spanned port for IDS

We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500s, so I'd span a port on one of our core switches... My question is, there is definitely more than 1 Gb of traffic going through the core at any time... how would I get all this traffic to the IDS system? Would I just create an EtherChannel and use it as a destination, and plug all the ports into the IDS?


For one thing, you need to verify that your IDS can handle the amount of traffic you are throwing at it... Next, just create a SPAN port on the 6500 for the VLANs you want to monitor. Or if you have more than one switch, create SPANs on all of them. You should have plenty of port density on your sensor. If you do not have enough ports, you may have to look into RSPAN.


Jay

I do have plenty of port density on the IDS. I guess my question is, how do you avoid oversubscription on a destination port? I could send a group of ports to a single destination; however, you can only have a total of two local SPAN sessions set up on a 6509 (Sup720), and with the amount of traffic we send it won't take that many ports to oversubscribe a destination port.


Also, if you do oversubscribe a destination port... does it affect traffic on the source ports in any way? I didn't think it would, but then I read somewhere that it might.
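The oversubscription question above comes down to arithmetic that is easy to get wrong: a SPAN source configured for `both` directions mirrors receive and transmit traffic, so a single full-duplex gigabit port can push up to 2 Gb/s at a 1 Gb/s destination, and every additional source port adds its own copy. The following script is an added example written for this page, not code from the thread or from Cisco. It takes two samples of per-port byte counters (the kind IF-MIB's ifHCInOctets/ifHCOutOctets return; the sample values here are constructed inline) and reports how much mirrored traffic a set of sources would generate against a destination port's capacity, plus the worst case from link speeds alone. Function and field names are this example's own.

```python
"""Estimate SPAN/mirror destination oversubscription from port counters.

Added example for this discussion. Assumes two snapshots of 64-bit
in/out octet counters per source port (constructed below), the SPAN
direction configured per source (rx, tx or both), and one destination
port of known capacity. Not Cisco's code; names are assumptions.
"""
from dataclasses import dataclass

COUNTER_64 = 2 ** 64  # width of ifHCInOctets / ifHCOutOctets


@dataclass(frozen=True)
class PortSample:
    name: str
    in_octets: int   # bytes received on the port
    out_octets: int  # bytes transmitted on the port


def counter_delta(before: int, after: int, width: int = COUNTER_64) -> int:
    """Delta of a monotonic counter, tolerating a single wrap."""
    if after >= before:
        return after - before
    return after + width - before


def mirrored_bps(before: PortSample, after: PortSample,
                 interval_s: float, direction: str) -> float:
    """Bits/s this source contributes to the SPAN destination.

    'both' mirrors rx AND tx, so it is the sum, not the larger of the two.
    """
    rx = counter_delta(before.in_octets, after.in_octets) * 8 / interval_s
    tx = counter_delta(before.out_octets, after.out_octets) * 8 / interval_s
    rates = {"rx": rx, "tx": tx, "both": rx + tx}
    if direction not in rates:
        raise ValueError(f"unknown SPAN direction {direction!r}")
    return rates[direction]


def estimate_span(t0: dict, t1: dict, interval_s: float,
                  directions: dict, dest_capacity_bps: float) -> dict:
    """Sum mirrored load across sources and compare with the destination.

    t0/t1 map port name -> PortSample; directions maps port name -> rx/tx/both.
    Returns per-source rates, the total, the load ratio and a verdict.
    """
    per_source = {}
    for name, direction in directions.items():
        per_source[name] = mirrored_bps(t0[name], t1[name], interval_s, direction)
    total = sum(per_source.values())
    ratio = total / dest_capacity_bps
    return {
        "per_source_bps": per_source,
        "total_bps": total,
        "ratio": ratio,
        # Anything above 1.0 means the destination drops mirrored frames,
        # i.e. the IDS silently loses visibility.
        "oversubscribed": ratio > 1.0,
    }


def worst_case_bps(link_speeds_bps: dict, directions: dict) -> float:
    """Upper bound from link speeds: 'both' on full duplex counts twice."""
    return float(sum(
        speed * (2 if directions[name] == "both" else 1)
        for name, speed in link_speeds_bps.items()
    ))


# Constructed samples: three gigabit ports, 10 s apart, each carrying
# 600 Mb/s inbound and 500 Mb/s outbound (750 MB and 625 MB per 10 s).
SAMPLE_T0 = {n: PortSample(n, 1_000_000, 2_000_000) for n in ("Gi1/1", "Gi1/2", "Gi1/3")}
SAMPLE_T1 = {n: PortSample(n, 1_000_000 + 750_000_000, 2_000_000 + 625_000_000)
             for n in ("Gi1/1", "Gi1/2", "Gi1/3")}
SAMPLE_INTERVAL_S = 10.0
SAMPLE_DIRECTIONS = {"Gi1/1": "both", "Gi1/2": "both", "Gi1/3": "both"}
SAMPLE_LINK_SPEEDS = {n: 1_000_000_000 for n in SAMPLE_DIRECTIONS}
DEST_CAPACITY_BPS = 1_000_000_000  # one gigabit destination port


def demo() -> dict:
    """Run the estimate on the constructed samples."""
    result = estimate_span(SAMPLE_T0, SAMPLE_T1, SAMPLE_INTERVAL_S,
                           SAMPLE_DIRECTIONS, DEST_CAPACITY_BPS)
    result["worst_case_bps"] = worst_case_bps(SAMPLE_LINK_SPEEDS, SAMPLE_DIRECTIONS)
    return result


if __name__ == "__main__":
    r = demo()
    for name, bps in r["per_source_bps"].items():
        print(f"{name}: {bps / 1e6:.0f} Mb/s mirrored")
    print(f"total {r['total_bps'] / 1e6:.0f} Mb/s, ratio {r['ratio']:.2f}, "
          f"oversubscribed={r['oversubscribed']}, "
          f"worst case {r['worst_case_bps'] / 1e9:.1f} Gb/s")
```

On the constructed input three moderately loaded gigabit ports already generate 3.3 Gb/s of mirrored traffic for a 1 Gb/s destination, and the worst case from link speeds is 6 Gb/s. Rerunning the estimate with the directions set to `rx` only (or sourcing VLANs so each conversation is copied once rather than on both the ingress and egress port) is the quickest way to see how much a narrower source set buys before deciding what the sensor can be given.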

I am not sure what Cisco recommends to do in your situation... I have not seen a SPAN port getting overloaded, though. At my past job, we had numerous large credit union customers, and they never had any issues with their SPAN ports getting oversubscribed. Not to say it is not possible, though.


I don't believe the source ports would be affected if the destination gets oversubscribed; however, I am not an expert on Cisco Switching, so I can't be certain.



Thanks for that link. According to that link you have to have separate IDSs attached to the EtherChannel (one per port):


"The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."


Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an EtherChannel?


It's starting to sound like I'm going to have to limit what ports I source... which means the IDS could potentially miss a threat or report it later than it could...
