Unanswered Question
May 11th, 2008

Hi All

Does anyone have any documentation that compares and contrasts the CISCO ASA 5520 AIP and the IDS module in the CISCO 6509 Catalyst?

Thanks in advance

marcabal Sun, 05/11/2008 - 20:57

The AIM SSM modules and the IDSM-2 (cat 6k module) all run the same IPS versions and in fact use the same upgrade images.

(Their System Images differ but that is only because the ROMMON on the SSM expects a different format than the maintenance partition of the IDSM-2. But the resulting files being installed on the SSMs and the IDSM-2 are exactly the same.)

From a feature standpoint the SSMs and the IDSM-2 all have the same set of features, with the exception of how the modules' interfaces are configured for receiving packets to monitor.

The IDSM-2's interfaces are configured similar to the IPS appliance interfaces. The IDSM-2 has 2 monitoring interfaces that can either each be configured for promiscuous mode, or inline vlan pair mode, or can be used together for an inline interface pair mode.

The SSM, however, only has a single internal monitoring interface. But this does not limit the SSM because it is able to do both monitoring in promiscuous mode as well as inline mode on that single interface. It is also able to monitor with multiple virtual sensors on that single interface.

It is able to do this because the configuration of what packets to monitor is not configured on the SSM, but is instead configured within the ASA configuration. Within the ASA configuration you can configure policies which can dictate which classes of traffic need to be monitored promiscuously by the SSM, or inline by the SSM, and by which virtual sensor of the SSM.

This is often an advantage over what the IDSM-2 and appliances are capable of. By configuring traffic to monitor from within an ASA policy the user actually has more granular control of what traffic to monitor, and how it should be monitored by the SSM.

Some things to keep in mind.

For the IDSM-2 to work in promiscuous mode the traffic does have to pass through the switch, and for inline vlan pair or inline interface pair modes it must also pass through the IDSM-2.

Similarly, for the SSM to work in promiscuous mode the traffic does have to pass through the ASA, and for inline mode it must also pass through the SSM.

So much of the decision will be based on whether or not your traffic is already passing through a Cat 6K switch or through an ASA.

All other features such as what attacks/signatures can be monitored, what actions the sensor can take, and how the user monitors the sensor are all the same.

Performance is the only other difference. The IDSM-2 is fairly comparable to the performance of the new SSM-40 (recently announced).

The IDSM-2 is faster than the SSM-10 and SSM-20.
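The ASA-side policy that marcabal describes above (classes of traffic steered to the SSM promiscuously or inline, each to a chosen virtual sensor) looks roughly like the following. This is an added illustration, not configuration from the original post or from Cisco documentation; the class, ACL and virtual-sensor names (DMZ_TO_IPS, DMZ_INLINE, ALL_PROMISC, vs0, vs1), the slot number and the 192.0.2.0/24 addresses are constructed, and it assumes the SSM already has virtual sensors vs0 and vs1 defined and an ASA/IPS software level that accepts the `sensor` keyword on the `ips` action.

```text
! Constructed example: steer two classes of traffic to the AIP-SSM in slot 1
! with different modes and different virtual sensors.

! Traffic to and from a DMZ subnet that should be inspected inline.
access-list DMZ_TO_IPS extended permit ip 192.0.2.0 255.255.255.0 any
access-list DMZ_TO_IPS extended permit ip any 192.0.2.0 255.255.255.0

class-map DMZ_INLINE
 match access-list DMZ_TO_IPS

! Everything else only gets a copy sent to the sensor.
class-map ALL_PROMISC
 match any

policy-map global_policy
 class DMZ_INLINE
  ! inline: the ASA holds each packet until the SSM returns or drops it.
  ! fail-close: if the SSM is down or reloading this traffic is dropped.
  ips inline fail-close sensor vs1
 class ALL_PROMISC
  ! promiscuous: the ASA forwards the original and sends a copy to the SSM.
  ! fail-open: traffic keeps flowing if the SSM is unavailable.
  ips promiscuous fail-open sensor vs0

service-policy global_policy global
```

Two points worth checking when applying something like this. Class order inside the policy map matters, because a packet receives the `ips` action of the first class it matches, so the narrower inline class has to precede the catch-all promiscuous one. And the fail-open/fail-close choice is exactly the trade-off marcabal's "must also pass through the SSM" remark implies for inline mode: with fail-close an SSM reload becomes an outage for that class, with fail-open it becomes a monitoring gap, so decide per class which failure you prefer and confirm the module state with `show module 1` after a change.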

