IDSM2 Configuration

Unanswered Question
Jul 23rd, 2009

Hi

I have 2 6509 switches which are working as core switches. In each 6509 I have an IDSM-2 module. The Aggregation 6509 switches are doing the routing for the VLANs and are connected to the core 6509s, from where traffic exits for WAN & Internet.

In my IDSM2 I am planning to capture the traffic of the uplink ports coming from Aggregation to core. Which mode of IDSM would be preferred?

Can I connect a workstation to capture the IDSM events? Should the workstation and the management VLAN ID of the IDSM be in the same subnet, or can they be in different subnets and reachable via routing?

I have 2 data ports on the cards, so should all uplink traffic be captured to both data ports or divided among the 2 data ports?

Would VLAN monitoring be a better option than physical uplink port monitoring?

Please share any sample config available for the same.

vmoopeung Wed, 07/29/2009 - 05:44

Operating in Inline Interface Pair mode puts the Intrusion Prevention System (IPS) directly into the traffic flow and affects packet-forwarding rates, which makes them slower when latency is added. This allows the sensor to stop attacks so it drops malicious traffic before it reaches the intended target, thus it provides a protective service. Not only is the inline device processing information on Layers 3 and 4, but it also analyzes the contents and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that normally pass through a traditional firewall device.

In Inline Interface Pair mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.

sameermunj Thu, 07/30/2009 - 03:05

Hi

Thanks for the reply.

I have configured a port on my core with the same VLAN ID which is used for the IDSM management VLAN and am able to telnet to the IDSM management VLAN IP. How can I see the events happening on the console, or traffic statistics?

Can you share the inline interface pair mode configuration for reference? The IDSM configuration guide has the details, but it is not clear to me.

rhermes Thu, 07/30/2009 - 06:19

You can see events on the console with the "show event alert past 01:00".

You can watch your stats with the "show analysis stat" command.
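
A sketch of the inline interface pair setup discussed in this thread, added here as an example and not taken from any poster or from Cisco's documentation. The module slot (5), the VLAN IDs (661, 662) and the pair name (PAIR1) are constructed values, and the command syntax is given as an assumption from the IPS 5.x/6.x CLI, to be checked against the configuration guide for the release in use.

```cisco
! --- Catalyst 6509 supervisor (Cisco IOS) ---
! Assumed values: IDSM-2 in slot 5, VLANs 661 and 662.
! Each IDSM-2 data port becomes an access port in its own VLAN.
! The sensor bridges the two VLANs, so only traffic that has to
! cross from VLAN 661 to VLAN 662 is inspected (and can be dropped).
Router# configure terminal
Router(config)# intrusion-detection module 5 data-port 1 access-vlan 661
Router(config)# intrusion-detection module 5 data-port 2 access-vlan 662
Router(config)# end

! --- IDSM-2 sensor CLI ---
! GigabitEthernet0/7 and GigabitEthernet0/8 are the two IDSM-2 data ports
! (data-port 1 and data-port 2 on the switch side).
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# inline-interfaces PAIR1
sensor(config-int-inl)# interface1 GigabitEthernet0/7
sensor(config-int-inl)# interface2 GigabitEthernet0/8
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes

! Assign the pair to the default virtual sensor so that it is analyzed.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface PAIR1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
```

Because the module sits in the forwarding path in this mode, the two VLANs stop passing traffic to each other whenever the pair is not forwarding, which is the trade-off against the promiscuous (capture-only) modes.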
