IDSM-2 data-ports

Answered Question

Hi,

I have taken over managing a 6500 IDSM-2 implementation; as far as I can see it has been configured in Promiscuous Mode with a single virtual sensor assigned to both data ports 0/7 & 0/8.

The switch has been configured with the following commands:

intrusion-detection module 8 management-port access-vlan 507
intrusion-detection module 8 data-port 1 access-vlan 507

monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2

Can anyone tell me why the second command utilises data port 1 and the bottom command utilises data port 2? Is this valid and recommended?

Thanks

D

Correct Answer by Siddharth Chand... Wed, 07/21/2010 - 09:14

So a little bit about IDSM architecture.

IDSM has one management or command-and-control port (gig0/2) and 2 data ports (gig0/7 & gig0/8).

These ports on IDSM connect to the 6500 over the backplane.

IDSM Gig0/7 connects to Data-port 1 on 6500.

IDSM Gig0/8 connects to Data-port 2 on 6500.

The configuration involves two things:

1. Configuring the IDSM (date, time, assigning virtual sensors to interfaces, signature tuning, etc.)

2. Configuring 6500 to send traffic to IDSM.

Are you planning to put the IDSM in promiscuous or inline mode?

The configuration on the 6500 is different for both the modes.

Configuration:

intrusion-detection module 8 management-port access-vlan 507

This puts the management port in vlan 507.

intrusion-detection module 8 data-port 1 access-vlan 507

Puts data-port 1 in vlan 507. This is typically done in inline mode.

monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2

This is a SPAN configuration which sends a copy of the data from the VLANs to data-port 2.

This is done when IDSM operates in promiscuous mode.

So in your case, the correct configuration on the 6500 to send traffic to the IDSM depends on which mode you want the IDSM to run in.

Please check the link below, which explains how to configure the 6500 for promiscuous or inline mode IDSM configuration.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html

Let me know if you have any questions.

- Sid
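As an added illustration (not part of Sid's answer, the question, or any Cisco tool), here is a small Python audit that parses the four switch lines quoted in the question, maps each data-port to the IDSM interface named in the answer, expands the SPAN source VLAN list, and reports whether the two data-ports are fed in different styles. The role labels and the VLAN-range parser are my own constructions, not Cisco terminology.

```python
import re

# Constructed sample: the four switch lines quoted in the question above.
SWITCH_CONFIG = """
intrusion-detection module 8 management-port access-vlan 507
intrusion-detection module 8 data-port 1 access-vlan 507
monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2
"""
# 6500 data-port number -> IDSM-2 backplane interface, per the answer above.
DATA_PORT_TO_IDSM_IF = {1: "GigabitEthernet0/7", 2: "GigabitEthernet0/8"}
ACCESS_RE = re.compile(r"^intrusion-detection module \d+ data-port (\d+) access-vlan \d+$")
SPAN_SRC_RE = re.compile(r"^monitor session (\d+) source vlan (.+)$")
SPAN_DST_RE = re.compile(r"^monitor session (\d+) destination intrusion-detection-module \d+ data-port (\d+)$")

def expand_vlan_ranges(spec: str) -> list:
    """Expand an IOS VLAN list such as '501 - 509 , 518 - 520' into sorted VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)

def audit_idsm_data_ports(config: str) -> dict:
    """Map each IDSM data-port to how the switch feeds it: 'access-vlan' (port
    placed in a VLAN, the style the answer ties to inline mode), 'span-destination'
    (port receives mirrored traffic, i.e. promiscuous mode) or 'conflict' (both)."""
    ports, span_sources, dst_session = {}, {}, {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACCESS_RE.match(line):
            port, role = int(m.group(1)), "access-vlan"
        elif m := SPAN_DST_RE.match(line):
            port, role = int(m.group(2)), "span-destination"
            dst_session[port] = int(m.group(1))  # remember which session feeds it
        elif m := SPAN_SRC_RE.match(line):
            span_sources[int(m.group(1))] = expand_vlan_ranges(m.group(2))
            continue
        else:
            continue  # management-port line and anything else: not a data-port
        entry = ports.setdefault(port, {"idsm_if": DATA_PORT_TO_IDSM_IF.get(port), "role": role})
        if entry["role"] != role:
            entry["role"] = "conflict"
    for port, session in dst_session.items():  # attach the mirrored VLAN IDs
        ports[port]["span_vlans"] = span_sources.get(session, [])
    return ports

def uses_mixed_styles(ports: dict) -> bool:
    """True when the data-ports are fed in different styles, as in the question
    (data-port 1 in an access VLAN, data-port 2 a SPAN destination)."""
    return len({p["role"] for p in ports.values()}) > 1
```

Run against the question's config it reports data-port 1 (gig0/7) in an access VLAN and data-port 2 (gig0/8) as a SPAN destination for 25 VLANs, so the two ports are configured in different styles and should be reconciled with the mode the sensor is actually meant to run in.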
