I am going to be rolling out some blades to our 6500s. I have done a lot of research, but I figured I might as well ping the experienced guys on this one. What considerations should I make before just slapping these things in? For example, what amount of memory should I have on the 6500? What do I need to look at in terms of throughput? Should I be putting 2 blades in one chassis to double my throughput? How can I find out? I would also like to know what some of the basic first steps are to getting it inline but only in passive mode. I do not understand how this works with VLANs and port channels and other stuff I have read that has confused me. The blade doesn't have any ports, but I keep hearing that it has 8 ports. Also, I have an accelerator module in one of the blades; does this come with all blades? Any advice you can give a first-timer would be appreciated.
The eight ports are not physical; they are logical. You will find them if you poll the device via SNMP, etc. 7 and 8 are sensing. One is command and control. The others you need not worry about.
You can check the throughput via any network monitoring tool. Decide which VLANs you want inspected, and then check via NetFlow/SNMP how much bandwidth is usually used in those VLANs.
Promiscuous or inline VLAN pair depends on where the sensor is placed and what it protects.
Thanks. How can I determine which sensing method is best to use out of SPAN, VACL capture, inline interface pairs, or inline VLAN pairs?
Also, I understand that there are 3 partitions, is that right? An application, maintenance, and recovery partition? What is the maintenance partition?
SPAN/VACLs are just two different ways to feed the same mode (promiscuous). Promiscuous is actually an 'old' IDS type of deployment in which you cannot use many useful actions like Deny Connection Inline, Deny Packet, etc. An INLINE IPS has a 'better view' of the network, but it can be a bottleneck on your network. If the IDSM can offer the throughput required to be monitored, I would go with INLINE VLAN pair. Especially combined with the FWSM, it would help you understand the flow better.
I am sure that 600 Mbps is not enough throughput for us. It would bottleneck the traffic... but I don't know for sure. So if I understand you right, I cannot actually make this an IPS unless I can use it INLINE... makes sense.
How would it work with INLINE VLAN pair in conjunction with the FWSM? Would the traffic hit the IPS before the FWSM or after it hits the FWSM?
Could you explain how it would help me understand the flow better by putting it inline?
In the standard design it would hit the IPS twice for each flow.
(This is a sample Layer 2 Flow for MSFC Outside Topology, FWSM is the default gateway)
Workstation >> Floor Switch >> IDSM >> FWSM >> IDSM >> Servers' Switch >> Server
This is just an example.
Can I put it inline and only monitor/deny traffic to certain interface VLANs, say for instance a server VLAN or server farm, similar to how you only trunk some VLANs to the FWSM?
Yes, in INLINE VLAN pair, for sure you can. Only the VLANs you allow on the IDSM trunk will go through to the IDSM. Others will go to the FWSM directly. For those VLANs, the VLAN on the access layer switch and the FWSM VLAN interface will be identical (let's say 100 on both). But for the ones you want to INSPECT with the IDSM, the access layer VLAN will be, say, 100 but the one on the FWSM will be 700. The IDSM will bridge VLAN 100 >> 700.
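The bridge described above, shown as an added configuration example. This is not from any poster in the thread; it assumes an IDSM-2 in slot 5, an FWSM in slot 3, VLAN 100 on the access side, VLAN 700 on the FWSM side, sensing data port 1 (GigabitEthernet0/7 on the sensor), and placeholder addresses. Only the VLANs listed in `allowed-vlan` reach the IDSM; any other VLAN in the FWSM's vlan-group goes to the FWSM directly, as the post says.

```ios
! --- Catalyst 6500 supervisor (Cisco IOS), assumed slots 5 (IDSM-2) and 3 (FWSM) ---
switch(config)# vlan 100
switch(config-vlan)# name SERVERS-ACCESS-SIDE
switch(config-vlan)# vlan 700
switch(config-vlan)# name SERVERS-FWSM-SIDE
switch(config-vlan)# exit
! Command-and-control port of the IDSM on the management VLAN (assumed VLAN 10)
switch(config)# intrusion-detection module 5 management-port access-vlan 10
! Sensing data port 1 carries only the pair to be bridged; nothing else is trunked to the blade
switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 100,700
! The FWSM sees VLAN 700 (and any uninspected VLANs, e.g. 200) but never VLAN 100
switch(config)# firewall vlan-group 1 200,700
switch(config)# firewall module 3 vlan-group 1

! --- IDSM-2 sensor CLI (IPS 6.x): bridge VLAN 100 <-> 700 on the data port ---
sensor(config)# service interface
sensor(config-int)# bypass-mode auto
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description Server farm: 100 access side / 700 FWSM side
sensor(config-int-phy-inl-sub)# vlan1 100
sensor(config-int-phy-inl-sub)# vlan2 700
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! Assign the pair to the virtual sensor so signatures actually run on it
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes

! --- FWSM: the server interface now lives on VLAN 700, addresses are placeholders ---
FWSM(config)# interface Vlan700
FWSM(config-if)# nameif servers
FWSM(config-if)# security-level 50
FWSM(config-if)# ip address 10.100.0.1 255.255.255.0
```

Hosts in the server farm keep VLAN 100 on their access switches and keep 10.100.0.1 as their gateway; only the 6500 side changes. `bypass-mode auto` is the setting to check before going live: it lets traffic pass uninspected if the sensor's analysis engine stops, which is what you want for an inline pair in front of a server farm unless policy says fail closed.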
Let me get this straight: I would have to change the VLAN numbers on the FWSM and use the current ones to make a bridge to the IDSM. So for instance, prior to IDSM deployment, I will have VLAN 100 trunked to the FWSM; then I deploy the IDSM and I have to trunk VLAN 100 to the IDSM instead of the FWSM, then I would change VLAN 100 to VLAN 700 on the FWSM and do a bridge to the FWSM because the FWSM cannot accept VLAN 100?
What about ATM circuits and routable ports on the 6500? How do you logically make them go through the IDSM? Basically can you be trunking VLANs to the FWSM as well as routable ports and circuits at the same time?
Can you answer my questions about the partitions? What are the maintenance and recovery partitions? Do I need to upgrade them both to the version of the application partition? I would like to keep a recovery partition for backup; does it need to be the exact same major and minor version as the application partition? If I have upgraded a sensor from 4.1, then 5.0, and then 6.1, do I have to do the same with the recovery partition? Do I have to do them together, meaning when I bring one up to the new version, I have to bring the other up to the new version, also?
I have no clue as to what I might need to do with the maintenance partition.
Once you do an upgrade on the IDSM, the recovery partition is AUTOMATICALLY updated, so it always stays in sync. The maintenance partition does not update automatically, but you can do it manually, I think. But it's seldom required to play around with it. You can give a special parameter to the IDSM module to 'boot' using the maintenance partition.
Please rate if helpful.