Cisco Support Community
Community Member

IDS module setup, what traffic to capture

I have a WS-SVC-IDSM-2 that I have been tasked to set up. Currently the focus is around our pair of ASAs that are used for internet access, but the scope could increase. I am getting some conflicting information on how to set up the packet capture to the IDS module. I am leaning towards VACLs, but I keep wondering, if I do that, whether I will miss traffic somewhere. As an example, if I set up the VACL to capture TCP ports 80, 443 and 25, I am afraid I may miss some type of traffic on that VLAN. How do I determine what traffic I should send to the IDS module?

Cisco Employee

Re: IDS module setup, what traffic to capture

Well, it all depends on what traffic is going through your network.

If you have apps other than email, HTTP and HTTPS that you want to be IDS protected, then you would need to expand the VACL.

You can use NetFlow to see what applications are running through the network.

Then you can decide which ones you don't trust and want the IDS to monitor.

I hope it helps.
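
As an added illustration (not part of any reply in this thread) of what the port-limited VACL capture described in the question looks like on a Catalyst 6500 running Cisco IOS, with the IDSM-2 slot number, the VLAN and the ACL/access-map names all assumed:

```cisco
! Added example, not from any poster. Assumptions: IDSM-2 in slot 5, monitored VLAN 10,
! ACL and access-map names chosen here for illustration.
ip access-list extended IDS-CAPTURE
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 25
! To widen coverage as the reply above suggests, add one ACE per application
! found in NetFlow that you want inspected, for example:
! permit tcp any any eq 22
!
vlan access-map IDS-CAPTURE-MAP 10
 match ip address IDS-CAPTURE
! "forward capture" forwards the matched packet normally AND copies it to the capture port
 action forward capture
vlan access-map IDS-CAPTURE-MAP 20
! Catch-all: everything not matched above is forwarded but never reaches the IDSM-2.
! Without this sequence the access-map's implicit deny would drop unmatched traffic.
 action forward
!
vlan filter IDS-CAPTURE-MAP vlan-list 10
!
! Make the IDSM-2 data port a VACL capture port and limit it to VLAN 10
intrusion-detection module 5 data-port 1 capture allowed-vlan 10
intrusion-detection module 5 data-port 1 capture
```

Traffic on VLAN 10 that hits sequence 20 is exactly the traffic the IDS module will never see, so reviewing what lands there (via NetFlow, as suggested above) is how you decide which ACEs to add to IDS-CAPTURE.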


Cisco Employee

Re: IDS module setup, what traffic to capture

In addition to Panos' recommendations on methods for determining traffic to inspect with the IDSM-2, also keep in mind that the IDSM-2 is rated to inspect ~500 Mbps of traffic. If the traffic you will be sending to the IDSM-2 exceeds that amount, it will most likely not be inspected.

Since you mention having ASAs in your environment, have you considered deploying Cisco's AIP-SSM within the ASA? There are multiple models for different traffic requirements, and they can inspect traffic that is flowing through the ASA. You can find out more about the AIP-SSM here:


Community Member

Re: IDS module setup, what traffic to capture

When using a VACL to capture traffic on a 6500, I want to capture several types of traffic on my internal LAN. I have the VACL to do this. I also want to make sure I capture everything destined for and sourced from my ASA. Can I use a MAC ACL to capture the traffic? If I capture the traffic with a MAC ACL and apply that to the VACL, will the IPS device process it?
