IDSM-2 data-ports

david.white
Level 1
Level 1

Hi,

I have taken over managing a 6500 IDSM-2 implementation. As far as I can see it has been configured in promiscuous mode with a single virtual sensor assigned to both data ports 0/7 & 0/8.

The switch has been configured with the following commands:

intrusion-detection module 8 management-port access-vlan 507
intrusion-detection module 8 data-port 1 access-vlan 507

monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2

Can anyone tell me why the second command utilises data port 1 and the bottom command utilises data port 2? Is this valid and recommended?

Thanks

D

Accepted Solution

Siddharth Chandrachud
Cisco Employee

So a little bit about IDSM architecture.

IDSM has one management or command and control port (gig0/2) and 2 data ports (gig0/7 & gig0/8).

These ports on IDSM connect to the 6500 over the backplane.

IDSM Gig0/7 connects to Data-port 1 on 6500.

IDSM Gig0/8 connects to Data-port 2 on 6500.

The configuration involves two things:

1. Configuring IDSM (date, time, assigning virtual sensors to interfaces, signature tuning, etc.)

2. Configuring 6500 to send traffic to IDSM.

Are you planning to put the IDSM in promiscuous or inline mode?

The configuration on the 6500 is different for both the modes.

Configuration:

intrusion-detection module 8 management-port access-vlan 507

This puts the management port in vlan 507.

intrusion-detection module 8 data-port 1 access-vlan 507

Puts data-port 1 in vlan 507. This is typically done in inline mode.

monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2

This is a SPAN configuration, which sends a copy of the data from the vlans to data-port 2.

This is done when IDSM operates in promiscuous mode.

So in your case, the correct configuration on the 6500 to send traffic to the IDSM depends on which mode you want the IDSM to run in.

Please check the link below which will explain how to configure 6500 for promiscuous or inline mode IDSM configuration.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html

Let me know if you have any questions.

- Sid

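As an added example (not part of the thread and not Cisco's own tooling), the following Python audit parses the switch lines quoted in the question, maps each 6500 data-port to its IDSM-2 sensing interface using the mapping Sid gives (data-port 1 = gig0/7, data-port 2 = gig0/8), and flags a module whose data ports are wired for inline-style access-vlan feeding and promiscuous-style SPAN feeding at the same time, which is the situation the question describes. The regexes, function names and the "feed" labels are assumptions for this example; the sample configuration is the question's own lines.

```python
import re
# 6500 data-port number -> IDSM-2 sensing interface, per the accepted answer.
DATA_PORT_TO_IDSM_IF = {1: "GigabitEthernet0/7", 2: "GigabitEthernet0/8"}
ACCESS_RE = re.compile(
    r"^intrusion-detection module (\d+) data-port (\d+) access-vlan (\d+)$")
SPAN_DST_RE = re.compile(
    r"^monitor session (\d+) destination intrusion-detection-module (\d+) data-port (\d+)$")

# Constructed sample: the switch lines quoted in the question.
SAMPLE_CONFIG = """
intrusion-detection module 8 management-port access-vlan 507
intrusion-detection module 8 data-port 1 access-vlan 507
monitor session 66 source vlan 501 - 509 , 518 - 520 , 601 - 613
monitor session 66 destination intrusion-detection-module 8 data-port 2
"""

def audit_idsm_dataports(config_text):
    """Map (module, data-port) -> {"idsm_if", "feeds"}; a feed is
    ("access-vlan", vlan) for inline-style wiring or ("span-destination", session)
    for a promiscuous-style SPAN copy."""
    ports = {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse doubled spaces, as seen in the post
        m = ACCESS_RE.match(line)
        if m:
            mod, dp, vlan = (int(g) for g in m.groups())
            feed = ("access-vlan", vlan)
        else:
            m = SPAN_DST_RE.match(line)
            if not m:
                continue  # management-port, SPAN source and unrelated lines
            sess, mod, dp = (int(g) for g in m.groups())
            feed = ("span-destination", sess)
        entry = ports.setdefault(
            (mod, dp), {"idsm_if": DATA_PORT_TO_IDSM_IF.get(dp, "unknown"), "feeds": []})
        entry["feeds"].append(feed)
    return ports

def mixed_mode_modules(ports):
    """Modules whose data ports carry both feed kinds, i.e. inline and promiscuous
    wiring mixed on one sensor, which is what the question's configuration shows."""
    kinds = {}
    for (mod, _dp), info in ports.items():
        kinds.setdefault(mod, set()).update(k for k, _ in info["feeds"])
    return sorted(mod for mod, ks in kinds.items() if len(ks) > 1)

if __name__ == "__main__":
    found = audit_idsm_dataports(SAMPLE_CONFIG)
    print(found, "mixed-mode modules:", mixed_mode_modules(found))
```

Run against a live `show running-config` excerpt, an empty result from `mixed_mode_modules` means every IDSM data port on a module is fed the same way.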

2 Replies

Thanks for the quick response Sid.

Okay, that makes sense. It looks like the IDS has been deployed as promiscuous, so I can remove data port 1.

Thanks for your help.

D
