We have an IDSM-2 module running 6.1(2)E3 in a 6500 with a Sup-720 supervisor engine running 12.2(18)SXF11. We are using passive VLAN capture in promiscuous mode on the outgoing interfaces on our 6500. The config for the IDS is as follows:
Traffic enters the 6500 on several GRE-tunnelled routed ports into separate VRFs. The traffic is de-encapsulated, then leaves the 6500 through other routed ports which are configured in separate VLANs (which are in the VRFs). The VLANs are all passively monitored by our IDS, at least that is the plan. The problem we have is that not all the traffic appears to be getting to the IDS. Using the IDM and event viewer on our IDS workstation we can see TCP, UDP etc., but only at a low rate, 20 packets/sec. We can test the IDS by looking for echo request/reply successfully. The incoming interfaces all have around 6,000 packets/sec of multicast (streaming video) arriving (this is the main traffic source) and this appears not to be monitored. Are we missing something in our config?
The "10" in "vlan access-map IDSMAP 10" is not an identifier like a VLAN number, it's a statement ordering number (like in line-numbered programming). That "10" just means it's the first statement. You need to associate IDSMAP with the VLAN:
Then put that VLAN number into your vlan-list:
vlan filter IDSMAP vlan-list 666
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
I've had problems when limiting the "capture allowed-vlan" to just your interesting VLANs, but if you're seeing some traffic from each VLAN this doesn't seem to be a likely fix for your problem.
The other thing to test is to make your standard CAPTUREALL ACL and extended ACL:
! "permit ip any any" is extended-ACL syntax (a standard ACL would take "permit any"),
! so the list is declared extended to match its one entry
ip access-list extended CAPTUREALL
 permit ip any any
Once you get this working, then you can worry about sending duplicate packets to your IDSM for inter-VRF traffic. The IDSM will ignore them, but if you're running a lot of traffic, it may create more load on the sensor than necessary.
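For reference, here is the complete VACL capture configuration the reply above describes, together with the SPAN alternative, written out as an added example rather than taken from the original posts. The IDSM-2 slot number (5), data-port 1 and rx-only SPAN are assumptions; the map, ACL and VLAN names come from the thread.

```cisco
! --- Option 1: VACL capture (what the reply walks through) ---
! Match every IP packet; the VACL copies matched frames to the capture port
ip access-list extended CAPTUREALL
 permit ip any any
!
! "10" is only the sequence number of the first clause in the map
vlan access-map IDSMAP 10
 match ip address CAPTUREALL
 action forward capture
!
! Apply the map to the monitored VLAN(s); add more VLANs to the list as needed
vlan filter IDSMAP vlan-list 666
!
! Allow the captured VLAN onto the sensor data port (slot 5 is assumed)
! and turn the port into a capture destination
intrusion-detection module 5 data-port 1 capture allowed-vlan 666
intrusion-detection module 5 data-port 1 capture
!
! --- Option 2: SPAN (what the original poster switched to) ---
! Mirror ingress traffic on VLAN 666 to the same sensor data port;
! remove the two "intrusion-detection ... capture" lines above first,
! as a data port is either a VACL capture port or a SPAN destination
monitor session 1 source vlan 666 rx
monitor session 1 destination intrusion-detection-module 5 data-port 1
```

Verify what the sensor actually receives with "show ip access-list CAPTUREALL" (hit counters), "show vlan filter" and "show monitor session 1" on the supervisor, then compare against the packet rate reported in IDM.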
We have made a small breakthrough - we've changed our config from VACL to SPAN capture and all of a sudden the IDS is receiving the multicast traffic. The VLANs we were previously capturing on are in separate VRFs, so we can't explain why IDS capture was working for unicast (i.e. ICMP when testing and enabling the signatures for echo request/reply to show intrusions in the real-time dashboard) but not multicast. We are suspecting that it may be an issue specifically relating to multicast and VRFs and may raise a TAC case. Anyone out there agree?