IDSM on catalyst 6500 to provide IOS Inline mode support

I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS Version 12.2(33)SXI2a supports inline mode and inline VLAN pair mode with the IDSM-2. What configuration should be done on the switch in order for the multiple-VLAN traffic to flow through an inline interface of the IDSM-2? In my case I have 16 user VLANs and 1 server VLAN on the Catalyst 6500. The task is to protect the servers from users. The requirement is to configure inline mode to monitor the traffic from these 16 VLANs when they access the servers. But as we know, the IDSM-2 has only two logical sensing ports. So my question is: how would you configure the switch to forward the traffic from these 16 VLANs to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server VLAN? Because as far as I know, when you configure inline mode on IOS, you have to configure the sensing ports in access mode (while in CatOS, you configure these as TRUNK ports). This works when you have only two VLANs, but in my case I have 16 VLANs to monitor in inline mode. Please suggest any solution.

Any urgent reply will be much appreciated.

Many Thanks in advance


Re: IDSM on catalyst 6500 to provide IOS Inline mode support

Dear Mubin

Based on the information you have provided, 'Inline VLAN Pair' would be the way to go. The IDSM will use an internal trunk port to communicate with the host switch (65xx), therefore you may trunk as many VLANs as you like.

Please let me know if you have any questions. Myself and others have explained Inline VLAN configuration in multiple posts on this forum; please try the search option. Following are some links:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml

https://supportforums.cisco.com/message/957467#957467

Please rate if helpful

Regards

Farrukh


Re: IDSM on catalyst 6500 to provide IOS Inline mode support

Dear Farrukh,

Thanks for your kind reply. I know how to configure inline VLAN pairs on the IDSM-2, but I am struggling with the configuration to be done on the Catalyst 6500 to forward these 16 VLANs' traffic to the sensing (data) port. Should I follow the method described in the 4th post of the forum below?

https://cisco-support.hosted.jivesoftware.com/thread/243831?tstart=0

But in the above forum, it has been mentioned that with Native IOS running on the Catalyst 6500, you are limited to only 1 pair of VLANs for inline monitoring, because the Native IOS software does not have the capability to send multiple VLAN pair traffic to the IDSM-2.

If you could please provide me a sample configuration of the sensing (data) ports to be done on a Catalyst 6500 running Native IOS, it would be very helpful, because I am really confused.

Thanks a lot in advance

Re: IDSM on catalyst 6500 to provide IOS Inline mode support

Hi Mubin,
   If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment.  All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN.  Assuming you have something like this to start:

VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)

you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:

VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)

To do this you'll need to perform the following steps:

1.  Designate a new VLAN to use as a helper VLAN for your current server VLAN.  I'll use 201 for this example and assume your current server VLAN is 200.

Create the helper VLAN on the switch:

switch# conf t
switch(config)# vlan 201

2.  Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)

sensor# conf t
sensor(config)# service interface
sensor(config-int)# physical-interface GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 200
sensor(config-int-phy-inl-sub)# vlan2 201
sensor(config-int-phy-inl-sub)# description Server-Helper pair
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:

3.  Configure the switch to trunk the helper and server VLANs to the IDSM-2 module.  I assume the module is in slot 5 in the example.  Replace the 5 with the correct slot for your deployment:

switch# conf t
switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
switch(config)# intrusion-detection module 5 data-port 1 autostate include


*Warning! This next step may cause an outage if everything is configured correctly.  You'll probably want to schedule a window to do this.*

4.  Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created.  To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201.  I assume the current server gateway is 192.168.1.1/24.

switch# conf t
switch(config)# int vlan 200
switch(config-if)# no ip addr
switch(config-if)# int vlan 201
switch(config-if)# ip addr 192.168.1.1 255.255.255.0
switch(config-if)# exit
switch(config)# exit
switch# wr mem

Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected.  Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.

Best Regards,
Justin
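As an added illustration, not part of the thread or of any Cisco tool, the following Python audit reads an IOS running-config and checks the three things the helper-VLAN design above depends on: both VLANs trunked to the IDSM data port, the gateway SVI moved from the server VLAN to the helper VLAN, and no access ports left in the helper VLAN (hosts placed there bypass inspection). The configuration text, slot number and port names are constructed sample values.

```python
import re

# Constructed sample running-config (not from the thread): servers in VLAN 200,
# helper VLAN 201, IDSM-2 in slot 5. Gi1/2 is deliberately misplaced in VLAN 201.
SWITCH_CONFIG = """
vlan 200
vlan 201
intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
intrusion-detection module 5 data-port 1 autostate include
interface Vlan200
 no ip address
interface Vlan201
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1/1
 switchport access vlan 200
interface GigabitEthernet1/2
 switchport access vlan 201
"""

def _allowed_vlans(config, slot):
    """Expand the allowed-vlan list of the IDSM data-port trunk (ranges like 200-210 too)."""
    m = re.search(rf"intrusion-detection module {slot} data-port \d+ trunk allowed-vlan (\S+)", config)
    allowed = set()
    for part in (m.group(1).split(",") if m else []):
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def audit_helper_vlan(config, server_vlan, helper_vlan, slot):
    """Return a list of findings; an empty list means the design checks out."""
    findings = []
    allowed = _allowed_vlans(config, slot)
    for v in (server_vlan, helper_vlan):
        if v not in allowed:
            findings.append(f"VLAN {v} is not trunked to the IDSM data port in slot {slot}")
    # Walk each 'interface ...' block; '^ ip address' excludes the ' no ip address' form.
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if not block.startswith("interface "):
            continue
        name = block.splitlines()[0].split()[1]
        has_ip = re.search(r"^ ip address \d", block, re.M) is not None
        if name == f"Vlan{server_vlan}" and has_ip:
            findings.append(f"SVI {name} still carries the gateway IP: traffic is not forced through the IDSM")
        if name == f"Vlan{helper_vlan}" and not has_ip:
            findings.append(f"SVI {name} has no gateway address")
        if not name.startswith("Vlan") and re.search(rf"switchport access vlan {helper_vlan}\b", block):
            findings.append(f"{name} is an access port in helper VLAN {helper_vlan}: hosts there bypass inspection")
    return findings
```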
