Cisco Support Community
New Member

IDSM2 on 6500-IOS inline mode support?

Hi,

I have an IDSM-2 running IPS5.1(1d) software (recently upgraded from 4.x) that is sitting on a 6500 IOS.

The IPS device manager shows gi0/7 and gi0/8 as both in Promiscuous mode. There is no option to change the mode to inline and pair them.

Is it so that IDSM-2 currently supports only Promiscuous mode?

If so, then this module is still acting as an IDS despite running IPS5.1. Isn't it? What is the advantage that I get after upgrading it from 4.x to 5.1?

-- Vasanth

Accepted Solution
Cisco Employee

Re: IDSM2 on 6500-IOS inline mode support?

There are 2 pieces to the puzzle.

There is the IDSM-2 version and what it supports, but also the Cat 6K Native IOS version and what it supports.

IDSM-2 v5.1(1d) supports

a) Promiscuous mode,

b) InLine Interface Pair mode (2 interfaces are paired for inline monitoring), and also

c) InLine Vlan Pair mode (2 vlans on a single interface are paired for inline monitoring, you will also see it called inline-on-a-stick)

But for these features to be used, the switch code must also support configuring the switch side of the IDSM-2 for each of these 3 features.

Native IOS Versions prior to 12.2(18)SXE will support only Promiscuous mode on the IDSM-2.

12.2(18)SXE and later versions will support InLine Interface Pair mode on the IDSM-2.

No Native IOS versions currently support InLine Vlan Pair mode on the IDSM-2 (a new Native IOS version with this support is currently in development).

So to get Inline (IPS) functionality you need to be running a Native IOS version 12.2(18)SXE or later, and on the IDSM-2 run IPS version 5.1 (or even the older 5.0).

(NOTE: Cat OS 8.5(1) does support all 3 modes of the IDSM-2. So if you are using Cat OS instead of Native IOS, then run version 8.5(1) to have access to all of the features of IPS 5.1(1) on the IDSM-2)

If you are running a Native IOS version prior to 12.2(18)SXE then the IDSM-2 can only be operated in Promiscuous mode even if 5.1(1) is loaded on the IDSM-2.

However, even in promiscuous mode the IPS 5.1(1) software does have a few advantages.

There are several engines, and engine parameters that are only supported in the 5.1 version and not the 4.0 version. So there are several signatures that are either a) not even created for 4.x sensors, or b) the 4.x signature is not as precise as the 5.x signature in the new engines.

(These new engines have proved invaluable in writing signatures to detect some of the new attacks that have come out over the past year.)

There are of course other advantages as well:

For example:

1) Risk Rating to better aid in prioritization of alerts.

2) More flexible filtering mechanism for alerts that allows for filtering individual actions

The 2 features above are just 2 of the new features that have been added in 5.0 and 5.1 that apply to both promiscuous and inline modes.

2 REPLIES

New Member

Re: IDSM2 on 6500-IOS inline mode support?

This is very informative.

I am currently evaluating what kind of method to apply in my 6500. I would like to ask: if IOS 12.2(18)SXE supports inline mode with the IDSM2, what configuration should be done on the switch in order for the traffic to flow through the inline interface of the IDSM2? In my case I have many VLANs configured in my switch and I want all traffic to flow inline through the IDSM2.

Many thanks in advance.
