Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port

pslavkovsky
Level 1

Hi all

I have 2 switches Cat6509E, each with an IDSM module.

I have these commands on the first switch:

intrusion-detection module 7 data-port 1 capture
intrusion-detection module 7 data-port 2 capture
intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66
intrusion-detection module 7 data-port 2 capture allowed-vlan 68,70,74,134,145

And when I try to put the same on the second switch I get this error message:

Intrusion-detection-module 7 data-port 2:  Capture not allowed on a SPAN destination port

What does it mean?

The output of "sh monitor" is the same on both switches:

Session 1
---------
Type                   : Service Module Session
Modules allowed        : 1-9
Modules active         : 1,7
BPDUs allowed          : Yes


Session 2
---------
Type                   : Local Session
Source VLANs           :
    Both               : 4
Destination Ports      : analysis-module 8 data-port 1

Peter

1 Reply

Justin Teixeira
Level 1

Hi Peter,

The first switch that you mention is configured (judging from the "intrusion-detection" commands) to use the VACL capture method of sending traffic to the IDSM-2 for inspection. You can read about this method here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828

In short, you configure a VACL to define the traffic you want to capture and apply it to the appropriate VLANs. When traffic matches the VACL, it's copied to the IDSM-2 ports that have been configured with the "intrusion-detection module 7 data-port 1 capture" commands.

On the second switch it appears that there is a monitor session set up SPANning traffic to the IDSM-2 port. This is an alternative method of sending traffic to the IDSM-2 for inspection and is mutually exclusive with the VACL method on a particular IDSM-2 interface. You can read about the SPAN method here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030816

This method, in short, simply involves configuring a SPAN session with the IDSM-2 interface as the destination.

You'll need to choose one method or the other for configuring the second switch. If you want it to match the configuration on the first switch, simply remove the monitor (SPAN) session that's currently configured.

Best Regards,

Justin
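As an added example (not part of this thread and not Cisco's own tooling), the following Python script parses "show monitor" output and flags any planned "intrusion-detection module ... data-port ... capture" line whose data-port is already a SPAN destination, which is the mutually-exclusive condition Justin describes. The first sample is the output quoted in the question; the second sample is constructed to reproduce the error situation. The parser assumes the column layout shown in the thread ("Session N", "Type ... :", "Destination Ports ... :").

```python
import re

# Sample 1: the "show monitor" output quoted in the question (embedded so this runs offline).
SHOW_MONITOR = """\
Session 1
---------
Type                   : Service Module Session
Modules allowed        : 1-9
Modules active         : 1,7
BPDUs allowed          : Yes


Session 2
---------
Type                   : Local Session
Source VLANs           :
    Both               : 4
Destination Ports      : analysis-module 8 data-port 1
"""

# Sample 2: constructed output in which session 2 SPANs to the IDSM-2 port
# named in the error message (module 7 data-port 2).
SHOW_MONITOR_CONFLICT = SHOW_MONITOR.replace(
    "analysis-module 8 data-port 1", "intrusion-detection-module 7 data-port 2")

# The capture commands from the question, i.e. what we intend to apply.
CAPTURE_COMMANDS = [
    "intrusion-detection module 7 data-port 1 capture",
    "intrusion-detection module 7 data-port 2 capture",
    "intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66",
    "intrusion-detection module 7 data-port 2 capture allowed-vlan 68,70,74,134,145",
]


def parse_show_monitor(text):
    """Return a list of sessions: {'id': int, 'type': str|None, 'destinations': [str]}."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^Session (\d+)\s*$", line)
        if m:
            current = {"id": int(m.group(1)), "type": None, "destinations": []}
            sessions.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^Type\s*:\s*(.+?)\s*$", line)
        if m:
            current["type"] = m.group(1)
            continue
        m = re.match(r"^Destination Ports\s*:\s*(.*?)\s*$", line)
        if m:
            current["destinations"].extend(
                d.strip() for d in m.group(1).split(",") if d.strip())
    return sessions


def module_port(spec):
    """Normalize 'intrusion-detection module 7 data-port 2 ...' or
    'analysis-module 8 data-port 1' to (slot, port); None if no data-port is named."""
    m = re.search(r"(\d+)\s+data-port\s+(\d+)", spec)
    return (int(m.group(1)), int(m.group(2))) if m else None


def span_conflicts(capture_lines, show_monitor_text):
    """Map each capture command whose data-port is a SPAN destination to the
    session ids that use it. An empty dict means the VACL capture commands
    can be applied without hitting 'Capture not allowed on a SPAN destination port'."""
    sessions = parse_show_monitor(show_monitor_text)
    conflicts = {}
    for line in capture_lines:
        port = module_port(line)
        if port is None:
            continue
        hits = [s["id"] for s in sessions
                if any(module_port(d) == port for d in s["destinations"])]
        if hits:
            conflicts[line] = hits
    return conflicts


if __name__ == "__main__":
    for label, text in (("quoted output", SHOW_MONITOR),
                        ("constructed conflict", SHOW_MONITOR_CONFLICT)):
        found = span_conflicts(CAPTURE_COMMANDS, text)
        print(f"{label}: {found if found else 'no SPAN-destination conflicts'}")
```

Run it against a pasted "show monitor" from the switch before applying the capture commands; any command it lists must wait until the corresponding monitor session is removed, since a data-port cannot be both a SPAN destination and a VACL capture port.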
