We're about to get an IDS system which will require a spanned port on the inside of our network. Inside our network we have a few 6500s so I'd span a port on one of our core switches... my question is, there is definitely more than 1GB of traffic going through the core at any time... how would I get all this traffic to the IDS system? Would I just create an etherchannel and use it as a destination, and plug all the ports into the IDS?
For one thing, you need to verify that your IDS can handle the amount of traffic you are throwing at it... Next, just create a SPAN port on the 6500 for the VLANs you want to monitor. Or if you have more than one switch, create SPANs on all of them. You should have plenty of port density on your sensor. If you do not have enough ports, you may have to look into RSPAN.
I do have plenty of port density on the IDS. I guess my question is, how do you avoid oversubscription on a destination port? I could send a group of ports to a single destination... however you can only have a total of two local SPAN sessions set up on a 6509 (Sup 720), and with the amount of traffic we send it won't take that many ports to oversubscribe a destination port.
Also, if you do oversubscribe a destination port... does it affect traffic on the source ports in any way? I didn't think it would, but then I read somewhere that it might.
I am not sure what Cisco recommends to do in your situation... I have not seen a SPAN port getting overloaded, though. At my past job, we had numerous large credit union customers, and they never had any issues with their SPAN ports getting oversubscribed. Not to say it is not possible, though.
I don't believe the source ports would be affected if the destination gets oversubscribed; however, I am not an expert on Cisco Switching, so I can't be certain.
Thanks for that link. According to that link you have to have separate IDSs attached to the etherchannel (one per port):
"The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
Am I reading that wrong? Can I have one IPS with three or four ports attached to the same switch in an etherchannel?
It's starting to sound like I'm going to have to limit what ports I source... which means the IDS could potentially miss a threat or report it later than it could...
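As an added illustration of the oversubscription question raised in this thread (not code from any of the posters), the Python below parses Catalyst `show interfaces` output, sums the traffic a local SPAN session would copy from the chosen source ports, and flags when that sum exceeds the destination port's line rate. The `show interfaces` text, interface names and rates are constructed samples, not captured from a real switch; the key point it demonstrates is that a `both` session copies rx and tx of every full-duplex source, so a single busy gigabit port can already exceed a gigabit destination.

```python
import re

# Constructed sample of Catalyst "show interfaces" output (not from a real switch).
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet1/1 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  5 minute input rate 612000000 bits/sec, 71000 packets/sec
  5 minute output rate 455000000 bits/sec, 60000 packets/sec
GigabitEthernet1/2 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  5 minute input rate 300000000 bits/sec, 40000 packets/sec
  5 minute output rate 120000000 bits/sec, 15000 packets/sec
"""

# Interface header lines start at column 0; rate lines are indented.
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
RATE_RE = re.compile(r"5 minute (input|output) rate (\d+) bits/sec")

def parse_rates(text):
    """Return {interface: (input_bps, output_bps)} from show interfaces output."""
    rates = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            rates[current] = [0, 0]
            continue
        m = RATE_RE.search(line)
        if m and current:
            rates[current][0 if m.group(1) == "input" else 1] = int(m.group(2))
    return {name: tuple(v) for name, v in rates.items()}

def span_load(rates, sources, direction="both"):
    """Bits/sec the SPAN session would copy toward its destination.

    'rx' copies only what each source receives, 'tx' only what it sends,
    'both' copies both, so a full-duplex source can contribute up to 2x its speed.
    """
    total = 0
    for name in sources:
        rx, tx = rates[name]
        if direction in ("rx", "both"):
            total += rx
        if direction in ("tx", "both"):
            total += tx
    return total

def oversubscribed(rates, sources, dest_bps, direction="both"):
    """True when the copied traffic exceeds the destination port's line rate."""
    return span_load(rates, sources, direction) > dest_bps
```

Run it against real `show interfaces` output for the candidate source ports before committing to a single destination; if the 5-minute averages already exceed the destination rate, the peaks will be worse.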