Cisco Support Community
Community Member

Unable to configure IDSM for traffic analysis

I need some help in configuring the IDSM2. I have configured the 6509 switch to capture network traffic using SPAN. I have mentioned a VLAN as the source for the SPAN traffic. But after specifying the capture destination on the 6509 (a physical port on the 6509), I am confused about how to send this traffic from the captured port for analysis to the virtual sensing port on the IDSM. Basically, I am not able to map the physical destination port on the switch to the virtual sensing ports.

The switch details are as follows. I have a 6509 switch with 7 modules.

module 1 and module 2 are GBIC

module 3 - IDSM

module 4 - FWSM

module 5 and module 6 - SUP 720 (active and hot)

module 7 - 10/100/1000 RJ-45

The network topology is as follows.

WAN BRANCHES-->>CORE ROUTER-->>Router with VAC-->>pix 535-->>msfc IDSM AND fwsm (6509)--->>>noc(data centre)

In the above diagram the traffic flows from the WAN towards the data centre and vice versa. The FWSM is configured with the numerous VLANs required for the data centre. Thus all the traffic flow between the various VLANs is either denied/permitted on the FWSM.

The traffic flow from the WAN branches to the data centre first hits the PIX firewall and then hits the FWSM. Likewise, traffic from the data centre to the WAN branches first hits the FWSM and then the PIX firewall.

Please help me with this problem at the earliest. Thanks in advance.

Community Member

Re: Unable to configure IDSM for traffic analysis

From what I understand, if the SPAN destination port is a physical port, then the SPANed traffic exits the physical port, for example, if you have connected a sniffer to observe the traffic. I am not sure how this traffic can be diverted to the virtual sensor. Maybe you can try using the RSPAN technique.

Re: Unable to configure IDSM for traffic analysis

Hi ... the IDSM2 has two internal ports. These ports are the ones that will inspect the traffic, so you need to specify any of these as the SPAN destination port. By default they are ports 7 and 8 on the respective module, which in your case is 3.

Steps for configuring VLAN

Configure an ACL

Create a VLAN access map

Match ACL to the access map

Define an action for the access map

Apply the access map to the VLANs

Configure capture ports

I hope it helps ... please rate if it does !!
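
The two approaches from the reply above, written out as switch configuration. This is an added example, not part of the original posts. It assumes the supervisor runs Cisco IOS, where the IDSM-2 sensing ports are addressed as data-port 1 and data-port 2; module 3 comes from the thread, while the VLAN numbers (10, 20), the ACL name and the access-map name are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). Module 3 is taken from the thread;
! VLANs 10 and 20, IDS-CAPTURE-ACL and IDS-CAPTURE-MAP are assumed names.
!
! Option A: SPAN straight to an IDSM-2 data port.
! The destination is the module's internal sensing port, not a front-panel port.
monitor session 1 source vlan 10 both
monitor session 1 destination intrusion-detection-module 3 data-port 1
!
! Option B: VACL capture, following the steps listed in the reply.
! Use one method per data port; here the second data port is the capture port.
!
! Step 1: configure an ACL that selects the traffic to inspect
ip access-list extended IDS-CAPTURE-ACL
 permit ip any any
!
! Steps 2-4: create the VLAN access map, match the ACL, define the action.
! "forward capture" forwards the packet normally and copies it to capture ports.
vlan access-map IDS-CAPTURE-MAP 10
 match ip address IDS-CAPTURE-ACL
 action forward capture
!
! Step 5: apply the access map to the VLANs
vlan filter IDS-CAPTURE-MAP vlan-list 10,20
!
! Step 6: configure the IDSM-2 data port as a capture port and
! limit it to the VLANs whose traffic should reach the sensor
intrusion-detection module 3 data-port 2 capture
intrusion-detection module 3 data-port 2 capture allowed-vlan 10,20
!
! Verify from exec mode:
!   show monitor session 1
!   show vlan access-map IDS-CAPTURE-MAP
!   show vlan filter
```

A `vlan filter` applies to all traffic in the listed VLANs, so the access map should end in a sequence that forwards everything it is not meant to drop.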
