Dual interfaces on a Cisco Secure IDS?

squigg
Level 1

I have been reliably told a Cisco Secure IDS can actually monitor two switches at once by direct physical connection. (Note we are not and will not be using IDS modules in the switches, but a physically separate Cisco Secure system.)

Unfortunately none of the Cisco Secure literature indicates it is possible to have more than one monitoring interface, except the IDS4250 which has an optional 1000BASE-SX interface, but this seems more for connecting fibre connections, and not at the same time as ethernet.

Reason for this is that we are designing a fully redundant architecture, so we obviously have dual switches at all stages of the network. We don't want to have a separate IDS for each switch, but obviously we need to be able to see all traffic in that layer.

Can anyone clarify this, or do we actually need a separate IDS for each switch ... a cost and management nightmare!

thanks!

2 Replies

klwiley
Cisco Employee

The current appliances do not support monitoring on more than one port simultaneously. Late this year or early next year with the introduction of the 4.0 release and the 4250-XL the 4250-XL will have this capability.

marcabal
Cisco Employee

With the currently deployed Cisco appliances, each appliance has only one sniffing interface.

You would need to aggregate feeds from both switches into another switch and then from that third switch send the packets to the sensor. If only monitoring 100Mbps then you could use a hub instead of a 3rd switch, but for higher than 100Mbps you would need a 3rd switch for aggregation.

Or use 2 separate IDS sensors, one for each switch.

As for future appliances you would need to talk with a Cisco Sales Representative.
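One way to build the aggregation marcabal describes, shown here as an added example that is not part of this thread or of any Cisco document: each switch of the redundant pair mirrors its monitored ports into an RSPAN VLAN that is carried over its trunk to a third switch, and that third switch mirrors the RSPAN VLAN onto the sensor's single sniffing port. The commands are Catalyst IOS syntax (switches of the period in the question may run CatOS, whose `set span` commands differ); VLAN 999, the session numbers and every interface name are assumptions for the example.

```cisco
! ---- Switch A (first member of the redundant pair) ----
! Assumed: ports Gi0/1-24 are the monitored ports, VLAN 999 is reserved for RSPAN
vlan 999
 name IDS-RSPAN
 remote-span
!
monitor session 1 source interface GigabitEthernet0/1 - 24 both
monitor session 1 destination remote vlan 999
!
! ---- Switch B (second member of the pair): same session, same RSPAN VLAN ----
vlan 999
 name IDS-RSPAN
 remote-span
!
monitor session 1 source interface GigabitEthernet0/1 - 24 both
monitor session 1 destination remote vlan 999
!
! ---- Aggregation switch (the "third switch") ----
! VLAN 999 arrives on the trunks from A and B; mirror it to the one sensor port
vlan 999
 name IDS-RSPAN
 remote-span
!
monitor session 1 source remote vlan 999
monitor session 1 destination interface GigabitEthernet0/48
!
! On each switch, confirm the session state and its source/destination:
! show monitor session 1
```

The trunks between A, B and the aggregation switch must carry VLAN 999 for the mirrored frames to reach the third switch. The capacity caveat in the reply above still applies: the mirrored traffic of both switches lands on one sensor port, and a SPAN destination that is oversubscribed silently drops frames, so the IDS sees gaps rather than an error. Size the sensor's interface for the combined peak, or narrow the source port list, before relying on the feed.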