Network traffic reaches the IDSM in one of two ways: traffic is copied to the IDSM based on security VLAN access control lists (VACLs), or traffic is routed to the IDSM via the switch's Switched Port Analyzer (SPAN) port feature. Users can thus specify traffic based on switch ports, VLANs, or traffic type to be inspected. Remember, IDSM requires Catalyst Operating System Version 6.1(1) or higher.
The following documents will help answer your questions.
1) Data Sheet: Catalyst 6000 Intrusion Detection System Module
1) The limit is around 120M worth of traffic into your capture port.
2) You can monitor/capture traffic via the VACL or SPAN command. By default the capture is put into the trunk port, so you will capture everything. If you want to capture only certain ports, set up a VACL mapping to different VLANs or SPAN certain ports only. You may also want to prune off the other VLANs from the capture port.
Small correction. You can place more than 2 IDSMs into a switch.
You can technically place an IDSM into every available slot in the switch (max of 12 IDSMs in a 6513 in other words).
The real issue isn't the max number of IDSMs, but that max number of ways to send traffic to the IDSM.
If you are just using Span, then in general you are limited to 2 Span sessions (therefore 2 IDSMs). NOTE: There are some Span scenarios where more than 2 Spans can be used - reference the Cat 6K Span documentation.
If you are using VACL Capture and have an MSFC that is doing routing, then a single VACL Capture port (one IDSM) has to be used to monitor all of the vlans being routed because of interactions between VACL Capture and the MSFC routing features.
If you are using VACL Capture and do not do routing with the MSFC, then you can have a separate VACL Capture port for every vlan, or have each VACL Capture port monitor a group of vlans. So in this scenario you could theoretically have 12 different groups of vlans, and 12 IDSMs in a Cat 6513 with each IDSM monitoring a different vlan group. The limitation is that each vlan group would have to have only about 100Mbps of traffic being captured.
NOTE: In most deployments the IDSM will only be able to monitor packets that travel through the switch on which it is deployed (with either Span or VACL Capture). If you want to monitor packets from other switches then you will have to use Rspan to monitor the packets (only one Rspan session is supported).
The sensor needs to see both client packets and server packets to properly construct TCP streams. Without seeing both sides of the connection the sensor cannot alarm properly. This is the big issue, since the sensor will generate false alarms in some cases and not generate some alarms when there is a real attack.
Also, each time a connection is opened, the sensor will keep it in memory until the connection is shut down or until an internal timer times out. If the sensor sees only half the connection it sometimes cannot tell when the connection is shut down, so it winds up keeping the connection in memory until the internal timer runs out. This can result in large numbers of closed connections still being tracked in active memory by the sensor and can slow sensor performance.
When the MSFC is involved with VACL Capture, the packets get marked for capture on the Vlan where they leave the switch.
So the client packets get captured on the server vlan, and the server packets get captured on the client vlan.
Therefore, the sensor has to monitor both of the vlans to see the entire session.
Only monitoring one vlan would leave the sensor only monitoring half the session which leads to the problems I described above.
If the MSFC is routing between 20 vlans then the sensor has to monitor all 20 vlans.
So you could use multiple IDSMs, but for the IDSMs to monitor properly and not experience performance issues, each IDSM would have to monitor all the vlans being routed by the MSFC, resulting in all the IDSMs seeing the exact same traffic.
Without the MSFC the server vlan and client vlan are the same vlan so when there is no MSFC you can use a separate IDSM for each vlan.
There is one situation where one IDSM monitors with VACL Capture on all the vlans being routed by the MSFC, and a second IDSM is deployed, but the second IDSM uses Span instead of VACL Capture.
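The visibility rule described above (with the MSFC routing, a packet is marked for VACL Capture on the vlan where it leaves the switch) can be checked with a small model. This is an added example, not code from the thread or from Cisco; the VLAN numbers and the session layout are constructed for illustration.

```python
# Constructed model of which half of a TCP session an IDSM sees on its VACL
# Capture port. Added example, not from the original thread. VLAN numbers and
# the packet sequence are illustrative only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_vlan: int   # vlan the packet enters the switch on
    dst_vlan: int   # vlan the packet leaves the switch on
    direction: str  # "client->server" or "server->client"


def session_packets(client_vlan: int, server_vlan: int):
    """A TCP handshake, data and teardown, both directions, as the switch sees it."""
    c2s, s2c = "client->server", "server->client"
    return [
        Packet(client_vlan, server_vlan, c2s),  # SYN
        Packet(server_vlan, client_vlan, s2c),  # SYN/ACK
        Packet(client_vlan, server_vlan, c2s),  # ACK + request
        Packet(server_vlan, client_vlan, s2c),  # response
        Packet(client_vlan, server_vlan, c2s),  # FIN
        Packet(server_vlan, client_vlan, s2c),  # FIN/ACK
    ]


def capture_vlan(pkt: Packet) -> int:
    """The vlan on which the VACL 'capture' action marks the packet: the
    egress vlan. When the MSFC routes between two vlans these differ; when
    client and server share a vlan (no MSFC), ingress and egress are equal."""
    return pkt.dst_vlan


def directions_seen(monitored_vlans, client_vlan, server_vlan):
    """Session directions visible on a capture port mapped to monitored_vlans."""
    return {pkt.direction for pkt in session_packets(client_vlan, server_vlan)
            if capture_vlan(pkt) in monitored_vlans}


def sees_full_session(monitored_vlans, client_vlan, server_vlan) -> bool:
    """True only when both halves are visible, which the sensor needs to
    reassemble the TCP stream and to notice the FIN that closes it."""
    seen = directions_seen(monitored_vlans, client_vlan, server_vlan)
    return seen == {"client->server", "server->client"}


if __name__ == "__main__":
    # MSFC routing client vlan 10 <-> server vlan 20: capturing only the
    # server vlan yields the client half alone; both vlans are needed.
    print(directions_seen({20}, 10, 20))          # {'client->server'}
    print(sees_full_session({10, 20}, 10, 20))    # True
    # No MSFC: client and server on vlan 30, so one monitored vlan suffices.
    print(sees_full_session({30}, 30, 30))        # True
```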