Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IDSM

I know that IDSM occupied a slot on Catalyst 6000 and it permits to monitor traffic on a monitoring port directly on the backplane.

So my questions are:

-have i some limits in SPAN session, as i only have one destination port?

-Can i monitor different type of port (trunk port, promisquos port,community or isolated)?

-Can i put more IDSM on the same catalyst and in any way increase the capability of detection, using these switches in parallel?

  • Other Security Subjects
5 REPLIES
New Member

Re: IDSM

Network traffic reaches the IDSM in one of the two ways: Traffic is copied to the IDSM based on security VLAN access control lists (VACLs) or Traffic is routed to the IDSM via the switch's Switched Port Analyzer (SPAN) port feature. User can thus specify traffic based on switch ports, VLANs, or traffic type to be inspected. Remember, IDSM Requires Catalyst Operating System Version 6.1(1) or higher.

The following documents will help answer your questions

1) Data Sheet: Catalyst 6000 Intrusion Detection System Module

http://www.cisco.com/warp/customer/cc/pd/si/casi/ca6000/prodlit/6kids_ds.htm

2) Catalyst 6000 Intrusion Detection System Module Installation and Configuration Note

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_1/10890_02.htm

3) Catalyst 6000 Intrusion Detection System Module

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/

New Member

Re: IDSM

1) The limit is around 120M worth of traffic into your capture port.

2) You can monitor/capture traffics via the VACL or SPAN command. By default the capture is put into the trunk port so you will capture everything. If you want to capture only certain ports, set up a VACL mapping to different VLANs or SPAN certain ports only. You may also want to prune off the other VLANs from the capture port.

3) Max of 2 IDSM in a switch.

Cisco Employee

Re: IDSM

Small correction. You can place more than 2 IDSMs into a switch.

You can technically place an IDSM into every available slot in the switch (max of 12 IDSMs in a 6513 in other words).

The real issue isn't the max number of IDSMs, but that max number of ways to send traffic to the IDSM.

If you are just using Span, then in general you are limited to 2 Span sessions (therefore 2 IDSMs). NOTE: There are some Span scenarios where more than 2 Spans can be used - reference the Cat 6K Span documentation.

If you are using VACL Capture and have an MSFC that is doing routing, then a single VACL Capture port (one IDSM) has to be used to monitor all of the vlans being routed because of interactions between VACL Capture and the MSFC routing features.

If you are using VACL Capture and do not do routing with the MSFC, then you can have a separate VACL Capture port for every vlan, or have each VACL Capture port monitor a group of Vlans. So in this scenario you could theoretically have 12 different groups of Vlans, and 12 IDSMS in a Cat 6513 with each IDSM monitoring a different vlan group. The limitation is that each vlan group would have to have only about 100Mbps of traffic being captured.

NOTE: In most deployments the IDSM will only be able to monitor packets that travel through the switch on which it is deployed (with either Span or VACL Capture). If you want to monitor packets from other switches then you will have to use Rspan to monitor the packets (only one Rspan session is supported).

New Member

Re: IDSM

i wonder if there is any way to put more than one IDSM with VACL Capture when i am using MSFC for routing. Is it a technical limit?Why can't i do this?

Cisco Employee

Re: IDSM

The sensor needs to see both client packets and server packets to properly construct TCP streams. Without seeing both sides of the connection the sensor can not alarm properly. This is the big issue since the sensor will generate false alarms in some cases and not generate some alarms when there is a real attack.

Also each time a connection is opened, the sensor will keep it in memory until the connection is shutdown or until an internal timer times out. If the sensor sees only half the connection it sometimes can not tell when the connection is shutdown so winds up keeping the connection in memory until the internal timer runs out. This can result in large numbers of closed connections still being tracked in active memory by the sensor and can slow sensor performance.

When the MSFC is involved with VACL Capture, the packets get marked for capture on the Vlan where they leave the switch.

So the client packets get captured on the server vlan, and the server packets get captured on the client vlan.

Therefore, the sensor has to monitor both of the vlans to see the entire session.

Only monitoring one vlan would leave the sensor only monitoring half the session which leads to the problems I described above.

If the MSFC is routing between 20 vlans then the sensor has to monitor all 20 vlans.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/13074_04.htm#xtocid29

So you could use multiple IDSMs, but for the IDSMs to monitor properly and not experience performance issues each IDSM would have to monitor all the vlans being routed by the MSFC resulting in all the IDSMs seeing the exact same traffic.

Without the MSFC the server vlan and client vlan are the same vlan so when there is no MSFC you can use a separate IDSM for each vlan.

There is one situation where one IDSM monitors with VACL Capture on all the vlans being routed by the MSFC, and second IDSM is deployed but the second IDSM uses Span instead of VACL Capture.

335
Views
0
Helpful
5
Replies