Cisco Support Community

Port usage on 6500 IDSM-2 blade

I recently received an IDSM-2 blade for my Cat6K. One setup problem I had was I couldn't find documentation anywhere on how the sensor ports are used. I'm posting this note in the hope it saves someone else some time.

The IDSM-2 blade appears to the 6K to have 8 ports:

Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
 6/1                       connected  trunk        full  1000 Intrusion De
 6/2                       connected  251          full  1000 Intrusion De
 6/3                       disable    1            full  1000 Intrusion De
 6/4                       disable    1            full  1000 Intrusion De
 6/5                       disable    1            full  1000 Intrusion De
 6/6                       disable    1            full  1000 Intrusion De
 6/7                       monitor    trunk        full  1000 Intrusion De
 6/8                       connected  trunk        full  1000 Intrusion De

Port x/2 is the command and control port. On the 6K, set this port to a VLAN appropriate to the IP address you give the sensor. Don't use VLAN 1, which is the default. Ports x/7 and x/8 are the sniffing ports. Use either SPAN or VACL to direct traffic to these ports. x/7 is active by default; I'm not sure about x/8. Note that x/7 and x/8 by default have all VLANs set, so they can listen to anything you send them. (You don't really need two sniffer ports; there are two because of the blade's architecture.)

Lastly, I'm told that x/1 is used to send TCP reset packets. Again, it has all VLANs set by default, so it can pick the correct one. This use of x/1 differs from what I heard earlier in the week at Networkers 2003, so I'd appreciate if someone could confirm it.

/Chris Thomas, UCLA

Accepted Solutions
Cisco Employee

Re: Port usage on 6500 IDSM-2 blade

Hi Chris,

You are right. Good info.

The CIDS module uses the following 4 IP ports: a command and control port, 2 capture ports and a reset port. The c&c interface is on port 2; the module has two sniffing ports that are seen by the switch as ports 7 and 8.

Starting with version 4.1, the multiple sniffing interface capability will be introduced, so ports 7 and 8 can actually be used to sniff 2 different segments.

Port 1 is used for reset. The important point is that the reset port must be assigned to the same VLAN as the sniffing port(s) in order to perform the TCP resets.

Thanks,

yatin
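
An added example, not part of either post and not Cisco code: a small Python check that reads the port listing quoted in the first post and flags departures from the port roles described in this thread (x/2 off VLAN 1, an active sniffing port on x/7 or x/8, x/1 able to reach the sniffing VLANs). The function names are hypothetical, and it assumes a reset port shown as "trunk" still carries all VLANs, which is the default the first post describes.

```python
import re

# Rows of the switch port listing quoted in the first post (module 6).
SHOW_PORT = """\
6/1 connected trunk full 1000 Intrusion De
6/2 connected 251 full 1000 Intrusion De
6/3 disable 1 full 1000 Intrusion De
6/4 disable 1 full 1000 Intrusion De
6/5 disable 1 full 1000 Intrusion De
6/6 disable 1 full 1000 Intrusion De
6/7 monitor trunk full 1000 Intrusion De
6/8 connected trunk full 1000 Intrusion De
"""
# Status words seen in that listing, plus CatOS's "notconnect".
STATUSES = {"connected", "disable", "monitor", "notconnect"}

def parse_show_port(text):
    """Return {port_number: (status, vlan)}; tolerates a filled-in Name column."""
    ports = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or not re.fullmatch(r"\d+/\d+", tok[0]):
            continue  # header, separator or blank line
        idx = next((i for i, t in enumerate(tok) if t in STATUSES), None)
        if idx is not None and idx + 1 < len(tok):
            ports[int(tok[0].split("/")[1])] = (tok[idx], tok[idx + 1])
    return ports

def audit_idsm2(ports):
    """Check the port roles described in the thread; return a list of findings."""
    findings = []
    cc_status, cc_vlan = ports.get(2, ("missing", None))
    if cc_status != "connected":
        findings.append(f"x/2 (command and control) is {cc_status}")
    elif cc_vlan == "1":
        findings.append("x/2 (command and control) is still in default VLAN 1")
    # Sniffing ports count as active when connected or monitor (x/7 in the post).
    sniff = {p: ports[p][1] for p in (7, 8)
             if p in ports and ports[p][0] in ("connected", "monitor")}
    if not sniff:
        findings.append("no active sniffing port (x/7 or x/8)")
    rst_status, rst_vlan = ports.get(1, ("missing", None))
    if rst_status != "connected":
        findings.append(f"x/1 (TCP reset) is {rst_status}")
    elif rst_vlan != "trunk":
        # Assumption: a trunk reset port still carries all VLANs (its default).
        for p, vlan in sorted(sniff.items()):
            if vlan != rst_vlan:
                findings.append(f"x/1 is in VLAN {rst_vlan} but x/{p} is {vlan}")
    return findings
```

The listing as posted produces no findings; moving x/2 back to VLAN 1 or pinning x/1 to a single VLAN while the sniffing ports trunk does.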
