Port usage on 6500 IDSM-2 blade

csthomas
Level 1

I recently received an IDSM-2 blade for my Cat6K. One setup problem I had was I couldn't find documentation anywhere on how the sensor ports are used. I'm posting this note in the hope it saves someone else some time.

The IDSM-2 blade appears to the 6K to have 8 ports:

Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
6/1                        connected  trunk      full   1000  Intrusion De
6/2                        connected  251        full   1000  Intrusion De
6/3                        disable    1          full   1000  Intrusion De
6/4                        disable    1          full   1000  Intrusion De
6/5                        disable    1          full   1000  Intrusion De
6/6                        disable    1          full   1000  Intrusion De
6/7                        monitor    trunk      full   1000  Intrusion De
6/8                        connected  trunk      full   1000  Intrusion De

Port x/2 is the command and control port. On the 6K, set this port to a VLAN appropriate to the IP address you give the sensor. Don't use VLAN 1, which is the default. Ports x/7 and x/8 are the sniffing ports. Use either SPAN or VACL to direct traffic to these ports. x/7 is active by default; I'm not sure about x/8. Note that x/7 and x/8 by default have all VLANs set, so they can listen to anything you send them. (You don't really need two sniffer ports; there are two because of the blade's architecture.)

Lastly, I'm told that x/1 is used to send TCP reset packets. Again, it has all VLANs set by default, so it can pick the correct one. This use of x/1 differs from what I heard earlier in the week at Networkers 2003, so I'd appreciate it if someone could confirm it.

/Chris Thomas, UCLA

1 Accepted Solution

ywadhavk
Cisco Employee

Hi Chris,

You are right. Good info.

The CIDS module uses the following 4 IP ports: a command and control port, 2 capture ports and a reset port. The C&C interface is on port 2, and the module has two sniffing ports that are seen by the switch as ports 7 and 8.

Starting with version 4.1, the multiple sniffing interface capability will be introduced, so ports 7 and 8 can actually be used to sniff 2 different segments.

Port 1 is used for reset. The important point is that the reset port must be assigned to the same VLAN as the sniffing port(s) in order to perform the TCP resets.

Thanks,

yatin
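
An added example, not part of the original thread and not Cisco tooling: a small Python audit that applies the port roles described above (x/1 reset, x/2 command and control, x/7 and x/8 sniffing) to `show port` text like the output in the first post. The function names are hypothetical, and it assumes the Name column is empty, as it is in that output.

```python
# Added example: audit IDSM-2 port roles in CatOS "show port" text.
# Roles (x/1 reset, x/2 command and control, x/7 and x/8 sniffing) come from
# the thread; function names are hypothetical. Assumes an empty Name column.

SAMPLE = """\
Port  Name                 Status     Vlan       Duplex Speed Type
6/1 connected trunk full 1000 Intrusion De
6/2 connected 251 full 1000 Intrusion De
6/7 monitor trunk full 1000 Intrusion De
6/8 connected trunk full 1000 Intrusion De
"""  # rows copied from the first post

ROLES = {1: "reset", 2: "command-and-control", 7: "sniffing", 8: "sniffing"}


def parse_ports(text):
    """Return {port_number: (status, vlan)} from 'slot/port status vlan ...' rows."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or separator line
        slot, _, num = fields[0].partition("/")
        if slot.isdigit() and num.isdigit():  # skips the header row
            ports[int(num)] = (fields[1], fields[2])
    return ports


def audit(text):
    """Return findings for the rules stated in the thread (empty list = clean)."""
    ports = parse_ports(text)
    findings = [f"port x/{n} ({role}) not in output"
                for n, role in ROLES.items() if n not in ports]
    if ports.get(2, ("", ""))[1] == "1":
        findings.append("command-and-control port x/2 is on default VLAN 1")
    sniff = {n: ports[n] for n in (7, 8)
             if n in ports and ports[n][0] != "disable"}
    if not sniff:
        findings.append("no sniffing port (x/7, x/8) is enabled")
    reset = ports.get(1)
    # A trunk reset port may carry every VLAN; an access port covers only one.
    if reset and reset[1] != "trunk":
        for n, (_, vlan) in sorted(sniff.items()):
            if vlan != reset[1]:
                findings.append(
                    f"reset port x/1 VLAN {reset[1]} != sniffing port x/{n} ({vlan})")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

When x/1 is a trunk, this output alone does not show which VLANs the trunk carries, so the audit reports nothing for that case.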
