Cisco Support Community
New Member

some problem about idsm and cspm

Hello,

We have two Cat 6509s. The 6509s connect through a trunk. Each 6509 has an IDSM module in slot 6, and the IDSM communicates with CSPM. Problems:

1. The command "show port 6/1" displays the trunk's speed as 1000M. I want to know how many packets an IDSM can process. Can it process 1000Mb/sec?

2. How many VLANs' traffic can be spanned to port 6/1? (Not spanning a trunk port to 6/1.) When I use the span command, can I only span one VLAN's traffic to port 6/1?

3. Can the IDSM and the CSPM software be configured to block intrusions automatically?

1 REPLY
Cisco Employee

Re: some problem about idsm and cspm

1. The command "show port 6/1" displays the trunk's speed as 1000M. I want to know how many packets an IDSM can process. Can it process 1000Mb/sec?

The "show port 6/1" command correctly displays the port speed as 1000M.

The port is a Gigabit Ethernet port, but the IDS software on the IDSM has a general monitoring capability of about 100Mbps. When planning an IDSM deployment you should plan for about 100Mbps of performance from the IDSM.

The IDSM was built with a Gig port, so that way the hardware would not be the limiting factor.

NOTE: In some cases the IDSM has been able to monitor much higher levels of traffic depending on the type of traffic you have, and what alarms have been turned on in the IDS software configuration.

2. How many VLANs' traffic can be spanned to port 6/1? (Not spanning a trunk port to 6/1.) When I use the span command, can I only span one VLAN's traffic to port 6/1?

The limitation should not be on the number of vlans, but rather all the traffic from the spanned vlans should be less than 100Mbps.

So if one vlan has 105 Mbps, then the IDSM should only be configured to monitor that one vlan. BUT if you have 50 vlans, and each vlan only has 2 Mbps, then the aggregate is only 100Mbps and can be monitored by the IDSM.

You should not be receiving any errors when configuring the span.

NOTE: When configuring a span session for more than one vlan, be sure to span all of the vlans within the same span command. If you try spanning one vlan per command, then only the last span command is active because it removes the previous span commands.

For example:

The following commands result in ONLY vlan 4 being spanned, because it is the last command:

set span 1 6/1
set span 2 6/1
set span 3 6/1
set span 4 6/1

However, the following command configures all 4 vlans to be spanned to 6/1:

set span 1,2,3,4 6/1
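The last-command-wins pitfall and the 100Mbps sizing rule from this reply, as an added example that is not part of the original thread or of any Cisco tool: a small Python script that parses CatOS "set span" lines, models the behaviour the reply describes (each new "set span" to a destination port replaces the previous session to that port), reports which VLANs are left unmonitored as a result, emits the merged single-command form, and checks the aggregate of the spanned VLANs against the roughly 100Mbps IDSM budget. The regex, the function names and the per-VLAN traffic rates are constructed assumptions for illustration, not measurements.

```python
"""Lint CatOS 'set span' lines for the overwrite pitfall and the IDSM budget.

Added example; the VLAN traffic rates below are constructed sample values.
"""
import re

# Approximate IDSM monitoring capacity stated in the thread.
IDSM_BUDGET_MBPS = 100

# Matches lines such as "set span 1 6/1" or "set span 1,2,3,4 6/1".
# Assumed pattern for the CatOS syntax shown in the thread.
SPAN_RE = re.compile(r"^\s*set\s+span\s+([\d,]+)\s+(\d+/\d+)\s*$", re.IGNORECASE)


def parse_span_commands(config_text):
    """Return a list of (vlans, dest_port) tuples, one per 'set span' line."""
    sessions = []
    for line in config_text.splitlines():
        m = SPAN_RE.match(line)
        if m:
            vlans = [int(v) for v in m.group(1).split(",") if v]
            sessions.append((vlans, m.group(2)))
    return sessions


def effective_span(sessions):
    """Model the switch behaviour described in the reply: each 'set span'
    to a destination port replaces the session already on that port, so
    only the last command per destination is active."""
    active = {}
    for vlans, port in sessions:
        active[port] = list(vlans)
    return active


def lost_vlans(sessions):
    """VLANs the administrator tried to span that are no longer monitored,
    keyed by destination port (only ports with a gap are listed)."""
    active = effective_span(sessions)
    intended = {}
    for vlans, port in sessions:
        intended.setdefault(port, set()).update(vlans)
    result = {}
    for port, want in intended.items():
        missing = sorted(want - set(active[port]))
        if missing:
            result[port] = missing
    return result


def merged_command(sessions, port):
    """The single 'set span' command that covers every intended VLAN."""
    vlans = sorted({v for vl, p in sessions if p == port for v in vl})
    return "set span %s %s" % (",".join(str(v) for v in vlans), port)


def aggregate_mbps(vlans, rates):
    """Sum of the (assumed) traffic rates for the given VLANs."""
    return sum(rates.get(v, 0) for v in vlans)


def over_budget(vlans, rates, budget=IDSM_BUDGET_MBPS):
    """True when the spanned VLANs exceed the IDSM monitoring budget."""
    return aggregate_mbps(vlans, rates) > budget


if __name__ == "__main__":
    # Constructed config reproducing the mistake shown in the reply.
    sample_config = "set span 1 6/1\nset span 2 6/1\nset span 3 6/1\nset span 4 6/1\n"
    # Constructed per-VLAN rates in Mbps.
    sample_rates = {1: 30, 2: 30, 3: 30, 4: 30}

    sessions = parse_span_commands(sample_config)
    print("active sessions:", effective_span(sessions))
    print("unmonitored VLANs:", lost_vlans(sessions))
    fix = merged_command(sessions, "6/1")
    print("suggested single command:", fix)
    all_vlans = [v for vl, _ in sessions for v in vl]
    print("aggregate Mbps:", aggregate_mbps(all_vlans, sample_rates),
          "over budget:", over_budget(all_vlans, sample_rates))
```

Run against a saved CatOS configuration, the script flags any destination port whose intended VLAN set is larger than the active one, which is exactly the monitoring blind spot the reply warns about, and the budget check turns the "aggregate under 100Mbps" guidance into something that can be verified before a span session is committed.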

3. Can the IDSM and the CSPM software be configured to block intrusions automatically?

Yes,

The later versions of IDSM have the ability to telnet to the switch itself and create a VLAN ACL which will deny the source address of the alarm (or telnet to a router and create a Router ACL to deny the source address of the alarm).

This feature was added in the 3.0 version if I remember right, so be sure to be running the latest version if you try to configure this.

CSPM should support the configuration of this feature on the IDSM.

NOTE: IDSM does support the blocking feature described above (which is also known as the shun feature), but it does NOT support the TCP Reset feature which is used to shutdown a single TCP connection.

Only the appliance sensors support both block and TCP reset features.
