I am trying to set up an IDS sensor for monitoring VLANs on a Catalyst 6513 switch running CATOS 12.1(19) GD (I think). The most logical solution seems to be to set up a bi-directional SPAN session (Rx & Tx) with all the source ports sending to the sensor on a destination port. However, my dilemma is that everything I'm being told is that the 6513 is limited to 2 full SPAN sessions. We already have the NAM blade installed, so that takes 1 SPAN session. We were contemplating going with the Cisco IDSM blade, and that would take a SPAN session as well. So with those 2 SPAN sessions gone, how would one go about performing network analysis, running sniffers, etc.? It just seems a little "off" to me that the 6513, one of the flagship switches offered by Cisco, would be limited to 2 full SPAN sessions. I would think that the blade itself, like the NAM or IDSM blade, would be able to manage its own SPAN session, completely independent of the chassis.
Can anyone shed some light on this for me? Maybe even provide a workable solution for monitoring VLANs on a 6513?
2 full SPAN sessions (Rx & Tx) are indeed the limit in CatOS. Or you can have 4 half SPANs (Tx or Rx only). Have you investigated using VACLs (VLAN ACLs) with the "capture" keyword? We use them for getting IDS traffic all the time and they generally work fine. There are some peculiarities with using VACLs if you are also routing on the switch with an MSFC in the supervisor. It lies in what VLAN packets are tagged as being on when captured. VACLs would probably also work for the NAM as well.
Here are some links to help you understand VACL capture as well as SPAN. I'm not certain what switch software you're running. 12.1(19) is an IOS (not a CatOS) version. So, I'll provide links for CatOS and IOS.
Note: I don't see a link for IOS 12.1(19)E. I'll provide links to IOS 12.1E in the meantime.
***** VACL capture *****
Here are links to descriptions of the VACL (VLAN ACL) feature (links for CatOS and Native IOS):
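To make the VACL capture approach from the replies above concrete, here is an added example configuration (not from either poster) that copies all IP traffic on two monitored VLANs to a capture port feeding an IDS sensor, once for CatOS and once for Native IOS. VLANs 10 and 20, port 3/1 as the sensor port, and the ACL and access-map names are assumed for illustration; the `!` lines are annotations, not commands.

```cisco
! ===== CatOS =====
! VACL that matches all IP traffic; "capture" copies matches to the
! capture port(s) in addition to forwarding them normally.
set security acl ip IDS_CAPTURE permit ip any any capture
! Activate the ACL in hardware.
commit security acl IDS_CAPTURE
! Apply it to the VLANs to be monitored (one map per VLAN).
set security acl map IDS_CAPTURE 10
set security acl map IDS_CAPTURE 20
! Designate the port the IDS sensor is plugged into as a capture port.
set security acl capture-ports 3/1

! ===== Native IOS (Catalyst 6500) =====
! Ordinary extended ACL used only as the match criterion.
ip access-list extended ALL_IP
 permit ip any any
! The VLAN access-map: forward normally AND send a copy to capture ports.
vlan access-map IDS_CAPTURE 10
 match ip address ALL_IP
 action forward capture
! Bind the access-map to the monitored VLANs.
vlan filter IDS_CAPTURE vlan-list 10,20
! Sensor port: capture mode, restricted to the VLANs of interest so it
! does not receive captured frames from every VLAN on the switch.
interface GigabitEthernet3/1
 switchport
 switchport capture
 switchport capture allowed vlan 10,20
```

Because the copy is made by the ACL hardware rather than by a SPAN session, this leaves the chassis's SPAN sessions free for the NAM and IDSM blades; the MSFC routing caveat noted in the first reply (which VLAN tag the captured copy carries) still applies and should be checked by inspecting a sample of captured frames on the sensor.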