We are implementing Cisco IDS in a Pan-European Application Service Provider environment.
We have multiple zones consisting of multiple switches for performance and redundancy.
Is it possible to configure one IDS probe to monitor one zone even though it consists of multiple switches? For example, if a zone contains 4 switches for redundancy with multiple VLANs (the switches will be trunked), do we need more than one probe, or can we configure one to monitor all the switches?
I have been reading up on utilising VACLs and SPAN on Cat 6000 IDSM modules but have not been able to clarify this issue from the documentation. Any suggestions? Is VACL and SPAN functionality available on standalone IDS probes?
I may be getting in over my head here, but let me give you what I know...
The standalone IDS sensors cannot handle trunk lines, so if you want to span or VACL data to them, you can only do one VLAN per sensor.
The IDSM can handle trunk-encoded traffic (the monitor port is configured as an 802.1Q trunk port) up to an aggregate of 100Mbps. One caveat is that the different VLANs that you are trunking need to have non-overlapping IP address ranges. It is my understanding that Remote SPAN (RSPAN) will work to get traffic to an IDSM. However, I am not familiar with configuring RSPAN.
VACLs only operate on the switch on which they are configured, thus if you have a VLAN that spans across multiple switches, an IDSM in one switch cannot monitor traffic on the other switch(es) using VACLs... you would either need to SPAN (RSPAN?) the data to the switch with an IDSM, or have multiple IDSM cards (one in each switch). If you have redundancy in your switches, you may want redundancy in your IDSM modules as well.
To check what traffic the IDSM blade is processing you can add another capture destination port to the destinations list (set security acl cap ). I would make this a Gigabit Ethernet port, not a 10/100 FE port, as the underlying hardware of the IDSM is GE based and it will actually "see" more than 100Mbps... it just may not be able to process > 100Mbps.
You may want to take this up with the security support folks in the TAC for detailed help.
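As an added illustration (not part of the original thread, and not from the answer above), here is what the two mechanisms the answer describes look like as CatOS configuration on a Cat 6000: a VACL capture that feeds the IDSM the traffic switched locally on the chassis that holds the blade, and an RSPAN session that carries a VLAN from a second chassis (without an IDSM) across the trunk to the same monitoring port. Slot and port numbers (IDSM-1 monitoring port assumed at 5/1, a spare GE port at 3/1), VLAN IDs (10, 20, RSPAN VLAN 900) and the ACL name are placeholders, and the command forms should be checked against the command reference for the CatOS release in use, in particular whether that release allows the monitoring port to be a VACL capture port and an RSPAN destination at the same time.

```text
! Assumed layout (placeholders): switch A holds the IDSM in slot 5, monitoring
! port 5/1. Zone VLANs 10 and 20 are trunked to switch B, which has no IDSM.

! --- Switch A: VACL capture of VLAN 10 traffic switched on THIS chassis.
!     A VACL only sees frames switched locally, so this does nothing for
!     frames that stay on switch B.
set security acl ip IDS-CAP permit ip any any capture
commit security acl IDS-CAP
set security acl map IDS-CAP 10
set security acl capture-ports 5/1

! Optional check of what the blade is being fed: list a spare GE port as a
! second capture destination and attach a sniffer there.
! (capture-ports takes the full list, so repeat the IDSM port.)
set security acl capture-ports 5/1,3/1

! --- Switch B: RSPAN VLAN 20 across the trunk toward switch A.
!     The RSPAN VLAN must be defined on every switch in the path.
set vlan 900 rspan
set rspan source 20 900 both

! --- Switch A: deliver the RSPAN VLAN to the IDSM monitoring port.
set vlan 900 rspan
set rspan destination 5/1 900
```

Two practical consequences follow from the answer's points: traffic on VLAN 20 that crosses the trunk will be seen by the IDSM twice if switch A also maps a capture VACL to VLAN 20 (once from the VACL, once from RSPAN), so map the VACL only to VLANs whose traffic is not also being RSPANed; and everything aggregated this way still shares the blade's ~100Mbps processing budget, so with four trunked redundant switches per zone a single module is a capacity question before it is a configuration question.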