Cisco Support Community

New Member

Using IDS in multiple switches environments


We are implementing Cisco IDS in a Pan-European Application Service Provider environment.

We have multiple zones consisting of multiple switches for performance and redundancy.

Is it possible to configure one IDS probe to monitor one zone even though it consists of multiple switches? For example, if a zone contains 4 switches for redundancy with multiple VLANs (switches will be trunked), do we need more than one probe or can we configure one to monitor all the switches?

I have been reading up on utilising VACLs and SPAN on Cat 6000 IDSM modules but have not been able to clarify this issue from the documentation. Any suggestions? Is VACL and SPAN functionality available on standalone IDS probes?

Kind regards

Cisco Employee

Re: Using IDS in multiple switches environments

I may be getting in over my head here, but let me give you what I know...

The standalone IDS sensors cannot handle trunk lines, so if you want to span or VACL data to them, you can only do one VLAN per sensor.

The IDSM can handle trunk encoded traffic (the monitor port is configured as an 802.1Q trunk port) up to an aggregate of 100Mbps. One caveat is that the different VLANs that you are trunking need to have non-overlapping IP address ranges. It is my understanding that Remote SPAN (RSPAN) will work to get traffic to an IDSM. However, I am not familiar with configuring RSPAN.

VACLs only operate on the switch on which they are configured, thus if you have a VLAN that spans across multiple switches, an IDSM in one switch cannot monitor traffic on the other switch(es) using would either need to SPAN (RSPAN?) the data to the switch with an IDSM, or have multiple IDSM cards (one in each switch). If you have redundancy in your switches, you may want redundancy in your IDSM modules as well.

To check what traffic the IDSM blade is processing you can add another capture destination port to the destinations list. (set security acl cap ) I would make this a Gigabit Ethernet port, not a 10/100 FE port, as the underlying hardware of the IDSM is GE based and it will actually "see" more than just may not be able to process > 100Mbps.

You may want to take this up with the security support folks in the TAC for detailed help.
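
The constraints described in the reply above can be turned into a sensor placement check. This is an added example, not part of the original post or any Cisco tool: the function name, data layout, VLAN numbers, subnets and traffic figures are all constructed, and it assumes capture is local to the sensor's own switch (no RSPAN).

```python
import ipaddress
from itertools import combinations

IDSM_MAX_MBPS = 100  # aggregate trunk limit quoted in the reply above

def check_sensor_plan(vlans, sensors):
    """Return (findings, uncovered); uncovered lists the (switch, vlan)
    pairs that no sensor sees. Assumes capture is local to the sensor's
    switch (no RSPAN), as the reply describes for VACLs."""
    findings, covered = [], set()
    for s in sensors:
        ids = list(s["vlans"])
        # Standalone sensors cannot take a trunk: only the first VLAN counts.
        if s["type"] == "standalone" and len(ids) > 1:
            findings.append(f"{s['name']}: standalone sensor takes one VLAN, not a trunk")
            ids = ids[:1]
        if s["type"] == "idsm":
            total = sum(vlans[v]["mbps"] for v in ids)
            if total > IDSM_MAX_MBPS:
                findings.append(f"{s['name']}: {total} Mbps exceeds {IDSM_MAX_MBPS} Mbps aggregate")
            # Trunked VLANs must not share IP address space.
            for a, b in combinations(ids, 2):
                net_a = ipaddress.ip_network(vlans[a]["subnet"])
                net_b = ipaddress.ip_network(vlans[b]["subnet"])
                if net_a.overlaps(net_b):
                    findings.append(f"{s['name']}: VLAN {a} and VLAN {b} address ranges overlap")
        covered |= {(s["switch"], v) for v in ids if s["switch"] in vlans[v]["switches"]}
    wanted = {(sw, v) for v, d in vlans.items() for sw in d["switches"]}
    return findings, sorted(wanted - covered)

# Constructed sample zone: four trunked switches, three VLANs, two sensors.
# "mbps" is an assumed peak rate for that VLAN on one switch.
VLANS = {
    10: {"subnet": "10.1.10.0/24", "switches": {"sw1", "sw2", "sw3", "sw4"}, "mbps": 40},
    20: {"subnet": "10.1.20.0/24", "switches": {"sw1", "sw2"}, "mbps": 50},
    30: {"subnet": "10.1.20.128/25", "switches": {"sw1"}, "mbps": 30},
}
SENSORS = [
    {"name": "idsm-1", "type": "idsm", "switch": "sw1", "vlans": [10, 20, 30]},
    {"name": "probe-2", "type": "standalone", "switch": "sw2", "vlans": [10, 20]},
]

if __name__ == "__main__":
    findings, uncovered = check_sensor_plan(VLANS, SENSORS)
    for f in findings:
        print("FINDING:", f)
    for sw, vlan in uncovered:
        print(f"UNMONITORED: VLAN {vlan} on {sw}")
```
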


New Member

Re: Using IDS in multiple switches environments

Have been using the IDSM extensively and impatiently waiting for 3.0 software. I understand this has been delayed due to bugs.

A related question to the above,

Does setting up a span port that is passing high amounts of data cause any performance issues for the switch?

Does the use of VACLs cause any performance hit on the switch, say about 500MB/s plus?

Thanks for your response