I have just added a 6381 IDSM module to my existing IDS system. The 6509 where it resides includes an MSFC2 and PFC2. This switch is being installed as the center piece of a new campus backbone. I intend to run multiple VLANs across multiple buildings via fiber trunks.
With the above information in mind, does someone out there with experience have an opinion regarding VACL vs SPAN for capturing packets for the IDSM?
I don't have very much experience with VACLs, but I have had a lot of success with my IDSM blades on my 6500's by spanning the VLANs. The command is: set span <(vlan)23,24,25>. One problem that I did run across spanning VLANs is if you include a shutdown VLAN the span will not work for any of the VLANs. With the IDSM modules you will want to span the VLANs to the virtual port on the backplane. For example, the IDSM will set up two virtual ports on the backplane of a 6509; if the IDSM is in the 9th slot, 9/1 would be the port the VLANs are piped to, and 9/2 will be your management port for the blade. This will give you the ability to monitor between 170-190 Mbps of traffic.
A great source of information on the IDSM and CSPM is the Cisco Press book Cisco Secure Intrusion Detection System by Earl Carter.
Both VACL and SPAN have their pros and cons. Which to use is a decision you'll have to make in light of your needs. I've used both and listed some of the pros/cons that I've run across.
VACL pros:
- finer control of which packet streams are being inspected.
- can use multiple, different VACL statements on different VLANs. You are restricted to one VACL per VLAN, but can tailor each VACL to each VLAN
- large number of capture output ports...easy to implement redundancy..good for testing.
VACL cons:
- only one capture port list...all ports get all the traffic from all capture VACLs. Have to use native VLAN coloring/trunk filtering to parse traffic when load sharing across multiple IDSM modules
- in the presence of an MSFC doing routing, getting the VACLs correct to capture both directions of a full duplex connection can be difficult (mind-bending). One key idea is that VACLs conceptually apply on "egress".
- ACL syntax means you have all the hangups of entering and maintaining ACLs
SPAN pros:
- simple, easy-to-understand context and syntax
- easy to track and maintain (don't have to synthesize the state from 2 or 3 config lines)
SPAN cons:
- rare resource...Cat6K w/ CatOS have 2 full duplex or 4 uni-direction spans available.
- Bandwidth doubling affecting performance of span and IDS. When you span multiple VLANs in the presence of a router, you have the potential for getting double packets spanned. Consider if you have VLAN 23 and 25 spanned; a packet originating on VLAN 23 gets copied for span, the original packet gets routed to VLAN 25, the routed packet gets copied for span again on VLAN 25.
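The double-copy effect described in the last point, modelled as a small added example (not code from the thread or from Cisco): a hypothetical packet model tracks each appearance of a routed packet inside the switch, counts how many copies a SPAN session covering both VLANs hands to the IDSM port, and shows an IDS-side de-duplication keyed on header fields the MSFC hop does not change. Hosts, addresses and IP IDs are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    vlan: int      # VLAN on which the switch observes this copy of the frame
    src: str
    dst: str
    proto: str
    ip_id: int     # IP identification field: preserved across the MSFC hop
    ttl: int       # decremented by the MSFC, so the routed copy differs here

def msfc_route(pkt: Packet, dst_vlan: int) -> Packet:
    """The MSFC forwards the packet onto the destination VLAN with TTL - 1."""
    return replace(pkt, vlan=dst_vlan, ttl=pkt.ttl - 1)

def switch_path(pkt: Packet, dst_vlan: int) -> list[Packet]:
    """Every appearance of one packet in the switch: ingress VLAN, then routed VLAN."""
    if pkt.vlan == dst_vlan:
        return [pkt]                      # bridged within one VLAN: seen once
    return [pkt, msfc_route(pkt, dst_vlan)]

def span_copies(path: list[Packet], spanned_vlans: set[int]) -> list[Packet]:
    """A SPAN session copies every frame observed on any monitored VLAN."""
    return [p for p in path if p.vlan in spanned_vlans]

def copies_seen_by_idsm(pkt: Packet, dst_vlan: int, spanned_vlans: set[int]) -> int:
    return len(span_copies(switch_path(pkt, dst_vlan), spanned_vlans))

def dedupe(copies: list[Packet]) -> list[Packet]:
    """IDS-side de-duplication keyed on fields that routing leaves untouched."""
    seen, out = set(), []
    for p in copies:
        key = (p.src, p.dst, p.proto, p.ip_id)
        if key not in seen:
            seen.add(key)
            out.append(p)
    return out

# Constructed sample flow: a host on VLAN 23 talks to a host on VLAN 25 and back.
REQUEST = Packet(23, "10.23.0.10", "10.25.0.20", "tcp", ip_id=4711, ttl=64)
REPLY = Packet(25, "10.25.0.20", "10.23.0.10", "tcp", ip_id=9001, ttl=64)

if __name__ == "__main__":
    for pkt, dst in ((REQUEST, 25), (REPLY, 23)):
        both = span_copies(switch_path(pkt, dst), {23, 25})
        print(f"{pkt.src}->{pkt.dst}: SPAN of VLANs 23+25 delivers {len(both)} copies, "
              f"{len(dedupe(both))} after de-duplication; "
              f"SPAN of VLAN 23 alone delivers {copies_seen_by_idsm(pkt, dst, {23})}")
```

Spanning only one of the two VLANs sees each direction once, which is the trade-off the VACL approach lets you tune per VLAN.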