VLAN support on IDS-4250 or IDS-4250XL?

pavlosd (Level 2)

Hi,

I am currently investigating for buying an IDS solution. One of the major concerns I have is the ability to monitor multiple VLANs (interfaces) and throughput.

I was looking through the specifications of IDS-4250 and IDS-4250XL. The XL version has greater throughput than the 4250. What confused me is that the XL version takes only one additional interface (1000Base-SX) while the standard version gives you the ability of both 1000Base-SX and 4-port FE.

Now, my question is: is it possible on the 2 particular appliances to configure the monitoring interface to monitor multiple VLANs (with the help of a trunk), if all VLANs are connected on a switch? Unfortunately buying an IDS module for the 6500 is out of the question since no 6500 switch is currently available.

Accepted Solution

marcabal (Cisco Employee)

The IDS-4250-TX-K9 (aka IDS-4250) is the base chassis to which a single PCI card can be added (IDS-XL-INT=, IDS-4250-SX-INT=, IDS-4FE-INT=).

If the IDS-XL-INT= (aka XL card) is added to the IDS-4250 then the sensor becomes an IDS-4250-XL-K9 (aka IDS-4250-XL).

NOTE: The IDS-4250-XL is not a separate base chassis, instead it is the same IDS-4250-TX-K9 with the IDS-XL-INT= already installed by manufacturing.

The XL card has 2 fiber Gig interfaces with MTRJ style connectors for SX fiber.

The XL card adds hardware acceleration to the 2 fiber Gig interfaces (increases performance to 1 Gig monitoring capability).

However, there is a limitation that with the XL card only the 2 fiber interfaces of the XL card can be used for monitoring.

If the IDS-4250-SX-INT= (aka SX card) is added to the IDS-4250 then the sensor becomes an IDS-4250-SX-K9 (aka IDS-4250-SX).

The SX card has a single fiber Gig interface with SC style connector for the SX interface.

With the IDS-4250-SX the user can sniff off both the SX interface of the card as well as the standard onboard sniffing TX Gig interface giving a total of 2 sniffing interfaces.

If the IDS-4FE-INT= (aka 4FE card) is added to the IDS-4250 then there has not been a specific sensor name created (though I generally call it an IDS-4250-4FE).

The 4FE card has 4 10/100 TX interfaces.

With the IDS-4250 and a 4FE card the user can sniff off both the 4 10/100 TX interfaces of the card as well as the standard onboard sniffing TX Gig interface giving a total of 5 sniffing interfaces.

NOTE: Any ONE of the 3 PCI cards can be placed in the IDS-4250. The IDS-4250 has 2 PCI slots, BUT Cisco ONLY supports placing a card in ONE of the 2 slots. So users can not put 2 XL cards, or 2 SX cards, or 2 4FE cards, or a mix of 2 different types of cards. (This may change in a future version).

So a quick breakdown of what I've said:

IDS-4250-TX-K9:
    1 Gig TX interface
    500 MBPS performance

IDS-4250-TX-K9 + IDS-4FE-INT=:
    1 Gig TX interface + 4 FE TX interfaces
    500 MBPS performance

IDS-4250-TX-K9 + IDS-4250-SX-INT= (IDS-4250-SX-K9):
    1 Gig TX interface + 1 Gig SX interface (SC connector)
    500 MBPS performance

IDS-4250-TX-K9 + IDS-XL-INT= (IDS-4250-XL-K9):
    2 Gig SX interfaces with hardware acceleration (MTRJ connectors)
    1 GBPS performance

NOTE: Performance is not per port, but is rather aggregate performance of the chassis when combining input on all sniffing ports.

As for the question about trunking:

The IDS software supports 802.1q trunk monitoring on ALL of the interfaces. You don't have to worry about buying a particular sensor model for trunking.

You need to determine your sensor model (and extra PCI card) based on the physical connection and sensor performance required:

How:

On the switch itself hard code the port to be an 802.1q trunk port and force the trunking to be turned on. (This has to be hardcoded on the switch because there is no negotiation messaging with the sensor.)

In Cat OS on the 6500 switch an example would be:

set trunk 6/1 on dot1q

Now set up the trunk port to only trunk the VLANs you are interested in monitoring.

In Cat OS on the 6500 switch an example would be:

set trunk 6/1 1-100

clear trunk 6/1 101-1005,1025-4094

Now you need to use either SPAN or VACL Capture to send packets to the trunk port.

In Cat OS on the 6500 switch an example would be:

set span 1-100 6/1

NOTE: Setting the port as a trunk port is not enough to get the packets sent to the sensor. You still need to use SPAN or VACL Capture on top of the trunk port to get the packets to the sensor for monitoring.

If you are not using the 6500 then, of course, the commands on your switch may be different. And in some cases the above commands may all be combined into a single command on your switch, so refer to your switch's documentation.
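As an added example (not Cisco's code and not part of the answer above), the following Python script parses the CatOS commands from the answer as they would appear in a saved switch configuration and checks the three things the answer says must all hold before the sensor sees traffic: trunking forced on with dot1q, the trunk pruned to the VLANs of interest, and a SPAN session actually delivering those VLANs to the port. It only understands the command forms shown in the answer (VACL Capture is not parsed), and it assumes that a newly trunked CatOS port allows VLANs 1-1005 and 1025-4094 until pruned, which is the range the answer's clear trunk command removes.

```python
"""Check a CatOS trunk + SPAN config for an IDS sniffing port.

Added example, not Cisco code. Models only the command forms in the answer:
set trunk <port> on dot1q | set/clear trunk <port> <vlans> | set span <vlans> <port>.
VACL Capture is not parsed. Assumption: a new CatOS trunk carries VLANs 1-1005
and 1025-4094 until pruned (the range the answer clears).
"""
import re

CATOS_DEFAULT_TRUNK_VLANS = set(range(1, 1006)) | set(range(1025, 4095))  # assumed default
TRUNK_MODE_RE = re.compile(r"^set trunk (\S+) (on|nonegotiate|desirable|auto|off)"
                           r"(?: (dot1q|isl|negotiate))?(?: ([\d,-]+))?$")
TRUNK_VLAN_RE = re.compile(r"^(set|clear) trunk (\S+) ([\d,-]+)$")
SPAN_RE = re.compile(r"^set span ([\d,-]+) (\S+)$")


def parse_vlan_list(spec):
    """Expand '1-100' or '101-1005,1025-4094' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def fmt_vlans(vlans):
    """Collapse a set of VLAN ids back into CatOS range notation, e.g. '1-3,5'."""
    seq, out, i = sorted(vlans), [], 0
    while i < len(seq):
        j = i
        while j + 1 < len(seq) and seq[j + 1] == seq[j] + 1:
            j += 1
        out.append(str(seq[i]) if i == j else f"{seq[i]}-{seq[j]}")
        i = j + 1
    return ",".join(out)


def parse_catos(config_text):
    """Return per-port state: trunk mode, encapsulation, allowed VLANs, SPAN source VLANs."""
    ports = {}

    def state(port):
        return ports.setdefault(port, {"mode": None, "encap": None,
                                       "allowed": set(CATOS_DEFAULT_TRUNK_VLANS),
                                       "span_src": set()})

    for line in (ln.strip() for ln in config_text.splitlines()):
        if not line or line[0] in "#!":
            continue
        if m := TRUNK_MODE_RE.match(line):
            port, mode, encap, vlans = m.groups()
            st = state(port)
            st["mode"], st["encap"] = mode, encap or st["encap"]
            if vlans:
                st["allowed"] |= parse_vlan_list(vlans)
        elif m := TRUNK_VLAN_RE.match(line):
            verb, port, vlans = m.groups()
            if verb == "set":
                state(port)["allowed"] |= parse_vlan_list(vlans)
            else:
                state(port)["allowed"] -= parse_vlan_list(vlans)
        elif m := SPAN_RE.match(line):
            state(m.group(2))["span_src"] |= parse_vlan_list(m.group(1))
    return ports


def check_sensor_port(ports, sensor_port):
    """Findings for the switch port cabled to the sensor; an empty list means OK."""
    st = ports.get(sensor_port)
    if st is None:
        return [f"{sensor_port}: no trunk or SPAN command references this port"]
    findings = []
    if st["mode"] not in ("on", "nonegotiate"):
        findings.append(f"{sensor_port}: trunking not forced on (mode={st['mode']}); "
                        "the sensor never answers trunk negotiation")
    if st["encap"] != "dot1q":
        findings.append(f"{sensor_port}: encapsulation is {st['encap']}, not dot1q")
    if not st["span_src"]:
        findings.append(f"{sensor_port}: trunk configured but no SPAN session feeds it, "
                        "so the sensor sees no traffic")
    if dropped := st["span_src"] - st["allowed"]:
        findings.append(f"{sensor_port}: SPAN sources {fmt_vlans(dropped)} are pruned "
                        "from the trunk and never reach the sensor")
    if st["span_src"] and (extra := st["allowed"] - st["span_src"]):
        findings.append(f"{sensor_port}: trunk still allows {fmt_vlans(extra)}, "
                        "which nothing mirrors; prune them")
    return findings


# Constructed sample: the answer's four commands, and the same with the SPAN step forgotten.
GOOD_CONFIG = """
set trunk 6/1 on dot1q
set trunk 6/1 1-100
clear trunk 6/1 101-1005,1025-4094
set span 1-100 6/1
"""
TRUNK_ONLY_CONFIG = "\n".join(GOOD_CONFIG.splitlines()[:-1])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("trunk-only", TRUNK_ONLY_CONFIG)):
        print(name, check_sensor_port(parse_catos(cfg), "6/1") or "OK")
```

Run it as-is to see the answer's configuration pass and the trunk-only variant fail with the "no SPAN session feeds it" finding; to check a real switch, paste the relevant set trunk, clear trunk and set span lines from your saved CatOS configuration into GOOD_CONFIG and name the port the sensor is cabled to.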
