topic Re: Configuring IDSM in promiscuous mode? in Network Security

Configuring IDSM in promiscuous mode?

Adrian Caba Gutierrez — Sun, 10 Mar 2019 12:57:33 GMT

Hello,

I have two switch catalyst 6500 in VSS each with a IDSM module, I want monitor four VLANs three of them are vlans of users and one of servers, I am planning use VACLs to capture the traffic.

My first quetion is how to configure the data ports of IDSM in promiscuous mode, if in the configuration guide say that by default the data ports are in promiscuous mode, so that means that I don't have to make any configuration in the data ports of IDSM?

Second, if I have two switches 6500 in vss each with a IDSM module, I have to consider other configurations for this situation?

The configuration of VACL that I will put is:

ip access-list extended ACL_IPS

permit ip any any

vlan access-map VACL_IPS 10

match ip address ACL_IPS

action forward

vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100

intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100

intrusion-detection switch 1 module 4 data-port 1 capture

intrusion-detection switch 1 module 4 data-port 1 autostate include

intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100

intrusion-detection switch 2 module 4 data-port 1 capture

intrusion-detection switch 2 module 4 data-port 1 autostate include

Thanks for the help.

Configuring IDSM in promiscuous mode?

rhermes — Tue, 14 May 2013 19:24:33 GMT

The IDSM doesn;t need any special commands to inspect traffic in Promiscious mode.

You'll want to put your IDSM management interfaces on a VLAN to talk with them:

intrusion-detection module 4 management-port access-vlan 99

Use the "forward capture" switch:

vlan access-map VACL_IPS 10

match ip address ACL_IPS

action forward capture

Get rid of the spaces between your VLAN numbers

vlan filter VACL_IPS vlan-list 30,40,50,100

If you put two IDSMs in teh same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.

- Bob

Re: Configuring IDSM in promiscuous mode?

Adrian Caba Gutierrez — Tue, 14 May 2013 20:06:08 GMT

Hello Rhermes,

In my case every switch 6500 have one IDSM and these switches are in VSS both IDSMs should be in promiscuous mode, my quetion is if I have to take any consideration for this case.

Thanks a lot for the help.

Re: Configuring IDSM in promiscuous mode?

rhermes — Tue, 14 May 2013 20:23:38 GMT

Not that I know of, but since Promiscious mode won;t effect yoru traffic, I;d give this config a try.

Re: Configuring IDSM in promiscuous mode?

Adrian Caba Gutierrez — Tue, 14 May 2013 21:14:09 GMT

Thanks a lot for the help, I will make the configurations and tell you how was it.