topic Re: SPAN Configuration for IDSM in Network Security

SPAN Configuration for IDSM

syedaltaf.shah — Sun, 10 Mar 2019 12:19:32 GMT

Dears,

We have IDSM / FWSM running in our 6500 Switch, the FWSM is in transparent mode and for IDSM we configured one SPAN Port.

Right now we have one requirement for SPAN configuration. currently the 6500 with the current SUP has limitation for only 2 SPAN Sessions,

And we are using both, one is for FWSM and the second one for IDSM.

Any one can help and suggest for another option?

Thanks.

Re: SPAN Configuration for IDSM

mikecrowe4ICS_2 — Mon, 11 Apr 2011 01:59:52 GMT

When running a FWSM in a 6500, you don't need to use a SPAN session to send traffic to the FWSM. To send traffic through the FWSM, use the "firewall" set of commands in the 6500 switch configuration.

I recommend reading the section "Assigning VLANs to the Firewall Services Module" from the FWSM 4.1 Configuration Guide:

http://www.cisco.com/en/US/customer/docs/security/fwsm/fwsm41/configuration/guide/switch_f.html#wp1175820

There's also an example of these commands in the "FWSM Basic Configuration Example" here:

http://www.cisco.com/en/US/customer/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml#sw

A similar command exists for the IDSM ("intrusion-detection module"), for use in certain configurations. You can read more here, in the "Configuring IDSM-2" section of the IPS 6.1 Configuration Guide for CLI:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1030828

If nothing else, using these commands could free up the 2 available SPAN sessions for other use (such as a NAM module).

Re: SPAN Configuration for IDSM

syedaltaf.shah — Mon, 11 Apr 2011 04:46:41 GMT

Hi Michael,

Thanks for prompt reply.

The configuration iam looking is for IDSM, FWSM already configured.

we have two options to configure IDSM in 6500, SPAN and VACL Capture.

Is there any third option available for IDSM configuration? we need one span session for some Monitoring tool, and there are already 2 session in the sup configured.

Re: SPAN Configuration for IDSM

mikecrowe4ICS_2 — Mon, 11 Apr 2011 05:57:11 GMT

FWSM already configured.

...

we need one span session for some Monitoring tool, and there are already 2 session in the sup configured.

~~Actually, that's why I mentioned the FWSM configuration. You don't need to use SPAN in conjuntion with the FWSM. In fact, I've never seen it used that way.~~

My apologies, I didn't realize the FWSM is automatically using a SPAN session, which isn't listed in the config. Well, you won't need SPAN for the IDSM, at least for most configurations.

we have two options to configure IDSM in 6500, SPAN and VACL Capture.

Is there any third option available for IDSM configuration?

You can see the supported configurations for the IDSM-2 in the "Configuring IDSM-2" section of the IPS Configuration Guide for CLI, found here:

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030694

The options include:

SPAN
VACL Capture
EtherChannel Load Balancing (ECLB) with VACL Capture
Inline Interface Pairs
ECLB with Inline Interface Pairs
Inline VLAN Pairs
ECLB with Inline VLAN Pairs

Are you looking to put the IPS/IDS in "inline" mode? Or would you like to keep it as promiscuous only?

Message was edited by: Michael Crowe

Re: SPAN Configuration for IDSM

syedaltaf.shah — Mon, 11 Apr 2011 06:11:08 GMT

Hi Michael,

IDSM is in promiscuous mode. we do not want to put it inline.

Re: SPAN Configuration for IDSM

mikecrowe4ICS_2 — Mon, 11 Apr 2011 06:32:15 GMT

Then you will want to use a VACL capture. The procedure can be found here:

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828

Hope that helps.