https://community.cisco.com/t5/network-security/idsm/m-p/1114013#M79106 <HTML><HEAD></HEAD><BODY><P>The intrusion detection module is connected to the switch back plane via a 'hidden' link. Which can be seen by show ether channel tough. The IDSM in total has 8 ports. In your configuration the management/command&amp;control port belongs to VLAN 333 (this is port gig 0/1 on the IDSM I think). This port is represented by 'management-port' in the IDSM config.</P><P></P><P>Ports gig x/7 and gig x/8 are the two 'sensing' ports. These are represented by 'data-port' 1 and 2 in the IDSM config. In you case all data from some interface(s)/vlan(s) is being sent to the 'first' sensing port of the IDSM. So in short you are using promiscuous mode. For more details on what traffic is being sent, have a look at the 'show monitor session' command.</P><P></P><P>Please rate if helpful.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 22 Aug 2008 02:14:19 GMT Farrukh Haroon 2008-08-22T02:14:19Z https://community.cisco.com/t5/network-security/idsm/m-p/1114008#M79101 <P>Which command on IDSM is used to check if the device is running on inline or promiscous mode?</P> Sun, 10 Mar 2019 11:15:24 GMT https://community.cisco.com/t5/network-security/idsm/m-p/1114008#M79101 aksher 2019-03-10T11:15:24Z https://community.cisco.com/t5/network-security/idsm/m-p/1114009#M79102 <HTML><HEAD></HEAD><BODY><P>You can see this both from the Cataylyst Switch configuration and the IDS itself. </P><P></P><P>In the 6500 switch if its inline VLAN pair you will form a trunk to the IDSM like this:</P><P></P><P>intrusion-detection port-channel 5 trunk allowed-vlan 130,140</P><P></P><P>If it is Inline Phyiscal interfae you will see something like:</P><P></P><P>intrusion-detection module 4 data-port 1 access-vlan</P><P></P><P>In case of promiscious you will have SPAN/capture configuration.</P><P></P><P>On the IDS cli you can see it via CLI:</P><P></P><P>physical-interfaces GigabitEthernet0/8 </P><P>subinterface-type inline-vlan-pair</P><P>subinterface 7 </P><P>vlan1 160</P><P>vlan2 760</P><P></P><P>This is an example of Inline VLAN Pair.</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P></BODY></HTML> Wed, 20 Aug 2008 06:38:40 GMT https://community.cisco.com/t5/network-security/idsm/m-p/1114009#M79102 Farrukh Haroon 2008-08-20T06:38:40Z https://community.cisco.com/t5/network-security/idsm/m-p/1114010#M79103 <HTML><HEAD></HEAD><BODY><P>I can see </P><P>inline-interfaces test </P><P>no description</P><P>interface1 GigabitEthernet0/7</P><P>interface2 GigabitEthernet0/8</P><P>on CLI of IDSM which means it's in inline VLAN pair but however i can also see SPAN through monitor commands which means it's in promiscous mode. Which is correct?</P><P></P></BODY></HTML> Wed, 20 Aug 2008 20:10:11 GMT https://community.cisco.com/t5/network-security/idsm/m-p/1114010#M79103 aksher 2008-08-20T20:10:11Z https://community.cisco.com/t5/network-security/idsm/m-p/1114011#M79104 <HTML><HEAD></HEAD><BODY><P>No you IDS seems to be in 'Inline Interface Pair' mode and not Inline VLAN pair mode and definitely not in promiscuous mode. Those span settings must be for something else on the switch. </P><P></P><P>In IDM &gt;&gt; Virtual Sensor Configurationyou sill see it spelled out pretty clearly.</P><P></P><P>If possible post 'show run | inc intrusion' from your core switch.</P><P></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 21 Aug 2008 01:36:24 GMT https://community.cisco.com/t5/network-security/idsm/m-p/1114011#M79104 Farrukh Haroon 2008-08-21T01:36:24Z https://community.cisco.com/t5/network-security/idsm/m-p/1114012#M79105 <HTML><HEAD></HEAD><BODY><P>Thanks Farrukh! I am sending the output here,</P><P></P><P>sh run | i intrusion</P><P>intrusion-detection module 2 management-port access-vlan 333</P><P>intrusion-detection module 2 data-port 1 autostate include</P><P>intrusion-detection module 2 data-port 1 portfast enable</P><P>monitor session 2 destination intrusion-detection-module 2 data-port 1</P><P></P><P>Also it would be great if you explain the over all stuff in quick reference style:)</P><P></P><P></P></BODY></HTML> Thu, 21 Aug 2008 22:23:31 GMT https://community.cisco.com/t5/network-security/idsm/m-p/1114012#M79105 aksher 2008-08-21T22:23:31Z https://community.cisco.com/t5/network-security/idsm/m-p/1114013#M79106 <HTML><HEAD></HEAD><BODY><P>The intrusion detection module is connected to the switch back plane via a 'hidden' link. Which can be seen by show ether channel tough. The IDSM in total has 8 ports. In your configuration the management/command&amp;control port belongs to VLAN 333 (this is port gig 0/1 on the IDSM I think). This port is represented by 'management-port' in the IDSM config.</P><P></P><P>Ports gig x/7 and gig x/8 are the two 'sensing' ports. These are represented by 'data-port' 1 and 2 in the IDSM config. In you case all data from some interface(s)/vlan(s) is being sent to the 'first' sensing port of the IDSM. So in short you are using promiscuous mode. For more details on what traffic is being sent, have a look at the 'show monitor session' command.</P><P></P><P>Please rate if helpful.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 22 Aug 2008 02:14:19 GMT https://community.cisco.com/t5/network-security/idsm/m-p/1114013#M79106 Farrukh Haroon 2008-08-22T02:14:19Z