topic Re: How to best use IDSM in promiscuous mode? in Network Security

How to best use IDSM in promiscuous mode?

hoffa2000 — Sun, 10 Mar 2019 10:48:05 GMT

Hi folks

I need some input and ideas how to best set up my IDSM2 module.

Today I have the module set up to capture traffic from the 6513 using SPAN in both directions and two different firewalled VLANs as sources. The destination is data-port 1 on the IDSM. This setup is working fine but I'm curious as how to best use the second data-port. Our 6513 runs IOS 12.2(18)SXF3 and has a limit of only one SPAN session set up to capture an entire VLAN in both directions.

My idea was to use the second data-port as SPAN destination for our external/non-firewalled VLAN, but this isn't allowed.

Does anyone have or had a similar problem? Would using a VLAN access list with data-port 2 as destination be an option or are the dual IDSM interfaces mainly used for inline mode?

Regards

Fredrik Hofgren

Re: How to best use IDSM in promiscuous mode?

gmherring — Fri, 21 Sep 2007 13:13:45 GMT

Fredrik,

I am using VACLs in the switch that has the IDSM. This will preserve your SPAN sessions.

You can specify which vlans go to which port on the IDSM.

We actually have our external vlan set up as an inline vlan pair on data port 2.

Re: How to best use IDSM in promiscuous mode?

hoffa2000 — Fri, 21 Sep 2007 14:17:36 GMT

Excellent

Might have a go at that idea with inline vlan pair for the external vlan. You using version 5.1 for the IDSM?

Re: How to best use IDSM in promiscuous mode?

gmherring — Fri, 21 Sep 2007 14:21:03 GMT

I'm on 6.0 I don't remember if 5.x did inline vlan pairs.

Re: How to best use IDSM in promiscuous mode?

hoffa2000 — Fri, 21 Sep 2007 14:24:43 GMT

It does. Will try it next week