SPAN Configuration for IDSM

Dears,

We have IDSM / FWSM running in our 6500 Switch, the FWSM is in transparent mode and for IDSM we configured one SPAN Port.

Right now we have one requirement for SPAN configuration. Currently the 6500 with the current SUP has a limitation of only 2 SPAN sessions,

and we are using both: one for the FWSM and the second one for the IDSM.

Can anyone help and suggest another option?

Thanks.

Re: SPAN Configuration for IDSM

When running a FWSM in a 6500, you don't need to use a SPAN session to send traffic to the FWSM.  To send traffic through the FWSM, use the "firewall" set of commands in the 6500 switch configuration.

I recommend reading the section "Assigning VLANs to the Firewall Services Module" from the FWSM 4.1 Configuration Guide:

http://www.cisco.com/en/US/customer/docs/security/fwsm/fwsm41/configuration/guide/switch_f.html#wp1175820

There's also an example of these commands in the "FWSM Basic Configuration Example" here:

http://www.cisco.com/en/US/customer/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml#sw

A similar command exists for the IDSM ("intrusion-detection module"), for use in certain configurations.  You can read more here, in the "Configuring IDSM-2" section of the IPS 6.1 Configuration Guide for CLI:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1030828

If nothing else, using these commands could free up the 2 available SPAN sessions for other use (such as a NAM module).
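The "firewall" commands referred to above, as an added example of the Supervisor-side configuration; this is not from the original post or from the linked Cisco guides, and the slot number, VLAN numbers and names are assumptions. The point is that the FWSM receives its VLANs through this assignment, so no SPAN session is consumed by it.

```ios
! Catalyst 6500 Supervisor (Cisco IOS), added example.
! Assumptions: FWSM in slot 3; transparent-mode bridge between VLAN 10 (inside)
! and VLAN 20 (outside); VLAN 100 reserved for FWSM management.
vlan 10
 name FW-Inside
vlan 20
 name FW-Outside
vlan 100
 name FWSM-Admin
!
! Put the VLANs the FWSM should own into a firewall VLAN group, then hand the
! group to the module. Traffic on these VLANs is switched to the FWSM directly;
! no "monitor session" is involved.
firewall vlan-group 1 10,20,100
firewall module 3 vlan-group 1
!
! Optional: by default the switch allows only one SVI among the firewall VLANs.
! Uncomment if the Supervisor needs SVIs on more than one of them.
! firewall multiple-vlan-interfaces
!
! Verification: confirm the group contents and that the module sees them.
show firewall vlan-group
show firewall module
```

Because the inside and outside VLANs are bridged by the FWSM, whichever monitoring method the IDSM ends up using should watch only one side of the bridge, or every packet will be seen twice.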


Re: SPAN Configuration for IDSM

Hi Michael,

Thanks for prompt reply.

The configuration I am looking for is for the IDSM; the FWSM is already configured.

We have two options to configure the IDSM in the 6500: SPAN and VACL Capture.

Is there any third option available for IDSM configuration? We need one SPAN session for a monitoring tool, and there are already 2 sessions configured on the SUP.


Re: SPAN Configuration for IDSM

The FWSM is already configured.

...

We need one SPAN session for a monitoring tool, and there are already 2 sessions configured on the SUP.

Actually, that's why I mentioned the FWSM configuration.  You don't need to use SPAN in conjunction with the FWSM.  In fact, I've never seen it used that way.

My apologies, I didn't realize the FWSM is automatically using a SPAN session, which isn't listed in the config.  Well, you won't need SPAN for the IDSM, at least for most configurations.

We have two options to configure the IDSM in the 6500: SPAN and VACL Capture.

Is there any third option available for IDSM configuration?

You can see the supported configurations for the IDSM-2 in the "Configuring IDSM-2" section of the IPS Configuration Guide for CLI, found here:

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030694

The options include:

  • SPAN
  • VACL Capture
  • EtherChannel Load Balancing (ECLB) with VACL Capture
  • Inline Interface Pairs
  • ECLB with Inline Interface Pairs
  • Inline VLAN Pairs
  • ECLB with Inline VLAN Pairs

Are you looking to put the IPS/IDS in "inline" mode?  Or would you like to keep it as promiscuous only?

Message was edited by: Michael Crowe


Re: SPAN Configuration for IDSM

Hi Michael,

The IDSM is in promiscuous mode. We do not want to put it inline.


Re: SPAN Configuration for IDSM

Then you will want to use a VACL capture.  The procedure can be found here:

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828

Hope that helps.
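A worked VACL capture configuration for a promiscuous IDSM-2, added here as an example; it is not from the original post or from the linked guide, and the slot number, VLAN numbers and ACL/map names are assumptions. It also shows the one trap worth knowing about: a VLAN access map drops any packet that matches none of its clauses, so a map that only captures "interesting" traffic needs a final forward-everything clause or it silently becomes a firewall.

```ios
! Catalyst 6500 Supervisor (Cisco IOS), added example.
! Assumptions: IDSM-2 in slot 5 using data-port 1 as the capture port;
! VLAN 10 is the side of the transparent FWSM to be monitored.
!
! 1. Turn the IDSM-2 data port into a capture port and restrict which VLANs
!    it will receive. No "monitor session" is used, so both SPAN sessions
!    remain free for the FWSM and the monitoring tool.
intrusion-detection module 5 data-port 1 capture
intrusion-detection module 5 data-port 1 capture allowed-vlan 10
!
! 2. Select what to copy to the sensor. "permit" here means "capture", not
!    "allow"; VACL capture copies matching packets without blocking them.
!    Narrow this ACL (for example to the server subnets) if the sensor cannot
!    keep up with the full VLAN load.
ip access-list extended IDSM-CAPTURE-ACL
 permit ip any any
!
! 3. The access map: clause 10 forwards AND captures what the ACL matches;
!    clause 20 has no match statement, so it forwards everything else.
!    Without clause 20, any packet the ACL does not match is dropped.
vlan access-map IDSM-CAPTURE-MAP 10
 match ip address IDSM-CAPTURE-ACL
 action forward capture
vlan access-map IDSM-CAPTURE-MAP 20
 action forward
!
! 4. Apply the map to the monitored VLAN.
vlan filter IDSM-CAPTURE-MAP vlan-list 10
!
! Verification: check the map, where it is applied, and the capture port state.
show vlan access-map IDSM-CAPTURE-MAP
show vlan filter
show intrusion-detection module 5 data-port 1 state
```

Because the FWSM bridges the inside and outside VLANs, capture only one side (VLAN 10 here); applying the filter to both VLANs would deliver two copies of every bridged packet to the sensor.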
