Solved: Configuring IDSM in promiscuous mode?

Adrian Caba Gutierrez · ‎05-08-2013

Hello,

I have two switch catalyst 6500 in VSS each with a IDSM module, I want monitor four VLANs three of them are vlans of users and one of servers, I am planning use VACLs to capture the traffic.

My first quetion is how to configure the data ports of IDSM in promiscuous mode, if in the configuration guide say that by default the data ports are in promiscuous mode, so that means that I don't have to make any configuration in the data ports of IDSM?

Second, if I have two switches 6500 in vss each with a IDSM module, I have to consider other configurations for this situation?

The configuration of VACL that I will put is:

ip access-list extended ACL_IPS

permit ip any any

!

vlan access-map VACL_IPS 10

match ip address ACL_IPS

action forward

!

vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100

!

intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100

intrusion-detection switch 1 module 4 data-port 1 capture

intrusion-detection switch 1 module 4 data-port 1 autostate include

!

intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100

intrusion-detection switch 2 module 4 data-port 1 capture

intrusion-detection switch 2 module 4 data-port 1 autostate include

Thanks for the help.

rhermes · ‎05-14-2013

The IDSM doesn;t need any special commands to inspect traffic in Promiscious mode.

You'll want to put your IDSM management interfaces on a VLAN to talk with them:

intrusion-detection module 4 management-port access-vlan 99

Use the "forward capture" switch:

vlan access-map VACL_IPS 10

match ip address ACL_IPS

action forward capture

Get rid of the spaces between your VLAN numbers

vlan filter VACL_IPS vlan-list 30,40,50,100

If you put two IDSMs in teh same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.

- Bob

View solution in original post

rhermes · ‎05-14-2013

The IDSM doesn;t need any special commands to inspect traffic in Promiscious mode.

You'll want to put your IDSM management interfaces on a VLAN to talk with them:

intrusion-detection module 4 management-port access-vlan 99

Use the "forward capture" switch:

vlan access-map VACL_IPS 10

match ip address ACL_IPS

action forward capture

Get rid of the spaces between your VLAN numbers

vlan filter VACL_IPS vlan-list 30,40,50,100

If you put two IDSMs in teh same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.

- Bob

Adrian Caba Gutierrez · ‎05-14-2013

Hello Rhermes,

In my case every switch 6500 have one IDSM and these switches are in VSS both IDSMs should be in promiscuous mode, my quetion is if I have to take any consideration for this case.

Thanks a lot for the help.

rhermes · ‎05-14-2013

Not that I know of, but since Promiscious mode won;t effect yoru traffic, I;d give this config a try.

Adrian Caba Gutierrez · ‎05-14-2013

Thanks a lot for the help, I will make the configurations and tell you how was it.