How to set IDSM-2 promiscuous mode?

Will.Watson
Level 1

Hello,

Can anyone help me setup my IDSM blade in promiscuous mode. I would like it to monitor three VLANs 10,20,25 so I can see how much traffic goes across them and what it picks up. Once I have everything setup I would then want to switch it to inline mode. Can anyone provide me with the commands I will need to add to the configuration on the 6500 and what I would need to add to the IDSM-2 setup.

Thank You in advance,

Will

3 Replies

rhermes
Level 7

Will -

To send traffic to your IDSM you configure it on the 6500 chassis.

You can set up promiscuous monitoring via the "span" command, but you are only allowed two span destinations on your entire 6500; this sometimes causes contention with other folks who want some span capacity for sniffers and such. As an alternative you can also use VACL capture. You should not configure an IDSM2 data port as both a SPAN destination port and a VACL capture port, because the IDSM2 will not receive traffic. This dual configuration (SPAN and VACL) causes problems on the switch and traffic is not sent properly. Ports 7 and 8 (GigabitEthernet0/7 and GigabitEthernet0/8) are the monitoring ports on the IDSM.

Below are the span instructions from:

http://www.cisco.com/en/US/partner/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1206645

Step 1 Log in to the console.

Step 2 Enter global configuration mode.

router# configure terminal

Step 3 Set the source interfaces for the monitor session.

router(config)# monitor session (session_number) source interface interface/port_number [, | - | rx | tx | both]

Example

router(config)# monitor session 1 source interface GigabitEthernet2/23 both

Step 4 Enable an IDSM2 data port as a SPAN destination.

router(config)# monitor session (session_number) destination intrusion-detection-module module_number data-port data_port_number

Example

router(config)# monitor session 1 destination intrusion-detection-module 9 data-port 1

Step 5 Make sure autostate is included for the data port.

router(config)# intrusion-detection module module_number data-port data_port_number autostate include

Example

router(config)# intrusion-detection module 9 data-port 1 autostate include

This allows the switch virtual interface to stay up if the data port is the only port in the VLAN. The default is no include.

Step 6 (Optional) Enable PortFast for the data port.

router(config)# intrusion-detection module module_number data-port data_port_number portfast

Example

router(config)# intrusion-detection module 9 data-port 1 portfast

The default is disabled.

Step 7 (Optional) To disable the monitor session.

router(config)# no monitor session session_number

Step 8 (Optional) To filter the SPAN session so that only certain VLANs are seen from switch port trunks.

router(config)# monitor session (session_number) {filter vlan {vlan_ID} [, | - ]}

Example

router(config)# monitor session 1 filter vlan 146

Step 9 Exit configuration mode.

router(config)# exit

Step 10 To show current monitor sessions:

router# show monitor session session_number

Example

router# show monitor session 1

    Session 1
    ---------
    Type                   : Local Session
    Source Ports           :
        Both               : Gi2/23
    Destination Ports      : intrusion-detection-module 9 data-port 1

- Bob

Bob -

Thanks for the reply.

I was reviewing the commands you gave me and had a question. For my situation with needing the three VLANs (10,20,25) as sources and the IDSM is in slot 9, can I put the following configuration into my 6500?

monitor session 1 source interface vlan 10,20,25

monitor session 1 destination intrusion-detection-module 9 data-port 1

intrusion-detection module 9 data-port 1 autostate include

or can I only have one source VLAN per data port and 
need to break it up like below, and only monitor 2 of the 3 VLANs?

monitor session 1 source interface vlan 10

monitor session 1 destination intrusion-detection-module 9 data-port 1

intrusion-detection module 9 data-port 1 autostate include

monitor session 2 source interface vlan 20

monitor session 2 destination intrusion-detection-module 9 data-port 2

intrusion-detection module 9 data-port 2 autostate include

Please let me know if either of these would be correct, or if I need to do something else entirely.

Thanks

Will

Will -

You can specify multiple vlans on the same source line. Comma separate individual vlans, dash separate ranges:

monitor session 1 source interface vlan 10,20,25-35

Your destination data-port might be 7 instead of 1 shown in the example. Ports 7 and 8 (GigabitEthernet0/7 and GigabitEthernet0/8) are the monitoring ports.

- Bob
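Putting the quoted SPAN steps and Bob's multi-VLAN source line together for Will's stated scenario (IDSM-2 in slot 9, VLANs 10, 20 and 25, promiscuous only), here is a complete switch-side configuration plus the sensor-side interface assignment Will also asked about. This is an added example written by the editor, not part of the original thread or of the Cisco documentation it quotes. Assumptions: the switch-side `data-port 1` is the first sensing port (the quoted steps use it; the sensor itself sees that port as GigabitEthernet0/7 and the second as GigabitEthernet0/8, so verify the mapping on your release with `show monitor session 1` and the sensor's interface listing before trusting it); the exact VLAN-list syntax (`source vlan 10 , 20 , 25` versus Bob's `source interface vlan 10,20,25`) varies by IOS release, so let the CLI's `?` help confirm it; and the IPS 6.x sensor CLI below (`service interface`, `service analysis-engine`, virtual sensor `vs0`) is assumed from that release family and should be checked against the configuration guide linked above. The `filter vlan` step is omitted because the sources here are VLANs rather than trunk ports, so there is nothing further to narrow.

```cisco
! --- Catalyst 6500 side (added example, not from the original post) ---
router# configure terminal

! Step 3: all three VLANs as sources of one session, both directions.
! Assumed syntax; Bob's "source interface vlan 10,20,25" is the other
! form seen in this thread -- use whichever the running release accepts.
router(config)# monitor session 1 source vlan 10 , 20 , 25 both

! Step 4: the IDSM-2 in slot 9, first sensing data port, as the only
! destination. Remember the chassis-wide limit of two SPAN destinations
! mentioned above, and never also make this port a VACL capture port.
router(config)# monitor session 1 destination intrusion-detection-module 9 data-port 1

! Step 5: keep the SVI up even if the data port is the only port in the VLAN.
router(config)# intrusion-detection module 9 data-port 1 autostate include

! Step 6 (optional): PortFast so the data port forwards immediately.
router(config)# intrusion-detection module 9 data-port 1 portfast

router(config)# exit

! Step 10: verify. The Source field should list the three VLANs under
! "Both" and the Destination should be module 9 data-port 1.
router# show monitor session 1

! --- IDSM-2 sensor side (assumed IPS 6.x CLI; verify per release) ---
! Enable the sensing interface that data-port 1 is assumed to map to.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes

! Assign that interface, alone, to the default virtual sensor.
! A single interface with no inline pair is what makes this promiscuous;
! converting to inline later is a separate change not covered here.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

If `show monitor session 1` shows the session but the sensor's interface statistics stay at zero, check first that the data port is not also referenced by a VACL capture configuration (the conflict Bob describes above) and that the sensor interface is both administratively enabled and assigned to `vs0`; either omission leaves the sensor silent without any error on the switch.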
