
IDS Addressing /VLAN issue

rschwendeman
Level 1

We have an IDS ver 4.1 in a cat 6k, and initially addressed it in a lab in vlan 1 as such:

vlan 1: 161.220.60.1 /24

IDS: 161.220.60.10 /24

The IDS gateway is the VLAN 1 IP.

This has worked fine; we were able to ping and telnet between the 6k and the IDS. But in getting ready for deployment, we have decided that we would rather not use VLAN 1, and created a new VLAN for our IDS and NAM, say VLAN 100. We removed the addressing from VLAN 1 and shut it down. We addressed VLAN 100 in the same way, but are now no longer able to even ping the IDS from the cat 6k. I even added a static route:

ip route 161.220.60.10 255.255.255.255 vlan 100

Still unable to ping the IDS. It seems that the VLAN 1 info is cached in some way, preventing any access through the new VLAN 100. We cleared the ARP; is there anything else that needs to be cleared so the IDS can be part of VLAN 100 as it was in VLAN 1?

Also, is there any known issue if we were to decide to put the IDS and NAM back into VLAN 1?

2 Replies

marcabal
Cisco Employee

The IDSM-2's command and control port is in vlan 1 by default so you did not need to execute a special command to move it to vlan 1.

But if you want to move it to VLAN 100, then you will need to execute the switch command to move the IDSM-2's command and control port to VLAN 100.

Examples for a module in slot 5:

For Cat OS:

set vlan 100 5/2

For Native IOS:

intrusion-detection module 5 management-port access-vlan 100

(Similar changes would be needed for NAM as well).

Have you executed the above switch command to move the command and control of the IDSM-2 to vlan 100?

Thanks marcabal,

I put in the command above as suggested, and all seems to work properly.
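
The mismatch resolved in this thread can be caught before deployment with a small configuration audit. The following is an added example, not code from the thread or from Cisco: the config text is constructed, the function names are hypothetical, and it assumes a native IOS running-config layout and the default described in the reply (the command and control port stays in VLAN 1 unless moved).

```python
import ipaddress
import re

# Constructed sample (not from the thread): native IOS config after the SVI
# was moved to VLAN 100 but before the management-port command was entered.
BROKEN_CONFIG = """\
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 161.220.60.1 255.255.255.0
!
"""
FIXED_CONFIG = BROKEN_CONFIG + "intrusion-detection module 5 management-port access-vlan 100\n"

def parse_svis(config):
    """Return {vlan_id: {"net": IPv4Network or None, "shutdown": bool}}."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)\s*$", line)
        if m:
            current = svis.setdefault(int(m.group(1)), {"net": None, "shutdown": False})
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current is not None:
            m = re.match(r" ip address (\S+) (\S+)", line)
            if m:
                current["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif line.strip() == "shutdown":
                current["shutdown"] = True
    return svis

def check_mgmt_vlan(config, slot, sensor_ip):
    """Return a list of problems with the module's command-and-control VLAN."""
    m = re.search(rf"^intrusion-detection module {slot} management-port access-vlan (\d+)\s*$", config, re.M)
    vlan = int(m.group(1)) if m else 1  # assumption from the reply: VLAN 1 unless moved
    svi = parse_svis(config).get(vlan)
    problems = []
    if svi is None:
        problems.append(f"no interface Vlan{vlan} for management VLAN")
    else:
        if svi["shutdown"]:
            problems.append(f"interface Vlan{vlan} is shut down")
        if svi["net"] is None or ipaddress.ip_address(sensor_ip) not in svi["net"]:
            problems.append(f"{sensor_ip} is not in the Vlan{vlan} subnet")
    return problems
```

An empty list means the sensor's management address is reachable through the SVI of the VLAN its command and control port actually sits in.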
