IDSM-2 capturing some, but not all?

dbobeldyk
Level 1

I have an IDSM-2 that is sending alarms, but it doesn't seem like it's sending enough. I'm comparing the network that I'm monitoring to another portion of this client's network, and logically this sensor should be triggering a lot more alarms, but it's not.

The logical setup is as follows:

Internet
   |
PIX FWSM
   |
IDSM-2 Sensor
   |
MSFC-2

Physically all of the devices are in the same Cat 6513, which makes me think that perhaps the IDSM isn't capable of picking up all the traffic travelling between an FWSM VLAN and the MSFC-2.

Config fragments are as follows:

IDS
-------------------
intrusion-detection module <x> management-port access-vlan yyy
intrusion-detection module <x> data-port 1 capture
intrusion-detection module <x> data-port 1 capture allowed-vlan <zzz>
vlan filter IDS-Internet-Traffic vlan-list <zzz>
vlan access-map IDS-Internet-Traffic 10
 match ip address All-Traffic
 action forward capture
vlan access-map IDS-Internet-Traffic 15
 match ip address All-Traffic
 action forward
!

Firewall
---------------------------
firewall module <a> vlan-group 1
firewall vlan-group 1 <aaa,zzz,bbb,ccc,ddd,eee>

Any suggestions? Is the IDSM capable of examining all traffic on this link?

6 Replies

marcabal
Cisco Employee

The problem is in the interaction between the VACL Capture and the routing by the MSFC.

You are applying the VACL to , but because of the interaction between VACLs and routing by the MSFC, the IDSM-2 actually has to monitor as well as ALL other vlans that the MSFC is routing.

So if the MSFC is routing vlans 1-200 as well, then the IDSM-2 needs to monitor "allowed-vlan 1-200,".

If your switch has WAN ports, then in addition it needs to monitor the vlans being used for the WAN ports. However, you won't know what those vlans are (the switch dynamically picks an unused vlan), so you need to monitor ALL vlans "allow-vlan 1-4094"

Marco


Thanks for the reply Marco.

I'm not sure I understand it though. The only traffic that I wish to monitor is the traffic going out to the Internet (or coming in from the Internet). If I was to turn on capturing for all VLAN traffic, thereby monitoring all the traffic going through the switch, the IDSM-2 would be quickly overwhelmed.

I'm not looking to monitor all traffic going through the switch, just the traffic travelling along the link to/from the Internet.

Denny

Or are you stating that the following line should change to:

intrusion-detection module data-port 1 capture allowed-vlan 1-4095

!But keep this line the same

vlan filter IDS-Internet-Traffic vlan-list

You've got it correct.

Here is another explanation for you.

By putting the capture VACL on vlan .

You are correctly telling the switch to mark the matching packets flowing through vlan as captured packets.

This turns on the "capture bit" within the internal switch header for that packet.

That packet continues to be processed by the rest of the switch and MSFC.

In the case of processing by the MSFC it gets routed to another vlan .

Now the packet gets sent on the switch backplane to the end port where it leaves the switch on vlan .

All of the ports you configured as "capture" ports are monitoring all of these packets on the backplane that are going to other ports in the switch.

They are looking for packets with the "capture bit" set. Once it sees a packet with the "capture bit" it then checks its vlan list to see whether or not to copy that packet to the attached sniffer (in your case the IDSM-2).

Now the tricky part.

If your IDSM-2 is only "allowed-vlan " then it will only look for "capture" packets on vlan .

BUT those packets got routed to vlan .

So the capture port is actually seeing them as vlan capture packets instead of where you applied the vlan filter.

So your capture port will actually need to monitor both vlan , and . "allowed-vlan ,"

By monitoring it does not monitor ALL traffic on it only monitors traffic that has been marked for capture. In your case only the traffic going through vlan .

If the MSFC can route to multiple vlans, then each of these vlans needs to be in the allowed-vlan list. If the MSFC can route to WAN modules, then you pretty much have to put all vlans in the allowed-vlan list because the switch could choose any unused vlan to send the traffic internally to the WAN port.
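To make the mechanism Marco describes concrete, here is a small Python model of the capture bit flow. It is an added example, not Cisco code and not from this thread; the VLAN numbers are constructed placeholders standing in for zzz and the inside vlans, and the model assumes the VACL marks packets entering or leaving the filtered vlan while the capture port checks the vlan the packet is on after MSFC routing.

```python
# Toy model of Catalyst 6500 VACL capture as described in the thread above.
# Constructed example; VLAN numbers are placeholders, not real configuration.
from dataclasses import dataclass

INTERNET_VLAN = 100           # stands in for vlan zzz (FWSM <-> MSFC link)
INSIDE_VLANS = {10, 20, 30}   # vlans the MSFC routes to (constructed)

# (ingress vlan, vlan the packet leaves on after any MSFC routing)
FLOWS = [
    (100, 10),    # inbound from Internet, routed by MSFC to vlan 10
    (100, 20),    # inbound from Internet, routed by MSFC to vlan 20
    (10, 100),    # outbound to Internet, routed by MSFC onto vlan 100
    (100, 100),   # bridged within vlan 100, never touches the MSFC
    (10, 20),     # inside-to-inside traffic, never on vlan 100
]


@dataclass
class Packet:
    src_vlan: int
    dst_vlan: int
    capture_bit: bool = False


def apply_vacl_capture(pkt, vlan_filter):
    """'action forward capture' sets the capture bit in the internal switch
    header for packets bridged within, routed into, or routed out of a
    vlan in the 'vlan filter ... vlan-list'. The packet is still forwarded."""
    if pkt.src_vlan in vlan_filter or pkt.dst_vlan in vlan_filter:
        pkt.capture_bit = True
    return pkt


def capture_port_copies(pkt, allowed_vlans):
    """The IDSM data-port copies a backplane packet only when the capture bit
    is set AND the vlan the packet is now on is in its allowed-vlan list."""
    return pkt.capture_bit and pkt.dst_vlan in allowed_vlans


def simulate(flows, vlan_filter, allowed_vlans):
    """Return the flows the IDSM-2 would actually receive."""
    seen = []
    for src, dst in flows:
        pkt = apply_vacl_capture(Packet(src, dst), vlan_filter)
        if capture_port_copies(pkt, allowed_vlans):
            seen.append((src, dst))
    return seen


def missed_flows(flows, vlan_filter, allowed_vlans):
    """Flows that carry the capture bit but are dropped by the allowed-vlan check."""
    full = simulate(flows, vlan_filter, allowed_vlans | {v for f in flows for v in f})
    return [f for f in full if f not in simulate(flows, vlan_filter, allowed_vlans)]
```

With allowed-vlan limited to the Internet vlan, the inbound half of every routed conversation is marked for capture but never copied; widening allowed-vlan to include the inside vlans fixes that without ever copying the inside-to-inside flow, because the VACL was never applied to it.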

Without monitoring , and only having the allowed-vlan , would you still see all vlan zzz to vlan zzz traffic - i.e. traffic that does not have to go through the msfc?
