Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
527
Views
0
Helpful
2
Replies

IDSM-2, inline and Passive mode in same Module?

blackhat2020
Level 1
Level 1

‎03-13-2009 11:53 PM - edited ‎03-10-2019 04:32 AM

Hi,i have a question that it can be strange.in our network we have implemented idsm-2 module in our 6513 Switch in inline mode.without any discution about network design suppose that our network is going beyond IDSM-2 Throughput and then we want to use IDSM-2 for some traffic in Passive mode insted of inline to reduce drop probability in inline mode.i mean before this state we were using idsm-2 data port 1(in vlan pair mode),now can we use data port 2 for this purpus(capturing some traffic on data port 2 for passive operation)? in other word idsm-2 can operate in this way?

Labels:
0 Helpful
2 Replies 2

blackhat2020
Level 1
Level 1

‎03-14-2009 01:15 AM

i found my answer in idsm-2 document "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." but something else,for doing such thing suppos that i have sig 2004 configured for inline traffic to deny attacker inline then this action doesnt make any sense for some data in passive mode and suppos that for that kind of traffic which idsm-2 is operating in passive mode i want to just send an alert. so can i use deferent VS for doing this? thanks.

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to blackhat2020

‎03-19-2009 02:29 PM

Yes, you can place the inline vlan pairs from data-port 1 into a separate virtual sensor for the promiscuous data-port 2. And have different signature configurations in each of the virtual sensors.

If you keep the data-port 1 inline vlan pairs and the promiscuous data-port 2 in the same virtual sensor, then this will still work OK. Any time a signature fires for promiscuous traffic where a Deny would have happened you will get aline in the alert that says somehting like Deny Requested but Not Performed. This lets you know the signatures was configured for deny (or a deny was added by an overrides), but the deny couldn't be done because it was a Promiscuous packet.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card