IDSM deployment in a live network...

dondongamo
Level 1

Guys

We're about to deploy an IDSM in a live 6500 with IOS 12.2(18) sxd4 sup720...

My questions are:

1. Are there any issues we have to consider since it is a live network?

2. Do we need any downtime, or will it interrupt the link?

3. Each of the 3 sites has a pair of 6500s and each core has an IDSM... what are Cisco's best practices/recommendations, since it will be an initial deployment?

4. Which would be ideal to use, SPAN or VACL, for such a topology?

Your input will be highly appreciated

TIA.

5 Replies

a.arndt
Level 3

Here are some quick answers to your list of questions...

1. Yes, there are some things to consider. The biggest one is the answer to your second question.

2. IIRC, you'll have to power off the Catalyst chassis prior to installing the IDSM-2 line card. Since the switch won't have power, you'll definitely impact your link(s). I'd say this is a big consideration, in light of your first question.

3. I’m not too sure what exactly you're asking here.

Without a better explanation of the overall network topology and where exactly the IDSM-2 sensors will actually be deployed, it's difficult to offer up anything meaningful. As for best practices, it always depends on the network topology, so we'll need more info to help. BTW, I'm not aware of any definitive "Best Practices" documentation WRT deploying IDS/IPS in specific scenarios, if that’s what you’re looking for.

4. The choice of SPAN or VACL is usually driven by what you're trying to monitor. If you want to watch all the traffic on your “ACCOUNTING” or “ENGINEERING” VLAN, you'd use VACL. If you want to watch all the switch ports that are connected to routers (uplinks, extranets, that kind of thing), SPAN is the way to go.

I hope this helps,

Alex Arndt

Just an FYI.

The Catalyst does support Hot Swap of line cards. So there is no need to power down the switch chassis to install the IDSM-2 in an empty slot. The IDSM-2 can also be removed from the chassis without powering down the chassis (though it is recommended to "shutdown" the IDSM-2 itself before removing it).

So just installing the IDSM-2 into the switch should not cause issues with other ports in the switch.

Thanks for the correction Marcoa.

Like I said, "IIRC" (If I Recall Correctly)

I guess this means that question 1 and 2's answers are now "No, not really..."

Alex Arndt

Thanks a lot, #4 is a logical answer... so far we didn't get any info from our client as far as topology and VLANs are concerned.

Further info will be posted once a definite answer will be gathered.

I am testing a similar situation with IDSM-2, IPS 5, and dual core IOS. If you currently have parallel equal cost routes it is important to engineer your traffic such that the IDSM-2 sees all session data over one interface (maybe with OSPF cost, if you are using OSPF) and then span that one interface (that IOS version on the 720 only supports one both-way span session) into your IDSM-2. If you have parallel equal cost routes and can't engineer your traffic (in both directions) the IDSM-2 will see only fragments of some sessions/attacks and that really makes a mess of the alerts. I suggest span because I have tried collecting all the interface traffic on the 6500 box with mls ip ids and that doesn't seem to work very well (read: using mls ip ids, one isn't able to post the same alerts that an IDSM-2 IDS 4 system in parallel sees (this could be because I have POS modules, with pure GBE you might have better luck)).
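The two capture methods discussed in this thread (SPAN for router-facing uplinks, VACL capture for a whole VLAN, and the single bidirectional SPAN session available on the Sup720 mentioned in the last reply) look like this on a native-IOS Catalyst 6500 with an IDSM-2. This is an added example, not configuration posted by anyone in the thread; the slot number (5), the uplink interface (GigabitEthernet1/1) and the VLAN number (100) are assumed placeholders and must be replaced with the real values for the chassis.

```cisco
! Added example (not from the thread). Assumes the IDSM-2 sits in slot 5;
! interface and VLAN numbers below are constructed placeholders.

! --- Option A: SPAN one router-facing uplink into the IDSM-2 ---
! The IOS train on the Sup720 supports a single "both"-direction SPAN
! session, so pick the one interface that carries both directions of the
! sessions you care about (engineer routing so it does, as the last reply
! describes); otherwise the sensor sees only one half of each flow.
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination intrusion-detection-module 5 data-port 1

! --- Option B: VACL capture of all traffic on a VLAN (e.g. ACCOUNTING = 100) ---
! The ACL selects which traffic is copied; "forward capture" keeps the
! original forwarding decision and sends a copy to capture ports.
ip access-list extended IDS-CAPTURE-ALL
 permit ip any any
!
vlan access-map IDS-CAPTURE 10
 match ip address IDS-CAPTURE-ALL
 action forward capture
!
vlan filter IDS-CAPTURE vlan-list 100
!
! Make the IDSM-2 data port a capture port and restrict it to VLAN 100,
! so it does not receive captured traffic from every VLAN in the chassis.
intrusion-detection module 5 data-port 1 capture allowed-vlan 100
intrusion-detection module 5 data-port 1 capture

! --- Verification ---
show monitor session 1
show vlan access-map
show vlan filter
```

Use only one of the two options per data port: the SPAN destination and the VACL capture configuration both claim the same IDSM-2 data port, and mixing them on one port is where "fragments of sessions" and confusing alerts tend to come from. After applying either option, compare the sensor's event stream for a known test session against what the switch reports as forwarded on that interface or VLAN to confirm both directions are reaching the module.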
