
IDSM in redundant switching environment

Muhammad.Sajid
Level 1

I have two 6500 switches/routers trunked to each other serving various devices. The two switches are installed for the purpose of redundancy and the same VLANs are configured on both. My question is related to deploying IDSM-2 blades in this environment. Can I just use a single blade in one switch and still be able to monitor the desired VLANs' traffic through VACL or SPAN/VSPAN/RSPAN, or do I need two IDSM blades, one in each switch? Has anyone deployed IDS in this environment, and what are the benefits of deploying 2 (one in each) versus 1?

3 Replies

marcabal
Cisco Employee

RSPAN is generally the method of choice for these types of configurations.

The packets from both switches can then be monitored by a single IDSM-2 in one switch.

You can also provide some redundancy by placing a second IDSM-2 in the other switch, and have both IDSM-2s monitoring the exact same traffic (each IDSM-2 is monitoring packets from both switches).

You will get duplicate alarms (one from each IDSM-2) when both are running, but it will ensure you do not miss any alarms if one of the switches should happen to go down for maintenance or power loss.

There are other deployment options, but these depend on some specifics that you will need to analyze:

Do you have asymmetric traffic?

Quite often in these types of setups, both the switches are carrying traffic at the same time, and on occasion the client traffic will go through one switch, but the server response traffic will come through the other switch. For the IDSM-2 to properly track these connections it needs to see traffic from both switches. So if asymmetric traffic patterns exist, then RSPAN needs to be used so both switches can be monitored by a single IDSM-2.

If asymmetric traffic does not exist, then the IDSM-2 does not need to monitor both switches.

You could deploy an IDSM-2 in each switch. Then, using either SPAN or VACL Capture, the IDSM-2 could monitor just the traffic flowing through the switch where it is located.

What are the traffic rates?

The IDSM-2 has an upper performance limitation of 600 Mbps. If you are forced to use RSPAN because of asymmetric traffic patterns, then you will only have the ability to monitor 600 Mbps and must choose wisely what will be RSPANed to the IDSM-2.

If you do not have asymmetric patterns then you can at least use 2 IDSM-2s (one in each switch) and possibly more (see below).

Is the traffic being routed by the switch/MSFC?

If no traffic is being routed by the switch, and you do not have asymmetric traffic patterns, then you are in luck. This is the easiest deployment scenario. You can have multiple IDSM-2s in each switch. Each IDSM-2 would be configured to monitor one or more VLANs using VACL Capture. The performance limitation is 600 Mbps times the number of IDSM-2s you purchase and can fit in the switch.

If traffic is being routed, however, you once again run into a situation where a single IDSM-2 has to monitor all of the VLANs in the switch (when using VACL Capture). There is an interaction with the routing features of the switch/MSFC which forces a single IDSM-2 (per switch, if there are no asymmetric traffic patterns) to be used to monitor all of the VLANs in that switch.

And you are now limited to the 600 Mbps limitation (or 2*600 Mbps if you place one in each switch and there are no asymmetric traffic patterns).

I have a similar situation where I have 4 Catalyst switches in a redundant topology. There are a couple of problems I'm running into:

1. Asymmetric Routing.

I understand this can be alleviated by using RSPAN to send traffic from the other switches to the switch with the IDSM-2 in it for monitoring.

2. RSPAN limitations

If I use RSPAN, I am no longer able to use my sniffer to monitor both ingress and egress traffic due to the limitations of the MSFC2.

I thought a possible solution might be to install an external appliance (4250) and use local SPAN to span the VLANs I wish to monitor to that appliance. This would still leave me a local SPAN session available for my sniffer port.

Has anyone set up something similar to this scenario? I'm also wondering if the IDS would be able to handle the issue of asymmetric routing OK, considering it is still seeing all of the traffic, just from two different sources. It appears, according to the prior post, that the IDSM-2 can handle this OK; I'm just curious if the appliance can handle it as well.

Any other caveats I'm missing?

Thank you in advance.

Some options to handle the asymmetric routing issue:

Use a single IDSM-2 in one chassis. Use port 7 of the IDSM-2 to monitor packets in the local chassis using either VACL Capture or a local SPAN session. Use RSPAN on the second chassis to copy packets to an RSPAN VLAN that is carried to the first chassis through a trunk port, and configure port 8 of the IDSM-2 to be an RSPAN destination port for that RSPAN VLAN.

If you are willing to use an Appliance, then purchase one with 2 or more sniffing interfaces (the IPS-4240 and IPS-4255 each come with 4 sniffing interfaces).

Plug one interface into the first switch and monitor with either SPAN or VACL capture.

Plug the second interface into the second switch to monitor the corresponding traffic with either SPAN or VACL capture.

This way the sensor can monitor the traffic no matter which switch it is sent across.

Marco
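As an added example (not configuration posted by anyone in this thread), here is what the single-IDSM-2 option described in the two replies above looks like on Catalyst 6500 IOS: VACL Capture feeding port 7 of the blade for the local chassis, and RSPAN from the second chassis feeding port 8. Slot number 5, VLANs 10 and 20, RSPAN VLAN 900 and the trunk interface name are assumptions chosen for the example; substitute your own values. On the 6500 IOS CLI the blade's port 7 is `data-port 1` and port 8 is `data-port 2`.

```cisco
! ===== Switch B (second chassis, no IDSM-2) =====
! RSPAN VLAN that carries copied packets across the trunk to switch A.
! Assumed values: VLAN 900 as the RSPAN VLAN, VLANs 10 and 20 monitored.
vlan 900
 name IDS-RSPAN
 remote-span
!
! Copy both directions of VLAN 10 and 20 into the RSPAN VLAN.
monitor session 1 source vlan 10 , 20 both
monitor session 1 destination remote vlan 900
!
! The inter-switch trunk must carry the RSPAN VLAN (interface name assumed).
interface TenGigabitEthernet1/1
 switchport trunk allowed vlan add 900

! ===== Switch A (first chassis, IDSM-2 assumed in slot 5) =====
! The RSPAN VLAN must also exist here so the copied frames are accepted.
vlan 900
 name IDS-RSPAN
 remote-span
!
! Port 8 of the blade (data-port 2) receives everything that switch B
! copied into VLAN 900. Together with port 7 the blade now sees both
! halves of a flow even when request and response take different switches.
monitor session 2 source remote vlan 900
monitor session 2 destination intrusion-detection-module 5 data-port 2
!
! Port 7 of the blade (data-port 1) gets local traffic via VACL Capture.
! The access map forwards normally and additionally copies matching
! packets to the capture ports.
ip access-list extended IDS-ALL
 permit ip any any
!
vlan access-map IDS-CAPTURE 10
 match ip address IDS-ALL
 action forward capture
!
vlan filter IDS-CAPTURE vlan-list 10,20
!
! Make data-port 1 a capture destination and restrict which captured
! VLANs reach it. Per the reply above, if the MSFC routes between these
! VLANs, list every routed VLAN here on the same blade rather than
! splitting them across blades.
intrusion-detection module 5 data-port 1 capture
intrusion-detection module 5 data-port 1 capture allowed-vlan 10,20
```

On the sensor side both sensing interfaces (GigabitEthernet0/7 and GigabitEthernet0/8 on the blade) are assigned to the same virtual sensor so that the two copies of a connection are correlated as one stream. The 600 Mbps figure from the first reply applies to the sum of what arrives on both ports, so the VLAN lists on switch B's RSPAN source and on the `allowed-vlan` line are where you budget that capacity. If a local SPAN session is preferred over VACL Capture for port 7, replace the access-map, `vlan filter` and `intrusion-detection module ... capture` lines with a third `monitor session` whose source is the VLANs and whose destination is `intrusion-detection-module 5 data-port 1`, keeping in mind the SPAN session limits the third post mentions.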
