Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1137
Views
5
Helpful
1
Replies

Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port

pslavkovsky
Level 1
Level 1

‎11-23-2010 01:24 AM - edited ‎03-10-2019 05:11 AM

Hi all

I have 2 switches Cat6509E. each with IDSM module

I have on first switch this commands

intrusion-detection module 7 data-port 1 capture
intrusion-detection module 7 data-port 2 capture
intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66
intrusion-detection module 7 data-port 2 capture allowed-vlan 68,70,74,134,145

And when I trying to put the same on second switch I will get this error message

Intrusion-detection-module 7 data-port 2:  Capture not allowed on a SPAN destination port

What does it mean?

Output "sh monitor" is the same on both switches

Session 1
---------
Type                   : Service Module Session
Modules allowed        : 1-9
Modules active         : 1,7
BPDUs allowed          : Yes


Session 2
---------
Type                   : Local Session
Source VLANs           :
    Both               : 4
Destination Ports      : analysis-module 8 data-port 1

Peter

Labels:
0 Helpful
1 Reply 1

Justin Teixeira
Level 1
Level 1

‎11-23-2010 05:20 AM

Hi Peter,

     The first switch that you mention is configured (judging from the "intrusion-detection" commands) to use the VACL capture method of sending traffic to the IDSM-2 for inspection.  You can read about this method here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828

In short, you configure a VACL to define the traffic you want to capture and apply it to the appropriate VLANs.  When traffic matches the VACL, it's copied to the IDSM-2 ports that have been configured with the "intrusion-detection module 7 data-port 1  capture" commands.

On the second switch it appears that there is a monitor session setup SPANing traffic to the IDSM-2 port.  This is an alternative method of sending trafic to the IDSM-2 for inspection and is mutually exclusive with the VACL method on a particular IDSM-2 interface.  You can read about the SPAN method here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030816

This method, in short, simply involves configuring a SPAN session with the IDSM-2 interface as the desination.


You'll need to choose one method or the other for configuring the second switch.  If you want it to match the configuration on the first switch, simply remove the monitor (SPAN) session that's currently configured.

Best Regards,

Justin

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card