04-09-2011 10:34 PM - edited 03-10-2019 05:19 AM
Dears,
We have IDSM / FWSM running in our 6500 switch. The FWSM is in transparent mode, and for the IDSM we configured one SPAN port.
Right now we have one requirement for SPAN configuration. Currently the 6500 with the current SUP has a limitation of only 2 SPAN sessions,
and we are using both: one is for the FWSM and the second one is for the IDSM.
Can anyone help and suggest another option?
Thanks.
04-10-2011 06:59 PM
When running a FWSM in a 6500, you don't need to use a SPAN session to send traffic to the FWSM. To send traffic through the FWSM, use the "firewall" set of commands in the 6500 switch configuration.
I recommend reading the section "Assigning VLANs to the Firewall Services Module" from the FWSM 4.1 Configuration Guide:
There's also an example of these commands in the "FWSM Basic Configuration Example" here:
A similar command exists for the IDSM ("intrusion-detection module"), for use in certain configurations. You can read more here, in the "Configuring IDSM-2" section of the IPS 6.1 Configuration Guide for CLI:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1030828
If nothing else, using these commands could free up the 2 available SPAN sessions for other use (such as a NAM module).
04-10-2011 09:46 PM
Hi Michael,
Thanks for the prompt reply.
The configuration I am looking for is for the IDSM; the FWSM is already configured.
We have two options to configure the IDSM in the 6500: SPAN and VACL capture.
Is there any third option available for IDSM configuration? We need one SPAN session for a monitoring tool, and there are already 2 sessions configured on the SUP.
04-10-2011 10:57 PM
FWSM already configured.
...
We need one SPAN session for a monitoring tool, and there are already 2 sessions configured on the SUP.
Actually, that's why I mentioned the FWSM configuration. You don't need to use SPAN in conjunction with the FWSM. In fact, I've never seen it used that way.
My apologies, I didn't realize the FWSM is automatically using a SPAN session, which isn't listed in the config. Well, you won't need SPAN for the IDSM, at least for most configurations.
We have two options to configure the IDSM in the 6500: SPAN and VACL capture.
Is there any third option available for IDSM configuration?
You can see the supported configurations for the IDSM-2 in the "Configuring IDSM-2" section of the IPS Configuration Guide for CLI, found here:
The options include:
Are you looking to put the IPS/IDS in "inline" mode? Or would you like to keep it as promiscuous only?
Message was edited by: Michael Crowe
04-10-2011 11:11 PM
Hi Michael,
The IDSM is in promiscuous mode. We do not want to put it inline.
04-10-2011 11:32 PM
Then you will want to use a VACL capture. The procedure can be found here:
Hope that helps.
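A minimal sketch of the VACL capture setup recommended above for a promiscuous IDSM-2, added here as an example and not taken from the thread or from the Cisco guide it refers to. The slot number (4), the VLAN IDs (10, 20) and the names IDS-CAPTURE and IDS-VACL are assumptions; substitute your own.

```cisco
! Added example. Slot 4, VLANs 10 and 20, and the names
! IDS-CAPTURE / IDS-VACL are assumed values, not from the thread.
!
! 1. Select the traffic the sensor should see.
ip access-list extended IDS-CAPTURE
 permit ip any any
!
! 2. Forward matching traffic normally and flag it for capture.
vlan access-map IDS-VACL 10
 match ip address IDS-CAPTURE
 action forward capture
!
! 3. Catch-all sequence with no match clause. If IDS-CAPTURE is later
!    narrowed, IP traffic that misses sequence 10 would otherwise be
!    dropped by the access map's implicit deny.
vlan access-map IDS-VACL 20
 action forward
!
! 4. Apply the VACL to the monitored VLANs.
vlan filter IDS-VACL vlan-list 10,20
!
! 5. Make IDSM-2 data port 1 a capture port and restrict it to the
!    same VLANs, so it only receives what the VACL flags there.
intrusion-detection module 4 data-port 1 capture
intrusion-detection module 4 data-port 1 capture allowed-vlan 10,20
```

This path consumes no SPAN session. `show vlan access-map` and `show vlan filter` confirm the map contents and the VLANs it is applied to.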