syedaltaf.shah
Beginner

SPAN Configuration for IDSM

Dears,

We have IDSM / FWSM running in our 6500 Switch, the FWSM is in transparent mode and for IDSM we configured one SPAN Port.

Right now we have one requirement for SPAN configuration. Currently the 6500 with the current SUP has a limitation of only 2 SPAN sessions,

And we are using both, one is for FWSM and the second one for IDSM.

Can anyone help and suggest another option?

Thanks.

5 REPLIES
mikecrowe4ICS_2
Beginner

When running a FWSM in a 6500, you don't need to use a SPAN session to send traffic to the FWSM.  To send traffic through the FWSM, use the "firewall" set of commands in the 6500 switch configuration.

I recommend reading the section "Assigning VLANs to the Firewall Services Module" from the FWSM 4.1 Configuration Guide:

http://www.cisco.com/en/US/customer/docs/security/fwsm/fwsm41/configuration/guide/switch_f.html#wp1175820

There's also an example of these commands in the "FWSM Basic Configuration Example" here:

http://www.cisco.com/en/US/customer/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml#sw

A similar command exists for the IDSM ("intrusion-detection module"), for use in certain configurations.  You can read more here, in the "Configuring IDSM-2" section of the IPS 6.1 Configuration Guide for CLI:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1030828

If nothing else, using these commands could free up the 2 available SPAN sessions for other use (such as a NAM module).

Hi Michael,

Thanks for prompt reply.

The configuration I am looking for is for IDSM; FWSM is already configured.

We have two options to configure IDSM in 6500, SPAN and VACL Capture.

Is there any third option available for IDSM configuration? We need one SPAN session for some monitoring tool, and there are already 2 sessions configured in the SUP.

FWSM already configured.

...

We need one SPAN session for some monitoring tool, and there are already 2 sessions configured in the SUP.

Actually, that's why I mentioned the FWSM configuration. You don't need to use SPAN in conjunction with the FWSM. In fact, I've never seen it used that way.

My apologies, I didn't realize the FWSM is automatically using a SPAN session, which isn't listed in the config.  Well, you won't need SPAN for the IDSM, at least for most configurations.

We have two options to configure IDSM in 6500, SPAN and VACL Capture.

Is there any third option available for IDSM configuration?

You can see the supported configurations for the IDSM-2 in the "Configuring IDSM-2" section of the IPS Configuration Guide for CLI, found here:

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030694

The options include:

  • SPAN
  • VACL Capture
  • EtherChannel Load Balancing (ECLB) with VACL Capture
  • Inline Interface Pairs
  • ECLB with Inline Interface Pairs
  • Inline VLAN Pairs
  • ECLB with Inline VLAN Pairs

Are you looking to put the IPS/IDS in "inline" mode?  Or would you like to keep it as promiscuous only?

Message was edited by: Michael Crowe

Hi Michael,

IDSM is in promiscuous mode. We do not want to put it inline.

Then you will want to use a VACL capture.  The procedure can be found here:

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828

Hope that helps.
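The VACL capture approach recommended above, written out as a Cisco IOS configuration sketch for the Catalyst 6500. This is an added example, not configuration from the thread or from Cisco's guide; the IDSM slot (5), data port (1), monitored VLANs (10 and 20) and the CAPTURE_IDSM name are assumptions.

```cisco
! --- Constructed example; not from the thread or from Cisco's guide.
! Assumptions (not from the page): IDSM-2 in slot 5, data-port 1,
! monitored VLANs 10 and 20, ACL / access-map name CAPTURE_IDSM.
!
! (A) The SPAN approach the original poster is using. It consumes one of
!     the SUP's two SPAN sessions.
monitor session 1 source vlan 10 , 20 both
monitor session 1 destination intrusion-detection-module 5 data-port 1
!
! (B) VACL capture: matching traffic is copied to the IDSM data port
!     without a SPAN session, so session 1 is freed for the monitoring tool.
no monitor session 1
!
! ACL defining what to copy (here: all IP traffic on the filtered VLANs).
ip access-list extended CAPTURE_IDSM
 permit ip any any
!
! Sequence 10: forward matching IP packets and copy them to capture ports.
vlan access-map CAPTURE_IDSM 10
 match ip address CAPTURE_IDSM
 action forward capture
! Sequence 20: no match clause, so everything else (e.g. non-IP frames)
! is still forwarded instead of hitting the access map's implicit deny.
vlan access-map CAPTURE_IDSM 20
 action forward
!
! Apply the access map to the VLANs to be monitored.
vlan filter CAPTURE_IDSM vlan-list 10,20
!
! Make the IDSM data port a capture destination, limited to those VLANs.
intrusion-detection module 5 data-port 1 capture
intrusion-detection module 5 data-port 1 capture allowed-vlan 10,20
!
! Verification (exec mode):
! show vlan access-map CAPTURE_IDSM
! show vlan filter access-map CAPTURE_IDSM
```

Because the VACL is applied to the VLAN itself, review the access map before applying it: a map that only matches IP traffic and has no catch-all forward entry will drop the frames it does not match.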
