710 Views, 0 Helpful, 5 Replies

IDSM

niglio (Level 1)

I know that the IDSM occupies a slot on a Catalyst 6000 and permits monitoring traffic on a monitoring port directly on the backplane.

So my questions are:

- Do I have any limits on SPAN sessions, as I only have one destination port?

- Can I monitor different types of port (trunk port, promiscuous port, community or isolated)?

- Can I put more IDSMs on the same Catalyst and in any way increase the detection capability, using these switches in parallel?

5 Replies

k.poplitz (Level 3)

Network traffic reaches the IDSM in one of two ways: traffic is copied to the IDSM based on security VLAN access control lists (VACLs), or traffic is routed to the IDSM via the switch's Switched Port Analyzer (SPAN) port feature. Users can thus specify traffic to be inspected based on switch ports, VLANs, or traffic type. Remember, the IDSM requires Catalyst Operating System Version 6.1(1) or higher.

The following documents will help answer your questions

1) Data Sheet: Catalyst 6000 Intrusion Detection System Module

http://www.cisco.com/warp/customer/cc/pd/si/casi/ca6000/prodlit/6kids_ds.htm

2) Catalyst 6000 Intrusion Detection System Module Installation and Configuration Note

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_1/10890_02.htm

3) Catalyst 6000 Intrusion Detection System Module

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/

william.ho (Level 1)

1) The limit is around 120M worth of traffic into your capture port.

2) You can monitor/capture traffic via the VACL or SPAN command. By default the capture is put onto the trunk port, so you will capture everything. If you want to capture only certain ports, set up a VACL mapping to different VLANs or SPAN certain ports only. You may also want to prune the other VLANs off the capture port.

3) Max of 2 IDSMs in a switch.

Small correction. You can place more than 2 IDSMs into a switch.

You can technically place an IDSM into every available slot in the switch (max of 12 IDSMs in a 6513 in other words).

The real issue isn't the max number of IDSMs, but that max number of ways to send traffic to the IDSM.

If you are just using SPAN, then in general you are limited to 2 SPAN sessions (therefore 2 IDSMs). NOTE: There are some SPAN scenarios where more than 2 SPANs can be used - reference the Cat 6K SPAN documentation.

If you are using VACL Capture and have an MSFC that is doing routing, then a single VACL Capture port (one IDSM) has to be used to monitor all of the VLANs being routed because of interactions between VACL Capture and the MSFC routing features.

If you are using VACL Capture and do not do routing with the MSFC, then you can have a separate VACL Capture port for every VLAN, or have each VACL Capture port monitor a group of VLANs. So in this scenario you could theoretically have 12 different groups of VLANs, and 12 IDSMs in a Cat 6513 with each IDSM monitoring a different VLAN group. The limitation is that each VLAN group would have to have only about 100Mbps of traffic being captured.

NOTE: In most deployments the IDSM will only be able to monitor packets that travel through the switch on which it is deployed (with either SPAN or VACL Capture). If you want to monitor packets from other switches then you will have to use RSPAN to monitor the packets (only one RSPAN session is supported).

I wonder if there is any way to put more than one IDSM with VACL Capture when I am using the MSFC for routing. Is it a technical limit? Why can't I do this?

The sensor needs to see both client packets and server packets to properly construct TCP streams. Without seeing both sides of the connection the sensor cannot alarm properly. This is the big issue, since the sensor will generate false alarms in some cases and not generate some alarms when there is a real attack.

Also, each time a connection is opened, the sensor will keep it in memory until the connection is shut down or until an internal timer times out. If the sensor sees only half the connection it sometimes cannot tell when the connection is shut down, so it winds up keeping the connection in memory until the internal timer runs out. This can result in large numbers of closed connections still being tracked in active memory by the sensor and can slow sensor performance.

When the MSFC is involved with VACL Capture, the packets get marked for capture on the VLAN where they leave the switch.

So the client packets get captured on the server VLAN, and the server packets get captured on the client VLAN.

Therefore, the sensor has to monitor both of the VLANs to see the entire session.

Only monitoring one VLAN would leave the sensor monitoring only half the session, which leads to the problems I described above.

If the MSFC is routing between 20 VLANs then the sensor has to monitor all 20 VLANs.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/13074_04.htm#xtocid29

So you could use multiple IDSMs, but for the IDSMs to monitor properly and not experience performance issues, each IDSM would have to monitor all the VLANs being routed by the MSFC, resulting in all the IDSMs seeing the exact same traffic.

Without the MSFC the server VLAN and client VLAN are the same VLAN, so when there is no MSFC you can use a separate IDSM for each VLAN.

There is one situation where one IDSM monitors with VACL Capture on all the VLANs being routed by the MSFC, and a second IDSM is deployed but the second IDSM uses SPAN instead of VACL Capture.