07-11-2003 10:14 AM - edited 03-09-2019 04:00 AM
I recently received an IDSM-2 blade for my Cat6K. One setup problem I had was I couldn't find documentation anywhere on how the sensor ports are used. I'm posting this note in the hope it saves someone else some time.
The IDSM-2 blade appears to the 6K to have 8 ports:
Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
 6/1                       connected  trunk        full  1000 Intrusion De
 6/2                       connected  251          full  1000 Intrusion De
 6/3                       disable    1            full  1000 Intrusion De
 6/4                       disable    1            full  1000 Intrusion De
 6/5                       disable    1            full  1000 Intrusion De
 6/6                       disable    1            full  1000 Intrusion De
 6/7                       monitor    trunk        full  1000 Intrusion De
 6/8                       connected  trunk        full  1000 Intrusion De
Port x/2 is the command and control port. On the 6K, set this port to a VLAN appropriate to the IP address you give the sensor. Don't use VLAN 1, which is the default. Ports x/7 and x/8 are the sniffing ports. Use either SPAN or VACL to direct traffic to these ports. x/7 is active by default; I'm not sure about x/8. Note that x/7 and x/8 by default have all VLANs set, so they can listen to anything you send them. (You don't really need two sniffer ports; there are two because of the blade's architecture.)
Lastly, I'm told that x/1 is used to send TCP reset packets. Again, it has all VLANs set by default, so it can pick the correct one. This use of x/1 differs from what I heard earlier in the week at Networkers 2003, so I'd appreciate if someone could confirm it.
/Chris Thomas, UCLA
07-11-2003 06:31 PM
Hi Chris,
You are right. Good info.
The CIDS module uses the following 4 IP ports: a command and control port, 2 capture ports and a reset port. The c&c interface is on port 2, and the module has two sniffing ports that are seen by the switch as ports 7 and 8.
Starting with version 4.1, the multiple sniffing interface capability will be introduced, so ports 7 and 8 can actually be used to sniff 2 different segments.
Port 1 is used for reset. The important point is that the reset port must be assigned to the same VLAN as the sniffing port(s) in order to perform the TCP resets.
Thanks,
yatin
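The port roles described in this thread can be checked against saved `show port` output. The following is an added example, not part of either post and not Cisco code; the function names, the status keywords in the regular expression and the sample text are assumptions built from the listing quoted above.

```python
import re

# Port roles on the blade as described in the thread (x = slot number).
RESET, CONTROL, SNIFF = 1, 2, (7, 8)
# Status keywords are an assumption taken from the output quoted in the post.
ROW = re.compile(r"^\s*\d+/(\d+)\s+.*?\b(connected|monitor|disabled?|notconnect)\s+(\S+)")

# Constructed sample: the `show port` listing from the first post.
SAMPLE = """\
Port Name Status Vlan Duplex Speed Type
6/1 connected trunk full 1000 Intrusion De
6/2 connected 251 full 1000 Intrusion De
6/3 disable 1 full 1000 Intrusion De
6/7 monitor trunk full 1000 Intrusion De
6/8 connected trunk full 1000 Intrusion De
"""

def parse_show_port(text):
    """Return {port_number: (status, vlan)} for every port row in the text."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3))
    return ports

def audit(text):
    """Return a list of findings; an empty list means the layout matches the thread."""
    ports, findings = parse_show_port(text), []
    ctl_vlan = ports.get(CONTROL, ("missing", "?"))[1]
    if ctl_vlan in ("1", "trunk"):
        findings.append(f"x/{CONTROL} (command and control) is on '{ctl_vlan}', not a dedicated VLAN")
    reset_vlan = ports.get(RESET, ("missing", "?"))[1]
    for port in SNIFF:
        status, vlan = ports.get(port, ("missing", "?"))
        if status == "missing" or status.startswith("disable"):
            continue  # an unused sniffing port needs no reset coverage
        # `show port` only says "trunk"; which VLANs the trunk carries is not checked here.
        if reset_vlan != "trunk" and reset_vlan != vlan:
            findings.append(f"x/{RESET} (reset) VLAN '{reset_vlan}' does not cover x/{port} ('{vlan}')")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

A reset port left as a trunk passes this check because the listing does not show which VLANs the trunk carries; that has to be confirmed separately on the switch.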