Hi

Pls let me know if is there any limitation

Regards,

Jatin

Hi

This is really a very useful information.

I have gone through the documents and mls ip ids commands monitor incoming traffic.

I am planning like this. I am going to apply IOS firewall(ip inspect rule) on my two server vlans and will apply mls ip ids command. Which will monitor the traffic coming from the server vlan.

On the other vlans i am going to configure VACL which will capture traffic from the other vlans.

IS THERE ANY SPECIFIC REASON/LIMITATION TO USE ONLY ONE CAPTURE PORT.

Regards,

Jatin

The biggest issue is to make sure that one sensor (IDSM-2) is receiving both the client and server packets.

The second issue is to try and reduce any duplicate packets being copied to the sensor (sometimes you can't, and have to just deal with it).

In your scenario the server traffic is being marked for capture by the mls ip ids command on the server vlans, but the actual server packets could technically be captured on both the server and client vlans. This is because of an interaction with routing.

The first packet in a connection is often captured on the same vlan where the mls ip ids or VACL was applied. But additional packets are usually captured on the vlan where they exit the switch. This is because mls (also known as fast switching) happens in hardware for additional packets. It will combine the VACLs from both vlans, Router ACLs from the MSFC, and the mls ip ids command into a single hardware implemented ACL on the PFC. The packet comes into the switch and goes to the PFC. The PFC marks it for capture and sends it to the other vlan (vlan being routed to) at the same time. So the packet is a capture packet for the vlan where it is leaving the switch.

The opposite will hold true for the client packets. The intial packets (like the SYN) will be captured on the client vlan, but additional packets will be captured on the server vlan.

The mls ip ids command sometimes even throws a monkey wrench in. Because some of the ip inspect rules are implemented in software and not hardware (not PFC). In which case those packets could still wind up captured on the original vlan instead of the vlan leaving the switch.

The end result is that one sensor has to see captured traffic on both the server and client vlans.

(In your case the 2 server vlans, and all the client vlans).

Some users will want to split up the vlans, and have one sensor monitor a few, and a second sensor monitor others. The problem with this is that the client vlans could have clients talking to both server vlans. So a sensor trying to monitor one server vlan has to monitor ALL of the client vlans. It will see the packets for the servers it is monitoring, but it will also see half the packets for the servers in the other vlan. These half of the packets can wind up having a severe performance hit on the sensor if it doesn't see the other half of the packets. The sensor tries tracking the state of the TCP Sessions, and winds up with these half open TCP Sessions that consume CPU and memory to monitor.

The same will be true for a sensor that tries to monitor just the other server vlan and has to, therefore, monitor all the client vlans.

So the best scenario is to monitor all of the vlans with a single sensor.

Some users will want to have redundancy and have 2 sensors monitor the same traffic. This works fine. Have both sensors monitor all of the vlans.

If a sensor has more than one sniffing interface, some users like to split monitoring over the interfaces.

For example with the IDSM-2 in your case, you could setup port 7 to monitor the server vlans, and setup port 8 to monitor the client vlans. The single sensor (IDSM-2) would be receiving both sides of the connections (one side on each port), and that would work just fine.

What you want to AVOID, however, is having port 7 and port 8 getting duplicate traffic. TO do this you want to ensure that you remove ALL vlans except the server vlans on port 7, and remove ALL vlans except the client vlans on port 8. This way you won't have port 7 and 8 capturing packets from the same vlan.

I generally recommend using just port 7 and disabling port 8 in the sensor's configuration. It makes it easier to configure since only one port has to be setup. And port 7 can handle a GBPS which is more than enough for the IDSM-2 which has a monitoring performance limit of 650 MBPS.

Hi

In my senario the each client vlan is talking to the server vlans as well as other client vlans.

I am planning to configure my IDSM2 in following way to avoide duplicate packets to be captured. Need your inputs also.

1. As you suggested will enable only one port(port-7) as a capture port for all the vlans and this port will be the member of all the vlans.

2.I will configure separate VACL for each client VLAN. In VACL source will be the client VLAN subnet and destination will be any.

In this way traffic will be captured only initiating from the client vlan.

3. I will give mls ip ids command on the server vlan as ip inspect rule is applied on the server vlan. Here traffic initiating from the server vlan will be captured.

Pls. suggest me if i am missing something.

Your inputs will help me a lot to configure the IDSM2 in the proper way.

Regards,

Jatin

Hi

This is really a good suggestion.

But i think it will not capture the packets if there is any attack within the server vlan itself.

If possible please send me some useful links to get the more detail about IDSM2. Like how it usees its disk space, events storage capacity etc.

Regards,

Jatin

The User Guides are located here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/index.htm

In the next revisions of the docs (being posted to the above link in a few weeks) will have an architecture section that should discuss the sensors in more detail.

Until then I can try to answer a few of your questions.

The IDSM-2 has both a compact flash and a harddrive. The compact flash is used for the maintenance partition. The hard drive is used for application partition.

The hard drive contains more than enough space for storing the operating system files, the IDS application files, and storage for alarms and IP Log data.

Events (alerts as well as error and status messages) are stored in a large circular buffer file (you can think of it as a database) called the EventStore. The EventStore is 4 Gigs in size. When the EventStore fills up the sensor will automatically over write the oldest events with the new events so there is no need for the user to do any management of the events on the sensor itself. (Unlike some of our older version appliances).

There is a "clear events" command to mark all old events as deleted. This doesn't necessarily clean up the used disk spaced, it just tells the eventStore to ignore those alarms.

IP Logs are logs of binary packets captured by the sensor for later analysis by the user. The IP Log storage is limited to 512 Meg. The IP Log data is stored in a 512 Meg array of buffer files. When the 512 Meg is filled, the new IP Log data will automatically overwrite the oldest IP Log data.

There is no method at this time to delete the IP Log data.

All the disk space is managed by the sensor, so there is no need for the user to manually manage the sensor's files, and in fact attempting to do so could cause problems on the sensor.

Hi

If i have applied mls ip ids command on my interface without enabling ip inspect still IDS will capture the packet and send me the logs ?

As per documentation we should use mls ip ids when we have enable ip inspect on the interface.

I have given mls ip ids command on my interface without enableing ip inspect and i was getting alarms for 3 days after that alarms are not coming.

I am confused here that why the alamrs were coming ?

If i need to check through CLI whether idsm2 is generating alamrs what is the command for that.

Regards,

Jatin