[c-nsp] Basic configuration IDSM-2

Ruben Montes (EU) Ruben.Montes at eu.didata.com
Tue Jul 25 06:09:12 EDT 2006


Hello,

I have some experience with sensors but this is my first time
configuring a C6500 with IDSM-2, and I have some design questions. The
first question is this: can I mix the use of VACL and SPAN to capture
traffic in the same configuration?

The customer is actually using VACL to capture traffic from some machines,
but he now wants to monitor all the traffic that comes from an external
partner through a VPN concentrator, so I assume for this case I should
use SPAN to monitor the VPN's port: am I right?

The config that the customer has is more or less the following:

intrusion-detection module 1 data-port 1 capture
intrusion-detection module 1 data-port 1 capture allowed-vlan 1
intrusion-detection module 1 data-port 2 capture allowed-vlan 1

vlan access-map ids 10
 match ip address in
 action forward capture
vlan access-map ids 20
 match ip address out
 action forward

vlan filter ids vlan-list 1

ip access-list extended in
 permit ip any host 192.168.1.1
 permit ip host 192.168.1.1 any
 ...
ip access-list extended out
 permit ip any any

If I want to use SPAN, what is the limitation on the number of source
ports I can put in the "monitor session" command?
Should I send this "span" traffic to sensing interface 8 (data-port
2), or can I still send it to data-port 1 (sensing interface 7)?
Why are there two sensing interfaces?


Thanks in advance...

Ruben
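Added illustration, not part of Ruben's post or of any reply: a Cisco IOS fragment that puts the two capture paths he describes side by side, the existing VACL capture on VLAN 1 feeding IDSM-2 data-port 1, and a SPAN session feeding data-port 2 from the switch port the VPN concentrator is attached to. Slot 1, VLAN 1, the access-map name and the 192.168.1.1 host are taken from the customer config above; GigabitEthernet3/1 as the concentrator's port is an assumed placeholder, and the exact "monitor session ... destination intrusion-detection-module" form should be checked against the IOS release running on the switch.

```text
! --- VACL path (as in the customer config): VLAN 1 traffic matching ACL "in"
!     is forwarded and copied to the IDSM-2 capture port, data-port 1 in slot 1
intrusion-detection module 1 data-port 1 capture
intrusion-detection module 1 data-port 1 capture allowed-vlan 1

vlan access-map ids 10
 match ip address in
 action forward capture
vlan access-map ids 20
 match ip address out
 action forward
vlan filter ids vlan-list 1

ip access-list extended in
 permit ip any host 192.168.1.1
 permit ip host 192.168.1.1 any
ip access-list extended out
 permit ip any any

! --- SPAN path (added here, assumed interface name): mirror the VPN
!     concentrator's switch port in both directions to data-port 2 of the
!     IDSM-2 in slot 1, so the partner traffic is seen on a separate
!     sensing interface from the VACL-captured VLAN 1 traffic
monitor session 1 source interface GigabitEthernet3/1 both
monitor session 1 destination intrusion-detection-module 1 data-port 2

! --- Checks after applying
show vlan access-map ids
show vlan filter
show monitor session 1
```

Keeping the VACL capture and the SPAN session on different data ports lets each feed be verified on its own (VLAN 1 copies on sensing interface 7, the mirrored concentrator port on sensing interface 8) before the sensor's virtual sensor is pointed at both. The "show monitor session 1" output should list the source port and the IDSM-2 data port as destination; if the destination line is missing, the session was not accepted and the syntax above needs to be checked on that IOS version.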
