The IDSM-2 blade provides up to 600 Mbps of Intrusion Detection and Intrusion Prevention services. Just like IDS/IPS Appliance, IDSM-2 module can operate in either Promiscuous or Inline Mode (see Chapter 14 for more details). The only difference between the IDS/IPS Appliance and the IDSM-2 blade is that in version 5.0, IDS/IPS Appliance can operate in both the Inline and the Promiscuous modes, but the IDSM-2 blade can operate either one or the other. This is because the IDSM-2 module has only two sniffing interfaces, so it cannot be configured for both Inline and Promiscuous mode; it requires at least three interfaces to configure both Promiscuous and Inline mode. For the same reason, you cannot configure multiple Inline pairs on IDSM-2, which is possible on IDS/IPS Appliance. This section covers the following items that are used for the seamless operation of IDSM-2 blade:
Software and hardware requirements
Slot assignment on the switch
Front Panel indicator lights and how to use them
Installing an IDSM-2 blade on the switch
Removing an IDSM-2 blade from the switch
Ports supported on an IDSM-2 blade
Software and Hardware Requirements
There are specific hardware and software requirements on the Catalyst switch for IDSM-2 support, as follows:
Catalyst software release 7.5(1) or later with Supervisor Engine 1A with Multilayer Switch Feature Card 2 (MSFC2)
Catalyst software release 7.5(1) or later with Supervisor Engine 2 with MSFC2 or PFC2
Cisco IOS software release 12.2(14)SY with Supervisor Engine 2 with MSFC2
Cisco IOS software release 12.1(19)E or later with Supervisor Engine 2 with MSFC2
Cisco IOS software release 12.1(19)E1 or later with Supervisor Engine 1A with MSFC2
Cisco IOS software release 12.2(14)SX1 with Supervisor Engine 720
Cisco IDS/IPS software release 4.0 or later
Any Catalyst 6500 series switch chassis or 7600 router
You can use "Software Advisor" from the following link to find out the supported versions of the Catalyst 6500 switches:
Slot Assignment on the Switch
Before you select a slot on the switch, you must understand some of the restrictions for assigning the appropriate slot for the IDSM-2 module on the switch. The following list will help in determining how to select the appropriate slot for the IDSM-2 blade:
Catalyst 6503 A 3-slot chassis that reserves one slot for the Supervisor and offers two line card slots for other modules. The first slot is reserved for either the Supervisor 2 or Supervisor 720.
Catalyst 6006 and 6506 A 6-slot chassis that reserves one slot for the Supervisor and offers five line card slots for other modules. If a Supervisor 2 is used, then Slot 1 is reserved for its use. If a Supervisor 720 is used, then either slot 5 or 6 must be used for this Supervisor.
Catalyst 6509 A 9-slot chassis that reserves one slot for the Supervisor and offers eight line card slots for other modules. If a Supervisor 2 is used, then Slot 1 is reserved for its use. If a Supervisor 720 is used, then either slot 5 or 6 must be used for this Supervisor.
Catalyst 6509-NEBS-A A 9-slot chassis that reserves one slot for the Supervisor and offers eight line card slots for other modules. If a Supervisor 2 is used, then Slot 1 is reserved for its use. If a Supervisor 720 is used, then either slot 5 or 6 must be used for this Supervisor.
Catalyst 6513 A 13-slot chassis that reserves one slot for the Supervisor and offers 12 line card slots for other modules. If a Supervisor 2 is used, then Slot 1 is reserved for its use. If a Supervisor 720 is used, then either slot 7 or 8 must be used for this Supervisor.
The IDSM-2 can reside in any slot that is not reserved for the Supervisor. The IDSM-2 has been tested to work with the Supervisor 1A (with MSFC2), the Supervisor 2, and the Supervisor 720.
Cisco supports only eight IDSM-2s per chassis.
Front Panel Indicator Lights and How to Use Them
The IDSM-2 has a status indicator and a Shutdown button. Locating and understanding the meaning of different light colors is very important. Table 15-1 explains them.
Table 15-1. IDSM-2 States as Indicated by the Status Indicator
All diagnostics tests pass, so IDSM-2 is operational.
A diagnostic other than an individual port test failed.
The IDSM-2 is running through its boot and self-test diagnostics sequence, or the IDSM-2 is disabled, or the IDSM-2 is in the shutdown state.
The IDSM-2 power is off.
Installing the IDSM-2 Blade on the Switch
All Catalyst 6500 series switches support hot swapping, which lets you install, remove, replace, and rearrange modules without turning off the system power. When the system detects that a module has been installed or removed, it runs diagnostic and discovery routines, acknowledges the presence or absence of the module, and resumes system operation with no operator intervention.
To install the IDSM-2 in the Catalyst 6500 series switch, follow these steps:
Choose a slot on the Catalyst 6500 switch for the IDSM-2 blade. Note that the supervisor engine must be installed in slot 1; a redundant supervisor engine can be installed in slot 2. If a redundant supervisor engine is not required, slots 2 through 9 (slots 2 through 6 on the 6-slot chassis and slots 2 through 11 on the 13-slot chassis) are available for modules.
Hold the IDSM-2 with one hand, and place your other hand under the IDSM-2 carrier to support it.
Verify that you have correctly installed the IDSM-2 and can bring it online by executing the command show module on the switch.
Removing the IDSM-2 Blade from the Switch
You must first shut down the IDSM-2 before removing it from a Catalyst 6500 series switch. Removing the module without going through a shutdown may damage your module, or corrupt your IDS/IPS Operating System on the module. Work through the following procedure to remove the IDSM-2 blade from the Catalyst 6500 series switch:
Shut down the IDSM-2 blade by one of the following methods:
Log in to the IDSM-2 and execute the reset powerdown command to shut down IDSM-2 blade.
To shut down the module from CatOS, execute the set module shutdown module_number command.
If you are running Native IOS on the switch and want to shut down the IDSM-2 module, execute hw-module module module_number shutdown command.
As a last resort, you can press the Shutdown button on the IDSM-2 blade itself. Shutdown may take several minutes.
Verify that the IDSM-2 blade shuts down by executing the show module command on the switch. Do not remove the IDSM-2 until the status indicator is amber or off.
Carefully pull the IDSM-2 straight out of the slot, keeping your other hand under the carrier to guide it.
Ports Supported on IDSM-2 Blade
Eight ports appear to the switch for each IDSM-2 blade. This can be verified by executing command show port IDSM_Module_Slot_Number in CatOS. Example 15-1 shows eight ports on the module on CatOS:
Example 15-1. Ports Appearing on the Switch Running CatOS
Console> (enable) show port 2 * = Configured MAC Address Port Name Status Vlan Duplex Speed Type ----- -------------------- ---------- ---------- ------ ----- ------------ ! Port 2/1 is the TCP reset interface. This interface should be in the same VLAN as the ! sniffing interface 2/1 connected trunk full 1000 Intrusion Detection ! Port 2/2 is the Command and Control Interface 2/2 connected 251 full 1000 Intrusion Detection 2/3 disable 1 full 1000 Intrusion Detection 2/4 disable 1 full 1000 Intrusion Detection 2/5 disable 1 full 1000 Intrusion Detection 2/6 disable 1 full 1000 Intrusion Detection ! Ports 2/7 and 2/8 are the Sniffing Interfaces 2/7 monitor trunk full 1000 Intrusion Detection 2/8 connected trunk full 1000 Intrusion Detection Console> (enable)
The IDSM-2 module uses the following four IP ports:
Command and control port IDSM-2 uses GigabitEthernet0/2 interface as the command and control port that contains the IP address. If you are running CatOS, this is identified as port slot/2. In Example 15-1, 2/2 is the command and control port for the blade seated in slot 2. If you are running Native IOS, this port is identified as a management port, which is internally mapped to slot/2 port. Hence, on the 6K, set this port to a VLAN appropriate to the IP address you give the sensor. Try to avoid using VLAN 1, which is the default.
Capture/Sniffing Ports The module has two sniffing ports that are seen by the switch as ports 7 and 8. In Example 15-1, these ports are 2/7 and 2/8. If you are running Native IOS, these ports are identified as data-port 1 and 2. Data-port 1 is internally mapped to slot/7, and data-port 2 is mapped to slot/8 on the Native IOS switch. On the IDSM-2 blade, these ports are identified as GigabitEthernet0/7 and GigabitEthernet0/8 respectively. If you are using Inline mode, these two ports should be in two different VLANs. In Promiscuous mode, you can use either Switched Port Analyzer (SPAN) or Virtual Access Control List (VACL) to direct traffic to these ports. As the ports are Gigabit ports, and IDSM-2 blade cannot handle more than 600 mbps traffic, it is not necessary to use both ports in Promiscuous mode.
Reset Port In CatOS, port slot/1 is used for reset. Remember that the reset port must be assigned to the same VLAN as the sniffing port(s) to perform the TCP resets.