Capturing Network Traffic for the Catalyst 6000 IDS Module
The Catalyst 6000 IDS Module is an actual line card that you install in your Catalyst 6000 family switch. This 100Mb Cisco IDS sensor utilizes a monitoring port that captures traffic directly off of the switch's backplane. You must, however, configure your Catalyst 6000 family switch to send the appropriate network traffic to this monitoring port. When deciding how you plan to capture network traffic, you have a choice between two options:
- Switched Port Analyzer (SPAN) ports
- Virtual LAN (VLAN) access control lists (ACL) or VACLs
Each of these techniques enables you to pass network traffic to your IDS Module for analysis. The VACL feature, however, provides a much more robust capability to specify the type of traffic that will be passed to your IDS Module. We will examine each of the options separately, beginning with the SPAN port feature.
SPAN Port Feature
To configure Switched Port Analyzer (SPAN) ports, you need to use the set span switch command. The format for this command is as follows:
set span src_mod/src_ports | src_vlan dest_mod/dest_port tx | rx | both create
Using the set span command, you can configure your switch to direct traffic from either specific ports or from a specific VLAN to a specific destination port. The destination port will be the monitoring port on your Catalyst 6000 IDS Module. Besides limiting the traffic to specific ports or a specific VLAN, you also have the option of limiting traffic based on the direction that the traffic is flowing. Your traffic direction options are the following:
- tx—Capture only traffic coming from a specified source
- rx—Capture only traffic going to a specified source
- both—Capture traffic going to and from the source
Suppose you install your Catalyst 6000 IDSM into the fifth slot on your Catalyst chassis. Port 1 on your IDSM is the monitoring port, and port 2 is the command and control port. Therefore, if you want the IDSM to examine all of the network traffic to and from VLAN 150, the command would be the following:
set span 150 5/1 both
One of the drawbacks of using SPAN with the both parameter, however, is that the same packet can potentially be sent to your monitoring port twice—once when it leaves a port, and once when it enters another port. This can cause problems with certain signatures. Whether the SPAN port will receive two copies of a packet is dependent on the type of supervisor engine installed on your Catalyst 6000 family switch.
Each time that you create a SPAN port, you associate either a source port or VLAN with a destination port. This association is known as a SPAN session. The number of SPAN sessions available is very limited: you can have a total of only six SPAN sessions. Of these six, four can be tx (transmit), and the remaining two can be either rx (receive) or both (transmit and receive). The limited number of SPAN sessions available is a major drawback to utilizing SPAN ports to capture your network traffic.
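The following planning helper is an added example, not code from the book or from Cisco: it builds set span commands in the format shown above and checks a proposed list of sessions against the six-session limit (four tx, two rx/both) before anything is typed into the switch. The IDSM monitoring port 5/1, the sample source specifications and the optional create keyword handling are assumptions for illustration.

```python
"""Plan CatOS SPAN sessions feeding a Catalyst 6000 IDSM monitoring port.

Added example (not from the book). Limits below are the ones stated in
the text: six sessions total, of which at most four are tx and at most
two are rx or both.
"""
from dataclasses import dataclass

MAX_SESSIONS = 6
MAX_TX_SESSIONS = 4
MAX_RX_OR_BOTH_SESSIONS = 2
VALID_DIRECTIONS = ("tx", "rx", "both")


@dataclass(frozen=True)
class SpanSession:
    source: str     # a VLAN such as "150" or a port range such as "3/1-4"
    direction: str  # "tx", "rx" or "both"

    def __post_init__(self):
        if self.direction not in VALID_DIRECTIONS:
            raise ValueError(f"unknown SPAN direction {self.direction!r}")

    def command(self, dest_port: str, create: bool = False) -> str:
        """Render the set span command; 'create' is appended only if asked."""
        cmd = f"set span {self.source} {dest_port} {self.direction}"
        return cmd + " create" if create else cmd


def plan_span_sessions(sessions, dest_port="5/1", create=False):
    """Return (commands, warnings) or raise ValueError if limits are exceeded.

    dest_port defaults to 5/1: IDSM in slot 5, port 1 is the monitoring port
    (assumed layout, matching the text's example).
    """
    tx = sum(1 for s in sessions if s.direction == "tx")
    rx_or_both = len(sessions) - tx
    if len(sessions) > MAX_SESSIONS:
        raise ValueError(f"{len(sessions)} sessions requested, max {MAX_SESSIONS}")
    if tx > MAX_TX_SESSIONS:
        raise ValueError(f"{tx} tx sessions requested, max {MAX_TX_SESSIONS}")
    if rx_or_both > MAX_RX_OR_BOTH_SESSIONS:
        raise ValueError(f"{rx_or_both} rx/both sessions requested, "
                         f"max {MAX_RX_OR_BOTH_SESSIONS}")
    # 'both' can deliver the same packet twice to the monitoring port,
    # depending on the supervisor engine; flag it so the operator knows.
    warnings = [f"{s.source}: 'both' may send duplicate packets to {dest_port}"
                for s in sessions if s.direction == "both"]
    return [s.command(dest_port, create) for s in sessions], warnings
```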