VACL

Dear all,

Please advise on the below.

Say in VLAN 3 I have hosts 10.1.1.1 and 10.1.1.2. I applied the VLAN filter as below. According to the Cisco documentation for VACLs, even if there is a deny for the host, it always checks the next sequence, and if there is a permit any for IP further down it will still allow the traffic. Can someone please advise if my interpretation is correct?

Can the two hosts communicate with each other?

vlan access-map test 10
 match ip address test
 action forward

vlan filter test vlan-list 3

And my access list is as below:

ip access-list extended test
 deny ip any any
 permit ip any any

Thank you

It's been a while since I looked at these, but I'm sure someone will correct me if I'm wrong.

That said, the logic is a bit like route-map logic, i.e. it is not always intuitive :-)

The match clause in the first sequence is checked, and the first "deny ip any any" in the ACL matches the traffic.

Because it is a deny and not a permit, it simply moves on to the next sequence.

Note that it moves on to the next sequence, not to the next entry in the ACL of the first match clause, because it has already found a match in the ACL.

This is what the documentation means when it says it checks the next sequence.

But you do not have another sequence and there is an implicit deny at the end, so it should be dropped.

If you created another sequence that just had a forward action it would be OK.

Jon
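As an added example (not from this thread or from Cisco), here is a small Python model of the sequence-and-ACL evaluation Jon describes, run against the configuration in the question and against the extra-sequence fix; it also goes beyond the question to show the "forward capture" action used in the IDSM threads below. The 10.1.0.0/16 client network, the port numbers and the 192.0.2.x addresses in the sample traffic are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Rules modelled (the VACL behaviour Jon describes above):
#  * access-map sequences are evaluated in order;
#  * within a sequence the referenced ACL is searched top-down and the first
#    matching ACE decides: 'permit' = the sequence matches and its action
#    applies; 'deny' (or no matching ACE) = the sequence does NOT match and
#    evaluation moves to the NEXT SEQUENCE, not to the next ACE;
#  * if no sequence matches, the packet is dropped (implicit deny).

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One ACL entry, e.g. 'permit tcp 10.1.0.0 0.0.255.255 any eq 80'."""
    permit: bool
    proto: str                   # 'ip' matches any protocol; else 'tcp', 'udp', ...
    src: IPv4Network
    dst: IPv4Network
    src_port: int | None = None  # None = any port
    dst_port: int | None = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    src_port: int | None = None
    dst_port: int | None = None


def pkt(proto: str, src: str, dst: str, sport: int | None = None,
        dport: int | None = None) -> Packet:
    """Convenience constructor for sample traffic."""
    return Packet(proto, IPv4Address(src), IPv4Address(dst), sport, dport)


def wildcard(addr: str, mask: str = "0.0.0.0") -> IPv4Network:
    """IOS 'address wildcard' pair -> network (contiguous wildcards only)."""
    netmask = 0xFFFFFFFF ^ int(IPv4Address(mask))
    return IPv4Network((addr, str(IPv4Address(netmask))), strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if pkt.src not in ace.src or pkt.dst not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port


def acl_lookup(acl: list[Ace], pkt: Packet) -> bool | None:
    """First matching ACE decides: True = permit, False = deny, None = no match."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.permit
    return None


def vacl_action(access_map: list[tuple[list[Ace], str]], pkt: Packet) -> str:
    """access_map: ordered (acl, action) sequences with action in
    {'forward', 'forward capture', 'drop'}. Returns the action applied."""
    for acl, action in access_map:
        if acl_lookup(acl, pkt) is True:
            return action
        # deny or no match in this ACL: go to the next SEQUENCE, not the next ACE
    return "drop (implicit)"


# The configuration from the question, transcribed:
#   ip access-list extended test      vlan access-map test 10
#    deny ip any any                   match ip address test
#    permit ip any any                 action forward
ACL_TEST = [Ace(False, "ip", ANY, ANY), Ace(True, "ip", ANY, ANY)]
OP_MAP = [(ACL_TEST, "forward")]

# Jon's fix: a second sequence with only 'action forward'. A sequence with no
# match clause matches everything, modelled here as 'permit ip any any'.
JON_MAP = OP_MAP + [([Ace(True, "ip", ANY, ANY)], "forward")]

HOST_A_TO_B = pkt("ip", "10.1.1.1", "10.1.1.2")


def op_result() -> str:
    return vacl_action(OP_MAP, HOST_A_TO_B)    # 'drop (implicit)'


def jon_result() -> str:
    return vacl_action(JON_MAP, HOST_A_TO_B)   # 'forward'


# Beyond the question: a 'forward capture' map of the kind used to feed an IDSM
# capture port (constructed; 10.1.0.0/16 is an assumed client network). Web
# traffic to or from the clients is forwarded AND copied to the capture port;
# everything else is forwarded without being captured.
CLIENTS = wildcard("10.1.0.0", "0.0.255.255")
CAPTURE_MAP = [
    ([Ace(True, "tcp", CLIENTS, ANY, dst_port=80),
      Ace(True, "tcp", ANY, CLIENTS, src_port=80)], "forward capture"),
    ([Ace(True, "ip", ANY, ANY)], "forward"),
]


def capture_result(pkt: Packet) -> str:
    return vacl_action(CAPTURE_MAP, pkt)
```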

Tags: Cisco Network

Similar Questions

  • VACL capture question

    Can a VACL capture port be any port on a switch (Cat 6000), or is it only possible on a port on an IDSM blade?

    Regards, Jeff

    Any Ethernet, Fast Ethernet or Gigabit Ethernet port should work as a VACL capture port. We regularly use this to test external appliance sensors.

  • IDSM2 and VACL for captured traffic

    Hi all

    I'm setting up an IDSM2 module in a Cat6500 switch running CatOS. I've configured some VACLs to capture traffic and send it to the IDSM2 data port, but I started having connectivity problems in the VLANs, which I traced to the VACL. AFAIK the VACL capture option does not block or affect the traffic flow; is this correct?

    Regards

    Yes, but the VACL has an implicit "deny all" at the end, so you would use:

    set security acl ip acl-name permit ip any any

    otherwise all other traffic will be blocked.

  • VACL and mls ip ids configuration on IDSM2

    Hello

    We have installed an IDSM2 in a 6500 Series switch. We have configured 5 VLANs. We have activated the IOS firewall on 2 of the VLANs.

    Now, we want to capture traffic on the IDSM2 for all the VLANs.

    How can I set this up?

    I have to apply VACLs on the VLANs where the IOS Firewall is not enabled.

    On the two VLANs where we apply ip inspect I use mls ip ids.

    Is it possible to set ports 7 and 8 of the IDSM2 to capture both VACL and mls ip ids traffic?

    Kind regards

    Jousset

    I think it should work.

    You may want to consider another approach as well.

    Instead of placing the mls ip ids command on the server VLAN router interface, you might try just adding extra capture lines to the VACL on the client VLAN to capture this traffic.

    For example, if your servers are web servers and the client VLAN is the 10.1.0.0 network, your VACL might look like this:

    permit tcp 10.1.0.0 0.0.255.255 any eq 80 capture

    permit tcp any eq 80 10.1.0.0 0.0.255.255 capture

    permit ip any any

    The first line marks the client packets for capture.

    The second line marks the server packets for capture.

    The last line permits the rest of the traffic without capturing it.

    This way you capture both sides of the traffic in one VACL instead of having to combine VACL and mls ip ids.

    The IDSM-2 would still need to monitor both the server and the client VLAN.

    This is because, although the VACL is applied on the client VLAN, it will mark some of the packets for capture when they leave the switch on the server VLAN.

    Maco

  • VACL vs. SPAN

    Hello

    I have a question about the IDSM-2 on the Cat 6500.

    Are there any performance issues with using VACL rather than SPAN?

    Thank you

    Graz.

    Actually, the material in the official Cisco Secure Intrusion Detection System (CSIDS) course, specifically Chapter 8 - Configuring the IDSM, says that the IDSM-2 "provides an in-switch IDS solution by providing access to data streams via VACL capture, SPAN or RSPAN".

    It clearly indicates (as does the IDSM2 documentation - http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c95.html#wp589548) that ports 7 and 8 on the IDSM2 are the monitoring ports.

    They are able to monitor up to 2 RX SPAN sessions, 4 TX SPAN sessions or 2 RX+TX SPAN sessions. The only caveats are that the total amount of SPANned traffic may not exceed 600 Mbps, and the limit on SPAN sessions limits the number of ports in the Catalyst 6500 chassis that can have their traffic monitored. (NOTE: new info based on the information in the course manual)

    WRT VACL, Cisco says that VACL, while more difficult to configure than SPAN, is the preferred method of sending traffic to the IDSM2 "because it allows a subset of traffic to be copied and forwarded to the IDSM2, limiting the amount of traffic it must process, and also potentially allowing traffic on additional ports in the chassis to be analyzed".

    Given this information, it would seem that VACL (when properly set up and used) is more powerful and less stressful for the IDSM2 than SPAN.

    Alex Arndt

  • IDS and Dot1q

    Does the IDS understand Dot1q? If so, is any configuration required on the IDS when sniffing several VLANs? Should the interface on the switch that connects to the IDS sniffing port have Dot1q trunking configured?

    Thank you

    The sensor is able to interpret the 802.1q trunk headers to tell which VLAN the packet arrived on, and will report the VLAN number in the alert.

    This function of the sensor is always enabled, and no command is necessary.

    It is the switch port that would need to be configured as an 802.1q trunk port to send trunk packets to the sensor.

    For promiscuous mode, making the port a trunk port is not enough. In addition, the switch must be configured to send traffic to the sensor using SPAN (or VACL capture if it is a Cat 6500).

    The SPAN command may contain additional parameters to send packets with trunk headers.

    You will need to read the manuals for your switch to determine which commands are necessary on your switch.

    For inline mode, the simplest scenario is to configure your 2 switches (or a switch and a router or a firewall etc.) to be linked together through an 802.1q trunk port.

    Once everything is working fine, then place your sensor between the 2 switches in the middle of that 802.1q trunk.

    The sensor will analyze the packets and pass them through without modification. The VLAN header of the packets would pass through unmodified, and the underlying IP packet would be fully analyzed.

  • Catalyst 6500 switch configuration for IDSM inline operation

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLANs for inline operation.

    However, I don't see any document that describes how the desired VLAN traffic gets forced through the IPS.

    In promiscuous mode you can use copy/capture VACLs to forward the desired traffic to the IDSM for analysis. I don't see how to get the desired traffic through the IPS.

    Note that the host 6500 is running native IOS 12.2(18)SXE.

    Thanks for any help.

    A transparent firewall is a pretty good comparison.

    Say you have VLAN 10 with 100 PCs and 1 router for the network.

    If you want to apply a transparent firewall to this VLAN you can't just put the firewall interface on VLAN 10. Nothing would go through the firewall.

    Instead, you need to create a new VLAN, say 1010. Now you place one firewall interface on VLAN 10 and the other on VLAN 1010. Still nothing is going through the firewall. So now you move the router from VLAN 10 to VLAN 1010. All you do is change the VLAN; the IP address and mask of the router remain the same.

    The transparent firewall bridges VLAN 10 and VLAN 1010. The PCs on VLAN 10 are able to communicate through the router, but must go through the transparent firewall to do so.

    The firewall is transparent because there is no IP route between the 2 VLANs; instead, the same IP subnet is on both VLANs and the transparent firewall bridges between the 2 VLANs.

    The transparent firewall can firewall between the PCs on VLAN 10 and the router on VLAN 1010. But if PC A on VLAN 10 talks to PC B on VLAN 10, then the transparent firewall does not see and cannot block this traffic.

    An inline sensor is very similar to the transparent firewall and sits between the 2 VLANs. Similarly, an inline sensor is able to monitor inline the traffic between the PCs on VLAN 10 and the router on VLAN 1010, but will not be able to monitor the traffic between 2 PCs on VLAN 10.

    Now, the PCs on one VLAN and the router on the other VLAN is a classic deployment for inline sensors, but your VLANs need not be divided in this way. You can choose to place some servers in one VLAN and desktops in another VLAN. You subdivide the VLANs in whatever way is logical for your deployment.

    Now, for monitoring several VLANs the same principle still applies. You can't monitor traffic between machines on the same VLAN. So for each VLAN that you want to analyze, you will need to create a new VLAN and divide the machines between the 2 VLANs.

    In your case with native IOS, you are limited to only 1 VLAN pair for inline monitoring, but your desired deployment would require 20 VLAN pairs.

    The IPS 5.1 software now has the ability to handle the 20 pairs, but the native IOS software doesn't have the ability to send the 40 VLANs (20 pairs) to the IDSM-2.

    Changes in native IOS are in testing right now, but I have not heard a release date for these changes.

    CatOS has already made these changes. So here is a basic breakdown of what you could do in CatOS, which you can use to prepare for a native IOS deployment when it comes out.

    For VLANs 10-20 and 300-310, which you want monitored, you will need to break each of those VLANs into 2 VLANs.

    Let's say we keep it simple and add 500 to each VLAN in order to create the new VLAN for each pair.

    Therefore, the following pairs:

    10/510, 11/511, 12/512, etc...

    300/800, 301/801, 302/802, etc...

    You configure the sensor port to trunk all 40 VLANs:

    set trunk 5/7 10-20,300-310,510-520,800-810

    (And then clear all other VLANs off this trunk to clean things up)

    In the IDSM-2 configuration create the 20 inline VLAN pairs on interface GigabitEthernet0/7

    Now on each of the 20 original VLANs, move the default router for each original VLAN to the 500+ VLAN.

    At this point, you should be good to go. The IDSM-2 will not monitor traffic that remains inside each of the 20 original VLANs, but would monitor the traffic routed into and out of each of the 20 VLANs.

    Due to a switch bug, you may need to have an extra PC moved to the same VLAN as the router if the switch/MSFC is used as the router and you deploy with an IDSM-2.

  • Preferred method for controlling VLAN captures on the IDSM?

    Hi all

    We have recently added IDSM2s to our core, using VACL to capture traffic. How do others control which VLANs the IDSMs can inspect? Right now I have it set up so that only certain VLANs are mapped to the VACL and allowed on the trunk; for example, map VLANs 1,2,3 to the VACL and allow VLANs 1,2,3 on the trunk to the IDSM. Would it be a bad idea to allow all VLANs on the trunk and simply specify certain VLANs in the VACL? Or vice versa, map all VLANs to the VACL and specify the allowed VLANs on the trunk? All advice is appreciated.

    Thank you

    Ryan

    There is no preferred way; certainly either works just as well.

    I guess the issue I saw with leaving all VLANs on the trunk to the IDSM is that you actually get broadcast and multicast traffic on this trunk from VLANs that you aren't VACL capturing. Essentially, broadcasts and multicasts (and even unicasts to MAC addresses without an associated CAM table entry) are flooded in a switch to all ports in the VLAN, including trunks. If your VACL is only monitoring VLANs 2 and 3, but the switch sees a broadcast on VLAN 4, it is passed on this trunk to the IDSM port because that is the nature of packet forwarding/flooding. For certain signatures (such as the ARP-based sigs), these then fire alerts, so that you get alerts on VLAN 4 even though your VACL specifies only VLANs 2 and 3. It doesn't happen very often, but it is important to be aware of it.

    If you go and remove all the VLANs from the IDSM trunk except those in your VACL, then you will not see these broadcasts/multicasts from other VLANs. This is your current configuration per your description and will work well for you.

  • IDSM-2 basic configuration

    Hello

    I have some experience with sensors, but this is my first time setting up a C6500 with an IDSM-2, and I have a few design questions. The first question is this: can I mix VACL and SPAN to capture traffic in the same configuration?

    The customer actually uses VACL to capture traffic from some machines, but now wants to monitor all traffic from an external partner via a VPN concentrator, so I guess in this case I should use SPAN to monitor the VPN port: am I wrong?

    The customer's config is more or less the following:

    intrusion-detection module 1 data-port 1 capture
    intrusion-detection module 1 data-port 1 capture allowed-vlan 1
    intrusion-detection module 1 data-port 2 capture allowed-vlan 1

    vlan access-map IDS 10

    match ip address in

    action forward capture

    vlan access-map IDS 20

    match ip address to

    action forward

    vlan filter IDS vlan-list 1

    ip access-list extended in

    permit ip any host 192.168.1.1

    permit ip host 192.168.1.1 any

    ...

    ip access-list extended to

    permit ip any any

    If I want to use SPAN, what is the limit on the number of source ports I can put in the "monitor session" command?

    Should I send this SPAN traffic to sensing interface 8 (data-port 2), or can I still send it to data-port 1 (sensing interface 7)?

    Why are there two sensing interfaces?

    Thanks in advance...

    Ruben

    The first thing to understand is that the customer should not configure data-port 1 and data-port 2 to see the same traffic.

    The sensor will get duplicate packets, which lowers the overall performance of the sensor (spending CPU just to throw away duplicates) and at worst could cause false positives or even false negatives.

    So the first thing to do is to remove the capture configuration from data-port 2, so that only 1 data port is doing packet capture.

    Now that data-port 2 is freed up, you can configure data-port 2 for something else.

    So if you want to use SPAN then yes, you can now configure data-port 2 as a SPAN destination port.

    Can you mix VACL and SPAN configurations?

    Yes, but not on the same data port. One data port can be a VACL capture port and the second data port a SPAN destination port.

    However, you want to avoid duplicate packets as much as possible. So you will want to set it up so that traffic normally visible on the SPAN destination port is not also seen on the VACL capture port (this generally means changing the VACL to not capture that traffic).

    Should you use SPAN to monitor the VPN port?

    SPAN is usually the best way to ensure you get all the packets in and out of a specific port. You will need to make sure that you use a port SPAN (instead of a VLAN SPAN) and make sure you cover both tx and rx traffic so that you get both inbound and outbound traffic.

    Also make sure that the traffic you are SPANning is the unencrypted traffic and not the encrypted traffic (which would be ignored by the sensor).

    What is the limit on the number of source ports?

    I don't know, and I think it can differ depending on your IOS version and supervisor type. So you must read the configuration guide for your Cat 6K to determine the limits of your specific switch.

    Should you send the SPAN traffic to data-port 2 or data-port 1?

    A data port cannot be both a VACL capture port and a SPAN destination port. So if data-port 1 is configured for VACL capture then it cannot be a SPAN destination port. Configure one port as the VACL capture port and the other port as the SPAN destination port.

    Why are there 2 sensing interfaces?

    To do things similar to what you ask. So you can use 2 different monitoring techniques that could not be done on a single port. Or to be able to do promiscuous monitoring on one port while doing inline VLAN pair monitoring on the second port. Or to use the 2 ports as an inline interface pair for monitoring.

  • IDSM configuration in promiscuous mode?

    Hello

    I have two Catalyst 6500 switches in VSS, each with an IDSM module. I want to monitor four VLANs: three of them are user VLANs and one is the server VLAN. I'm planning to use VACL to capture traffic.

    My first question is how to configure the IDSM data ports in promiscuous mode, since the configuration guide says that by default the data ports are in promiscuous mode, which means I don't need to do any configuration on the IDSM data ports?

    Second, if I have two 6500 switches in VSS, each with an IDSM module, do I need to consider other configuration for this situation?

    The VACL I'll put in is:

    ip access-list extended ACL_IPS

    permit ip any any

    !

    vlan access-map VACL_IPS 10

    match ip address ACL_IPS

    action forward

    !

    vlan filter VACL_IPS vlan-list 30, 40, 50, 100

    !

    intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100

    intrusion-detection switch 1 module 4 data-port 1 capture

    intrusion-detection switch 1 module 4 data-port 1 autostate include

    !

    intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100

    intrusion-detection switch 2 module 4 data-port 1 capture

    intrusion-detection switch 2 module 4 data-port 1 autostate include

    Thanks for the help.

    The IDSM doesn't need special commands to inspect traffic in promiscuous mode.

    You'll want to put your IDSM management interfaces on a VLAN local to the switch to talk with them:

    intrusion-detection module 4 management-port access-vlan 99

    Use the "forward capture" action:

    vlan access-map VACL_IPS 10

    match ip address ACL_IPS

    action forward capture

    Get rid of the spaces between your VLAN numbers:

    vlan filter VACL_IPS vlan-list 30,40,50,100

    If you put two IDSMs in the same chassis, you will need to decide how to divide traffic between them. You can assign different VLANs to each IDSM.

    -Bob

  • Configuring the IDSM on a 6513 with no local SPAN session available

    Hi, the IOS versions on my Catalyst 6513s are 12.2(18)SXF16 and 12.2(33)SXI5; today I want to configure my IDSM module.

    I should SPAN my VLAN traffic to the IDSM, right?

    Commands like:

    monitor session 4 source vlan 21

    monitor session 4 destination intrusion-detection-module 10 data-port 1

    But the switch tells me:

    % Local Session limit has been exceeded

    So, what should I do if I want my IDSM to work?

    Thank you!

    Hello

    You can use VACL to pass traffic to the IDSM2. VACL capture allows you to specify the VLANs you would like the IDSM2 to monitor.

    So if you know which VLANs from the EtherChannels, then you can include them in the VACL configuration.

    For example:

    intrusion-detection module 4 data-port 1 capture allowed-vlan 10-20,40,70

    Please find the documentation for configuring VACL on the 6500 switch here:

    http://www.Cisco.com/en/us/docs/security/IPS/6.1/Configuration/Guide/CLI/cli_idsm2.html#wp1030767

    Hope that answers your query.

    Cyril Shankar

  • Supported VLANs on IDS-4250 or IDS-4250XL?

    Hello

    I am evaluating the purchase of an IDS solution. One of the major concerns I have is the ability to monitor several VLANs (interfaces) and the throughput.

    I was looking through the IDS-4250 and IDS-4250XL specifications. The XL version has higher throughput than the 4250. What got me confused is that the XL version only takes one additional interface (1000Base-SX) while the standard version gives you the ability to have both 1000Base-SX and 4-port FE.

    Now, my question is: is it possible on these 2 specific devices to configure the monitoring interface to monitor multiple VLANs (with the help of a trunk), if all the VLANs are connected on one switch? Unfortunately buying an IDS module for the 6500 is out of the question, since no 6500 switch is currently available.

    The IDS-4250-TX-K9 (aka IDS-4250) is the base chassis to which a single PCI card can be added (IDS-XL-INT=, IDS-4250-SX-INT=, IDS-4FE-INT=).

    If the IDS-XL-INT= (aka XL card) is added to the IDS-4250, the sensor would then become an IDS-4250-XL-K9 (aka IDS-4250-XL).

    NOTE: The IDS-4250-XL is not a separate chassis from the base; it is the same IDS-4250-TX-K9 with the IDS-XL-INT= already installed by manufacturing.

    The XL card has 2 fiber Gig interfaces with MTRJ fiber-optic connectors of the SX type.

    The XL card adds hardware acceleration to the 2 fiber Gig interfaces (increasing performance to 1 GB of monitoring capacity).

    However, there is a limitation whereby, with the XL card, only the 2 XL fiber interfaces can be used for monitoring.

    If the IDS-4250-SX-INT= (aka SX card) is added to the IDS-4250, the sensor would then become an IDS-4250-SX-K9 (aka IDS-4250-SX).

    The SX card has a single fiber Gig interface with an SC connector for the SX interface.

    With the IDS-4250-SX, users can sniff on both the SX interface of the card and the standard onboard TX Gig sniffing interface, which gives a total of 2 sniffing interfaces.

    If the IDS-4FE-INT= (aka 4FE card) is added to the IDS-4250, then no specific sensor name was created (although I usually call it an IDS-4250-4FE).

    The 4FE card has 4 10/100 TX interfaces.

    With the IDS-4250 with a 4FE card, the user can sniff on the 4 10/100 TX interfaces of the card as well as the standard onboard TX Gig sniffing interface, which gives a total of 5 sniffing interfaces.

    NOTE: Only ONE of the 3 PCI cards can be placed in the IDS-4250. The IDS-4250 has 2 PCI slots, BUT Cisco ONLY supports placing a card in ONE of the 2 slots. So users cannot install 2 XL cards, or 2 SX cards, or 2 4FE cards, or a mixture of 2 different card types. (This may change in a future release.)

    Here is a quick breakdown of what I said:

    IDS-4250-TX-K9:

    1 Gig TX interface

    500 Mbps performance

    IDS-4250-TX-K9 + IDS-4FE-INT=:

    1 Gig TX interface + 4 FE TX interfaces

    500 Mbps performance

    IDS-4250-TX-K9 + IDS-4250-SX-INT=:

    (IDS-4250-SX-K9)

    1 Gig TX interface + 1 Gig SX interface (SC connector)

    500 Mbps performance

    IDS-4250-TX-K9 + IDS-XL-INT=:

    (IDS-4250-XL-K9)

    2 Gig SX interfaces with hardware acceleration (MTRJ connectors)

    1 Gbps performance

    NOTE: Performance is not per port, but rather the total performance of the chassis when combining the traffic on all sniffing ports.

    As for the question on trunks.

    The IDS software supports 802.1q trunk monitoring on ALL interfaces. You don't have to worry about buying a particular sensor model for trunks.

    You must determine your sensor model (and additional PCI card) based on the performance and physical connection required by the sensor.

    How to:

    On the switch itself, hard-code the port as an 802.1q trunk port and force the trunk to be on. (This must be hard-coded on the switch because there is no trunk negotiation with the sensor.)

    In CatOS on the 6500 switch, an example would be:

    set trunk 6/1 on dot1q

    Now set up the trunk to trunk only the VLANs you are interested in monitoring.

    In CatOS on the 6500 switch, an example would be:

    set trunk 6/1 1-100

    clear trunk 6/1 101-1005,1025-4094

    Now you need to use SPAN or VACL capture to send packets to the trunk port.

    In CatOS on the 6500 switch, an example would be:

    set span 1-100 6/1

    NOTE: Configuring the port as a trunk port is not enough to get the packets sent to the sensor. You must still use SPAN or VACL capture on top of the trunk port to get the packets to the monitoring sensor.

    If you don't have a 6500 then, of course, the commands on your switch may be different. And in some cases the above commands can be combined into a single command on your switch, so see your switch documentation.

  • tcpdump on the IDSM2 sensing interfaces

    When we deploy new IDSM2 blades in various places, we need to ensure that the sensing interfaces have sufficient visibility into the network. To do this, we (the security group) depend on the network administrators to configure SPAN, RSPAN, VACL, etc. Sometimes the initial setup is done well, but when major changes are made to the switch, the SPAN/VACL config is lost due to human error. Thus, tcpdump is very necessary to ensure that SPAN/RSPAN/VACL etc., as the case may be, are set up correctly. Another reason I can think of is when one-way traffic is hitting the IDSM2 sensing interface instead of bidirectional traffic.

    We can use tcpdump on the appliances by first stopping CIDS with '/etc/init.d/cids stop'. Is there a workaround to run tcpdump on the IDSM2? Which Linux eth interfaces do int7 and int8 correspond to?

    Let me know, thanks.

    Try using 'tcpdump -r' with the name of the falcondump output file as the argument. -r is tcpdump's "read from file" option.

    Falcondump is expected to produce a file "falcondump.pcap" by default; you would feed this file to tcpdump with the -r option.

    For detailed analysis, we use Ethereal on a different workstation.

    SC

  • I have only a single IDS and would like to know if it's possible to monitor all the VLANs.

    With only one IDS I want to know if it is possible to monitor all my VLANs in the network. I use IDS version 4 and VMS IDS MC 1.1.

    If I have to set my internal addresses and those I define as internal are considered trusted, in the case that I configure a port on my core switch to monitor all the VLANs in my network and connect the IDS to the destination monitor port to sniff all the VLANs, which VLANs do I consider as internal?

    Also, I have Catalyst 6006 and 6509 switches with versions 5.1(3) and 12.1 respectively; can I apply shunning to take actions when an attack is detected?

    Is this configuration possible?

    Thanks for any help-

    I don't know if the IDS is able to detect the specific activity you mentioned. You would need to go through our signature list to see if it's possible. You could also submit a new post and ask this question again.

    As for the actions.

    CatOS 5.3 should allow you to inject TCP Reset packets through a span port (requires the inpkts enable parameter).

    In regards to blocking with CatOS 5.3, I don't think that version supports VACLs. You may need to upgrade the CatOS version if you want to block with VACLs, and you also need a PFC and an MSFC on the supervisor.

    NOTE: If you have an MSFC doing the routing, you may also block with traditional router ACLs on the MSFC.

    On the 6509 running native IOS (where IOS instead of the traditional CatOS runs on the supervisor), there may be a problem with TCP resets. I don't know if the monitor port (the native IOS equivalent of the span port) will allow incoming TCP resets. You need to check the documentation.

    Some versions of native IOS (I think newer than what you have) will also allow you to monitor through the VLAN ACL capture feature. If the sensor is monitoring via a VACL capture port instead of a monitor port then I think the TCP reset works OK, but I have not tested it.

    With native IOS the sensor supports router blocking with traditional ACLs; it does not support blocking with VLAN ACLs in native IOS.

    NOTE: The difference between a router ACL and a VLAN ACL is that the VLAN ACL is applied to the VLAN and applies to all packets coming into and leaving the VLAN, while the router ACL is actually applied to the INTERFACE of the VLAN where an IP address has been assigned and only applies to packets routed into or out of the VLAN.

    NOTE: Native IOS requires that the supervisor has an MSFC to even load the image.

  • IDSM2 management-only options

    We are getting a few IDSM2 blades, which would be managed by the security group, while the 6500s themselves are managed by the network group. How can we configure the system so that the security group gets all privileges for IDSM2 management while not having enough privileges to change the switch config? Similarly, the network group has all the privileges except for the management of the IDSM2. I don't doubt there are other organizations that have faced a similar problem.

    I am told that we need a proper privilege level (enable level) for the security group who manage the IDSM2. This way, they can telnet to the switch and gain enable privileges, but not enough to modify the configuration of the switch. It would be useful if someone could provide some tips or pointers in the right direction.

    There are 2 primary sets of configuration that need to be addressed when setting up the IDSM2.

    (1) The switch configuration. The part of the switch configuration which involves the IDSM2 is:

    (a) VLAN configuration for the IDSM2 command and control port

    (b) configuring the VLANs being trunked to the IDSM2 monitoring ports

    (c) configuring either SPAN or VACL capture to send packets to the IDSM2

    (d) time setting on the switch (by default the IDSM2 synchronizes its time to the switch, but the IDSM2 can also be configured to synchronize with an NTP server instead)

    (e) automatic configuration of the VACL by NAC (Network Access Controller) - this is optional and would actually be configuration of the switch coming from a process on the IDSM2

    a, b, c and d can often be done by the network group. These configurations are often static and do not require day-to-day changes.

    e is optional and would in fact come directly from the IDSM2.

    (2) IDSM2 configuration. Configuring the IDSM2 is roughly the same as on the stand-alone appliances. You configure the severities, actions etc. in the IDSM2 configuration.

    The network team should rarely, if ever, need to change the configuration directly on the IDSM2.

    In addition to the configurations, the only other things would be the switch commands that control the card:

    - Reset, power off etc... - these are rarely needed (resets can be done from the IDSM2 or the switch CLI)

    - sessioning to the IDSM2 - usually only required for the first initialization of the card; after initialization the user can ssh directly to the IDSM2 CLI and does not have to go through the switch CLI (Note: sessioning to the IDSM2 requires a username and password configured directly on the IDSM2, unrelated to the usernames and passwords on the switch)

    - Re-imaging of the IDSM2 in case of disaster recovery - standard upgrades are performed directly in the IDSM2 CLI, but for disaster recovery the IDSM2 must be booted to the maintenance partition by a switch CLI command, so this sort of disaster recovery requires access to the switch CLI.

    Given the separation of the day-to-day configuration changes between the switch and the IDSM2 configurations, many groups elect to simply allow only the network group access to the switch CLI, and the security group access to the IDSM2 CLI.

    For the IDSM2 initialization configuration and for the implementation of the IDSM2-specific switch configuration, the 2 teams simply work together for a day or two to get it all up and running.

    Once the IDSM2 is running, it is very rare that the security team needs direct access to the switch.

    The other alternative is to allow the security team access to the IDSM2 CLI and then use TACACS+ on the switch to limit the commands available to the security team on the switch CLI.

    I think you can use the authentication and authorization capabilities integrated with TACACS+ to achieve this. I have never done this and don't know how easy it would be to set up.

    For more information on switch command authorization, you can refer to:

    http://www.Cisco.com/univercd/CC/TD/doc/product/LAN/cat6000/sw_8_1/confg_gd/authent.htm#1021706

    If you do this, the security team would then be limited to what I mentioned above.
