
Capturing Network Traffic for the Catalyst 6000 IDS Module


  1. SPAN Port Feature
  2. VACL Feature
  3. Summary

Article Description

Cisco IDS incorporates intrusion-detection capability directly into your infrastructure through the Catalyst 6000 Intrusion Detection System (IDS) Module. Using multiple IDS Modules in a single Catalyst 6000 family switch enables you to process multiple 100Mb traffic streams, as discussed in this article by Earl Carter.

The Catalyst 6000 IDS Module is an actual line card that you install in your Catalyst 6000 family switch. This 100Mb Cisco IDS sensor uses a monitoring port that captures traffic directly off the switch's backplane. You must, however, configure your Catalyst 6000 family switch to send the appropriate network traffic to this monitoring port. When deciding how you plan to capture network traffic, you have a choice between two options:

  • Switched Port Analyzer (SPAN) ports
  • Virtual LAN (VLAN) access control lists (ACLs), or VACLs

Each of these techniques enables you to pass network traffic to your IDS Module for analysis. The VACL feature, however, provides a much more robust capability to specify the type of traffic that will be passed to your IDS Module. We will examine each of the options separately, beginning with the SPAN port feature.

SPAN Port Feature

To configure Switched Port Analyzer (SPAN) ports, you need to use the set span switch command. The format for this command is as follows:

set span src_mod/src_ports | src_vlan dest_mod/dest_port tx | rx | both

Using the set span command, you can configure your switch to direct traffic from either specific ports or from a specific VLAN to a specific destination port. The destination port will be the monitoring port on your Catalyst 6000 IDS Module. Besides limiting the traffic to specific ports or a specific VLAN, you also have the option of limiting traffic based on the direction that the traffic is flowing. Your traffic direction options are the following:

  • tx—Capture only traffic coming from the specified source
  • rx—Capture only traffic going to the specified source
  • both—Capture traffic going to and from the specified source

Suppose you install your Catalyst 6000 IDS Module (IDSM) into the fifth slot on your Catalyst chassis. Port 1 on your IDSM is the monitoring port, and port 2 is the command and control port. Therefore, if you want the IDSM to examine all of the network traffic to and from VLAN 150, the command would be the following:

set span 150 5/1 both

One of the drawbacks of using SPAN with the both parameter, however, is that the same packet can potentially be sent to your monitoring port twice—once when it leaves a port, and once when it enters another port. This can cause problems with certain signatures. Whether the SPAN port will receive two copies of a packet depends on the type of supervisor engine installed on your Catalyst 6000 family switch.

Each time that you create a SPAN port, you associate either a source port or a source VLAN with a destination port. This association is known as a SPAN session. The number of SPAN sessions available is very limited: you can have a total of only six SPAN sessions. Of these six, four can be tx (transmit), and the remaining two can be either rx (receive) or both (transmit and receive). The limited number of SPAN sessions available is a major drawback to using SPAN ports to capture your network traffic.
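As an added example (not from the article or from Cisco), the following Python helper models the SPAN session limits described above and emits the corresponding set span commands for an IDSM monitoring port; the slot number, VLAN numbers and port ranges it uses are constructed.

```python
from dataclasses import dataclass

# Session limits as stated in the article (modelled here, not switch code).
MAX_SESSIONS = 6              # six SPAN sessions in total
MAX_TX_SESSIONS = 4           # at most four may be tx
MAX_RX_OR_BOTH_SESSIONS = 2   # the remaining two may be rx or both


@dataclass(frozen=True)
class SpanSession:
    """One SPAN source: a port range such as '3/1-4' or a VLAN such as '150'."""
    source: str
    direction: str  # "tx", "rx" or "both"


def plan_span(sessions, idsm_slot, monitor_port=1):
    """Return the `set span` commands that feed every requested source to the
    IDSM monitoring port, or raise ValueError when the request exceeds the
    SPAN session limits. The destination is always the IDSM monitoring port
    (port 1 on the module by default; port 2 is command and control)."""
    bad = {s.direction for s in sessions} - {"tx", "rx", "both"}
    if bad:
        raise ValueError(f"unknown SPAN direction(s): {sorted(bad)}")
    tx = sum(1 for s in sessions if s.direction == "tx")
    rx_or_both = len(sessions) - tx
    if len(sessions) > MAX_SESSIONS:
        raise ValueError(f"{len(sessions)} sessions requested, only {MAX_SESSIONS} available")
    if tx > MAX_TX_SESSIONS:
        raise ValueError(f"{tx} tx sessions requested, only {MAX_TX_SESSIONS} available")
    if rx_or_both > MAX_RX_OR_BOTH_SESSIONS:
        raise ValueError(f"{rx_or_both} rx/both sessions requested, only {MAX_RX_OR_BOTH_SESSIONS} available")
    dest = f"{idsm_slot}/{monitor_port}"
    return [f"set span {s.source} {dest} {s.direction}" for s in sessions]


def duplicate_packet_risk(sessions):
    """True when any session uses 'both': on some supervisor engines the same
    packet may then reach the monitoring port twice (once leaving a port, once
    entering another), which can upset certain signatures."""
    return any(s.direction == "both" for s in sessions)


if __name__ == "__main__":
    # Constructed scenario: IDSM in slot 5, mirror VLAN 150 in both directions.
    plan = [SpanSession("150", "both")]
    for cmd in plan_span(plan, idsm_slot=5):
        print(cmd)  # set span 150 5/1 both
    print("duplicate-packet risk:", duplicate_packet_risk(plan))
```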
