Cisco Catalyst 6500 Series Installation Manual page 93

Chapter 1 Product Overview
The Intrusion Detection System Module captures network packets, and then
reassembles and compares this data against a set of rules that indicates typical
intrusion activity. Network traffic is copied either to the Intrusion Detection
System Module based on security VLAN access control lists (VACLs) in the
switch or is routed to the Intrusion Detection System Module using the switch's
Switched Port Analyzer (SPAN) port feature. Both methods allow user-specified
types of traffic that are based on switch ports, VLANs, or traffic type to be
inspected.
The Intrusion Detection System Module searches for patterns of misuse by
examining either the data portion or the header portion of network packets.
Content-based attacks come from the data portion, and context-based attacks
come from the header portion.
When the Intrusion Detection System Module detects an attack, it generates an
alarm. Alarms are generated by the Intrusion Detection System Module through
the Catalyst 6500 series switch backplane to the Cisco Secure PM, where they are
logged or displayed on a graphical user interface. Alarm communication is
handled by the Cisco Secure IDS Communication service protocol, a proprietary
protocol that transmits alarms from the Intrusion Detection System Module to the
Cisco Secure PM.
The front panel has a STATUS LED, a hard drive LED, a SHUTDOWN button,
and a PCMCIA slot as shown in
Figure 1-45 Intrusion Detection System Module (WS-X6381-IDS)
STATUS LED
Table 1-16
by the STATUS LED.
78-15725-02
WS-X6380-NAM
NTWK ANALYSIS HDL
SHUTDOWN button Hard drive
describes the Intrusion Detection System Module states as indicated
Intrusion Detection System Module (WS-X6381-IDS)
Figure 1-45.
For Vendor Use Only
SHUTDOWN
(HD) LED
Catalyst 6500 Series Switch Module Installation Guide
SLOT
1
0
EJECT
PCMCIA
HD
PCMCIA slot
1-69