https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455586#M67529 <HTML><HEAD></HEAD><BODY><P>Hi Omair,</P><P></P><P>Not sure, I understand.&nbsp; I did discuss the second map statement:</P><P></P><P>The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded.&nbsp; Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1.&nbsp; Assuming everything else is correct in your configuration, it should work.</P><P></P><P>I am referring to each vlan map statement as "clause".&nbsp; So, you did this right...the single host traffic won't match the first clause (vlan map) and will proceed to the next clause (vlan map statement).&nbsp; I don't see a problem with your configuration except, the missing "ip" in the access-list.</P><P></P><P>Does that make sense?</P><P></P><P>Regards,</P><P></P><P>RA</P></BODY></HTML> Mon, 03 May 2010 16:58:55 GMT Ronald Anthony 2010-05-03T16:58:55Z https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455583#M67524 <P>Is it possible to exclude traffic which be default goes to IDSM. I have following scenario:</P><P></P><P>LAN--&gt;IDSM-&gt;FWSM--&gt;Server VLAN</P><P></P><P>IDSM and FWSM are in one single chassis and all the traffic coming from LAN is captured and forwarded to IDSM before it hits FWSM. I need to exclude some traffic that should not get captured and gets forwarded to IDSM but should hit FWSM directly.</P><P></P><P>Following configuration exist currently:</P><P></P><P>vlan access-map idsm-map 10</P><P>match ip address idsm-acl</P><P>action forward captured</P><P></P><P>access-list ext idsm-acl</P><P>10 permit ip any any</P><P></P><P>I was thinking of doing following for exclusion:</P><P></P><P>vlan access-map idsm-map 10</P><P>match ip address idsm-acl</P><P>action forward captured</P><P></P><P>vlan access-map idsm-map 20</P><P>match ip address idsm-acl-1</P><P>action forward</P><P></P><P>access-list ext idsm-acl</P><P>1 deny any host 10.1.1.1</P><P>10 permit ip any any</P><P></P><P>access-list ext idsm-acl-1</P><P>10 permit ip any host 10.1.1.1</P><P></P><P>Will later configuration stop any traffic for destination 10.1.1.1 bypass IDSM or is there any other way aroud to achieve this on IDSM itself.</P><P></P><P>Later</P><P>Omair</P> Sun, 10 Mar 2019 11:58:41 GMT https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455583#M67524 oqureshi 2019-03-10T11:58:41Z https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455584#M67526 <HTML><HEAD></HEAD><BODY><P>Hi Omair,</P><P></P><P>I think you are going about this the correct way.&nbsp; You don't want to send traffic to the IDSM that is not intended to go through the IDSM.&nbsp; What you describes sounds good...you will just have to add "ip" to your access-list statement:</P><P></P><P>access-list ext idsm-acl</P><P>1 deny any host 10.1.1.1&nbsp; --should be 1 deny ip any host 10.1.1.1</P><P>10 permit ip any any</P><P></P><P>The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded.&nbsp; Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1.&nbsp; Assuming everything else is correct in your configuration, it should work.</P><P></P><P>Regards,</P><P></P><P>RA</P></BODY></HTML> Fri, 30 Apr 2010 19:59:15 GMT https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455584#M67526 Ronald Anthony 2010-04-30T19:59:15Z https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455585#M67527 <HTML><HEAD></HEAD><BODY><P>I little confuse from your reply as you didnt say anything about second vlan map, below is the final configs that I understand might be correct, please correct me if I am wrong</P><P></P><P>vlan access-map idsm-map 10</P><P>match ip address idsm-acl</P><P>action forward captured</P><P></P><P>vlan access-map idsm-map 20</P><P>match ip address idsm-acl-1</P><P>action forward</P><P></P><P>access-list ext idsm-acl</P><P>1 deny ip any host 10.1.1.1</P><P>10 permit ip any any</P><P></P><P>access-list ext idsm-acl-1</P><P>10 permit ip any host 10.1.1.1</P></BODY></HTML> Sat, 01 May 2010 09:03:20 GMT https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455585#M67527 oqureshi 2010-05-01T09:03:20Z https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455586#M67529 <HTML><HEAD></HEAD><BODY><P>Hi Omair,</P><P></P><P>Not sure, I understand.&nbsp; I did discuss the second map statement:</P><P></P><P>The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded.&nbsp; Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1.&nbsp; Assuming everything else is correct in your configuration, it should work.</P><P></P><P>I am referring to each vlan map statement as "clause".&nbsp; So, you did this right...the single host traffic won't match the first clause (vlan map) and will proceed to the next clause (vlan map statement).&nbsp; I don't see a problem with your configuration except, the missing "ip" in the access-list.</P><P></P><P>Does that make sense?</P><P></P><P>Regards,</P><P></P><P>RA</P></BODY></HTML> Mon, 03 May 2010 16:58:55 GMT https://community.cisco.com/t5/network-security/idsm-traffic-exclusion/m-p/1455586#M67529 Ronald Anthony 2010-05-03T16:58:55Z