How can IDSM monitor FWSM interface

new_networker
Level 1

hi,

Three vlans have been assigned to the FWSM i.e. 2 (outside), 3 (DMZ) and 4 (inside).

Now, I would like to perform an inline interface mode monitoring on the traffic coming into FWSM inside interface.

As the FWSM inside interface is logical, how can I configure IDSM to monitor it?

Rgds

28 Replies

Well you have to create another vlan besides VLAN 3, say VLAN 33. Then bridge VLAN 33 and VLAN 3.

The FWSM outside interface will remain in VLAN 3. The next hop device 'Outside' the FWSM will be in VLAN 33.

Regards

Farrukh

Since the servers on the outside of FWSM are on VLAN 3 I wouldn't want to move them out to a different VLAN i.e. 33.

So isn't it possible to have all the servers connected to VLAN 3 (i.e. FWSM outside) as well, and create a logical VLAN 33 and bridge it via IDSM? However, traffic won't pass VLAN 33 despite the bridge. Will the IDSM inspection work in this scenario?

Thanks

If you have servers 'outside' the FWSM, just let all the servers be in the same VLAN, and change the VLAN SVI on FWSM from 3 to 33. This way you need to make only one change on the FWSM configuration. Then bridge that in the IDSM. Make sure you allow the correct VLANs on the FWSM internal etherchannel trunk though (on the Host 6500 Series Switch).

Regards

Farrukh

I have included all the vlans in the trunk so it should be ok I believe.

Thanks.

You can do this for testing. However, in production it's a best practice to only allow those VLANs on the IDSM/FWSM that are serviced by the modules. Allowing all trunks unnecessarily increases (broadcast) traffic on the modules, which already have limited throughput.

Regards

Farrukh

Farrukh,

In reference to your reply, could you please explain what you mean by 'only allow those VLANs on the IDSM/FWSM that are serviced by the modules'? I didn't get this part. On the ethernet module, let's say there are 20 VLANs. Shouldn't all those 20 VLANs be allowed to pass the trunk between two Cat6500 switches?

Thanks.

That is meant to 'reduce' the flooding (broadcast etc.) and better utilize the modules' throughput. If a particular VLAN is not meant to be filtered/scanned using IDSM/FWSM, filter it out from the trunk. This is true for any trunk.

Regards

Farrukh

Hi,

Please specify which trunk you are referring to here. Is it the trunk between the Cat 6500 switches? If so, then how can I segregate FWSM/IDSM VLANs from the VLANs trunked between Cat6500?

Internally the modules are trunked to the Cat6k switch. What VLANs go to this trunk are controlled via the 'intrusion-detection' command. This is the 'show interface trunk' output from a switch having IDSM modules in slots 5 and 6 (with intra-chassis redundancy):

Po5    on    802.1q    trunking    1
Po6    on    802.1q    trunking    1
.....
Port   Vlans allowed on trunk
Po5    100-105
Po6    170,180

Regards

Farrukh
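As an added example (not from this thread or from Cisco), a small Python check that parses the 'Vlans allowed on trunk' section of 'show interface trunk' output and flags VLANs allowed on a sensor trunk that no inline VLAN pair on that IDSM-2 actually uses, which is the best practice Farrukh describes above. The sample output and the VLAN pair assignments are constructed for the example.

```python
# Constructed 'show interface trunk' sample (allowed-VLAN sections only) from a
# Catalyst 6500 with IDSM-2 blades in slots 5 and 6; VLAN numbers are made up.
SHOW_INTERFACE_TRUNK = """\
Port        Vlans allowed on trunk
Po5         100-105
Po6         170,180,200

Port        Vlans allowed and active in management domain
Po5         100-105
"""

# Constructed: the inline VLAN pairs each sensor data-port trunk should carry.
IDSM_VLAN_PAIRS = {"Po5": [(100, 101), (102, 103), (104, 105)], "Po6": [(170, 180)]}

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100-105,170,180' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans

def allowed_vlans_by_trunk(output):
    """Return {port: set_of_vlans} from the 'Vlans allowed on trunk' section only."""
    allowed, in_section = {}, False
    for line in output.splitlines():
        if line.startswith("Port"):  # each section starts with a 'Port ...' header
            in_section = "allowed on trunk" in line
            continue
        if in_section and line.strip():
            port, spec = line.split(None, 1)
            allowed[port] = expand_vlans(spec)
    return allowed

def audit_idsm_trunks(output, vlan_pairs):
    """Report VLANs allowed on a sensor trunk that no configured inline pair uses."""
    findings = {}
    for port, allowed in allowed_vlans_by_trunk(output).items():
        paired = {v for pair in vlan_pairs.get(port, []) for v in pair}
        extra = sorted(allowed - paired)
        if extra:
            findings[port] = extra
    return findings
```

Any VLAN reported should be removed from that data-port trunk's allowed list, since it only adds flooding to a blade that is not inspecting it.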

Do you mean a logical trunk on IDSM?

In my case, I have all the VLANs on the same trunk. But why do IDSM VLANs need to be trunked, since IDSM failover is dependent on the FWSM failover? Hence IDSM cannot be active on one switch while the FWSM is active on the other. Am I right?

Is a configuration required for the intra-chassis trunk?

Yes, you are correct. The IDSM that is active is dependent on the FWSM's active status. For intra-chassis failover (requiring two or more IDSM-2 blades) you need to group the data ports of the different blades into EtherChannel groups. I can give you commands for that in case you need them.

When you use Inline VLAN Pair mode on the IDSM-2, the 'logical' interfaces connecting IDSM-2 to the core switch behave as trunks, to facilitate the multiple sub-interfaces (VLAN pairs). These interfaces are Gig x/7 and Gig x/8, where 'x' is the module number.

Regards

Farrukh

So if I had two IDSMs in slots 6 & 7, would the following ports be part of the same trunk after the necessary configuration is done?

Gig 6/7, Gig 6/8, Gig 7/7, Gig 7/8

Another query related to traffic scanned by IDSM. Within AIP-SSM there is a facility to select traffic via access-list. Is there anything similar in IDSM? I would like to inspect selected traffic (one-way only) via IDSM.

Regards

Gig 6/7 and 7/7 will be part of the same EtherChannel 'group', and ports 6/8 and 7/8 will be part of another EtherChannel 'group'.

The switch will use src-dst-ip based hashing to load balance between the two IDSM(s).

You can use the VLAN capture method to send selective traffic in a similar way, I guess.

But the IPS will no longer be 'inline'; it will be in promiscuous mode.

Regards

Farrukh
