Re: How can IDSM monitor FWSM interface

Well, you have to create another VLAN besides VLAN 3, say VLAN 33. Then bridge VLAN 33 and VLAN 3.

The FWSM outside interface will remain in VLAN 3. The next hop device 'outside' the FWSM will be in VLAN 33.

Regards

Farrukh

Beginner

Re: How can IDSM monitor FWSM interface

Since the servers on the outside of the FWSM are on VLAN 3, I wouldn't want to move them out to a different VLAN, i.e. 33.

So isn't it possible to have all the servers connected to VLAN 3 (i.e. FWSM outside) as well, and create a logical VLAN 33 and bridge it via the IDSM? However, traffic won't pass VLAN 33 despite the bridge. Will the IDSM inspection work in this scenario?

Thanks

Re: How can IDSM monitor FWSM interface

If you have servers 'outside' the FWSM, just let all the servers be in the same VLAN, and change the VLAN SVI on the FWSM from 3 to 33. This way you need to make only one change on the FWSM configuration. Then bridge that in the IDSM. Make sure you allow the correct VLANs on the FWSM internal EtherChannel trunk though (on the host 6500 Series switch).

Regards

Farrukh

Beginner

Re: How can IDSM monitor FWSM interface

I have included all the VLANs in the trunk, so it should be OK, I believe.

Thanks.

Re: How can IDSM monitor FWSM interface

You can do this for testing. However, in production it's a best practice to only allow those VLANs on the IDSM/FWSM that are serviced by the modules. Allowing all VLANs on the trunks unnecessarily increases (broadcast) traffic on the modules, which already have limited throughput.

Regards

Farrukh

Beginner

Re: How can IDSM monitor FWSM interface

Farrukh,

In reference to your reply, could you please explain what you mean by 'only allow those VLANs on the IDSM/FWSM that are serviced by the modules'? I didn't get this part. On the Ethernet module, let's say there are 20 VLANs. Shouldn't all those 20 VLANs be allowed to pass the trunk between the two Cat6500 switches?

Thanks.

Re: How can IDSM monitor FWSM interface

That is meant to 'reduce' the flooding (broadcast etc.) and to make better use of the modules' throughput. If a particular VLAN is not meant to be filtered/scanned using the IDSM/FWSM, filter it out from the trunk. This is true for any trunk.

Regards

Farrukh

Beginner

Re: How can IDSM monitor FWSM interface

Hi,

Please specify which trunk you are referring to here. Is it the trunk between the Cat6500 switches? If so, then how can I segregate the FWSM/IDSM VLANs from the VLANs trunked between the Cat6500s?

Re: How can IDSM monitor FWSM interface

Internally the modules are trunked to the Cat6k switch. Which VLANs go to this trunk is controlled via the 'intrusion-detection' command. This is the 'show interface trunk' output from a switch having IDSM modules in slots 5 and 6 (with intra-chassis redundancy):

    Po5         on           802.1q         trunking      1
    Po6         on           802.1q         trunking      1
    .....
    Port        Vlans allowed on trunk
    Po5         100-105
    Po6         170,180

Regards

Farrukh
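A small audit for the pruning advice in this thread, added here as an example and not taken from the thread: it parses the 'Vlans allowed on trunk' section of `show interface trunk` and reports VLANs trunked to a module port-channel beyond those the module services. The sample output and the serviced-VLAN sets are constructed assumptions.

```python
# Constructed sample of `show interface trunk`; the Po5/Po6 lines mirror the
# thread's output, with VLANs 200-202 added to Po6 so the audit has a finding.
SAMPLE_SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Po5         on           802.1q         trunking      1
Po6         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po5         100-105
Po6         170,180,200-202

Port        Vlans allowed and active in management domain
Po5         100-105
Po6         170,180,200-202
"""

# Assumed: the VLANs each module's internal trunk is actually meant to carry.
SERVICED_VLANS = {"Po5": set(range(100, 106)), "Po6": {170, 180}}

def expand_vlan_list(spec):
    """Expand a Cisco VLAN list such as '170,180,200-202' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans

def parse_allowed_vlans(output):
    """Return {port: set(vlans)} from the 'Vlans allowed on trunk' section only."""
    allowed, in_section = {}, False
    for line in output.splitlines():
        if line.startswith("Port"):  # each column header opens a new section
            in_section = "Vlans allowed on trunk" in line
            continue
        parts = line.split()
        if in_section and len(parts) == 2:
            allowed[parts[0]] = expand_vlan_list(parts[1])
    return allowed

def excess_vlans(output, serviced):
    """VLANs trunked to each audited port-channel that its module does not service."""
    allowed = parse_allowed_vlans(output)
    return {p: sorted(allowed.get(p, set()) - v) for p, v in serviced.items()}

print(excess_vlans(SAMPLE_SHOW_TRUNK, SERVICED_VLANS))
```

Any VLAN listed in the result is a candidate for removal from that module's allowed-VLAN list, which is exactly the trimming the thread recommends for production.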

Beginner

Re: How can IDSM monitor FWSM interface

Do you mean a logical trunk on the IDSM?

Beginner

Re: How can IDSM monitor FWSM interface

In my case, I have all the VLANs on the same trunk. But why do the IDSM VLANs need to be trunked, since IDSM failover is dependent on the FWSM failover? Hence the IDSM cannot be active on one switch while the FWSM is active on the other. Am I right?

Is a configuration required for the intra-chassis trunk?

Re: How can IDSM monitor FWSM interface

Yes, you are correct. The IDSM that is active is dependent on the FWSM's active status. For intra-chassis failover (requiring two or more IDSM-2 blades) you need to group the data ports of the different blades into EtherChannel groups. I can give you the commands for that in case you need them.

When you use Inline VLAN Pair mode on the IDSM-2, the 'logical' interfaces connecting the IDSM-2 to the core switch behave as trunks, to facilitate the multiple sub-interfaces (VLAN pairs). These interfaces are Gig x/7 and Gig x/8, where 'x' is the module number.

Regards

Farrukh

Beginner

Re: How can IDSM monitor FWSM interface

So if I had two IDSMs in slots 6 & 7, would the following ports be part of the same trunk after the necessary configuration is done?

Gig 6/7, Gig 6/8, Gig 7/7, Gig 7/8

Another query related to traffic scanned by the IDSM. Within the AIP-SSM there is a facility to select traffic via an access-list. Is there anything similar in the IDSM? I would like to inspect selected traffic (one-way only) via the IDSM.

Regards

Re: How can IDSM monitor FWSM interface

Gig 6/7 and 7/7 will be part of the same EtherChannel 'group', and ports 6/8 and 7/8 will be part of another EtherChannel 'group'.

The switch will use src-dst-ip based hashing to load balance between the two IDSMs.

You can use the VLAN capture method to send selective traffic in a similar way, I guess.

But the IPS will no longer be 'inline'; it will be in promiscuous mode.

Regards

Farrukh
