Well, you have to create another VLAN besides VLAN 3, say VLAN 33. Then bridge VLAN 33 and VLAN 3.
The FWSM outside interface will remain in VLAN 3. The next hop device 'outside' the FWSM will be in VLAN 33.
Since the servers on the outside of the FWSM are on VLAN 3, I wouldn't want to move them out to a different VLAN, i.e. 33.
So isn't it possible to have all the servers connected to VLAN 3, i.e. FWSM outside as well, and create a logical VLAN 33 and bridge it via IDSM? However, traffic won't pass VLAN 33 despite the bridge. Will the IDSM inspection work in this scenario?
If you have servers 'outside' the FWSM, just let all the servers be in the same VLAN, and change the VLAN SVI on the FWSM from 3 to 33. This way you need to make only one change on the FWSM configuration. Then bridge that in the IDSM. Make sure you allow the correct VLANs on the FWSM internal EtherChannel trunk though (on the host 6500 Series switch).
You can do this for testing. However, in production it's a best practice to only allow those VLANs on the IDSM/FWSM that are serviced by the modules. Allowing all trunks unnecessarily increases (broadcast) traffic on the modules, which already have limited throughput.
In reference to your reply, could you please explain what you mean by 'only allow those VLANs on the IDSM/FWSM that are serviced by the modules'? I didn't get this part. On the Ethernet module, let's say there are 20 VLANs. Shouldn't all those 20 VLANs be allowed to pass the trunk between the two Cat6500 switches?
That is meant to 'reduce' the flooding (broadcast etc.) and give better utilization of the modules' throughput. If a particular VLAN is not meant to be filtered/scanned using the IDSM/FWSM, filter it out from the trunk. This is true for any trunk.
Please specify which trunk you are referring to here. Is it the trunk between the Cat 6500 switches? If so, then how can I segregate the FWSM/IDSM VLANs from the VLANs trunked between the Cat6500s?
Internally the modules are trunked to the Cat6k switch. Which VLANs go to this trunk is controlled via the 'intrusion-detection' command. This is the 'show interface trunk' output from a switch having IDSM modules in slots 5 and 6 (with intra-chassis redundancy):
Po5 on 802.1q trunking 1
Po6 on 802.1q trunking 1
Port Vlans allowed on trunk
In my case, I have all the VLANs on the same trunk. But why do the IDSM VLANs need to be trunked, since IDSM failover is dependent on the FWSM failover? Hence the IDSM cannot be active on one switch while the FWSM is active on the other. Am I right?
Is a configuration required for the intra-chassis trunk?
Yes, you are correct. The IDSM that is active is dependent on the FWSM's active status. For intra-chassis failover (requiring two or more IDSM-2 blades) you need to group the data ports of the different blades into EtherChannel groups. I can give you the commands for that in case you need them.
When you use Inline VLAN Pair mode on the IDSM-2, the 'logical' interfaces connecting the IDSM-2 to the core switch behave as trunks, to facilitate the multiple sub-interfaces (VLAN pairs). These interfaces are Gig x/7 and Gig x/8, where 'x' is the module number.
So if I had two IDSMs in slots 6 & 7, would the following ports be part of the same trunk after the necessary configuration is done?
Gig 6/7, Gig 6/8, Gig 7/7, Gig 7/8
Another query related to traffic scanned by the IDSM. Within the AIP-SSM there is a facility to select traffic via access-list. Is there anything similar in the IDSM? I would like to inspect selected traffic (one-way only) via the IDSM.
Gig 6/7 and 7/7 will be part of the same EtherChannel 'group', and ports 6/8 and 7/8 will be part of another EtherChannel 'group'.
The switch will use src-dst-ip based hashing to load balance between the two IDSM(s).
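As an added configuration sketch that is not from this thread or its posters: the switch-side and sensor-side commands that put together what the replies above describe. VLANs 3 and 33 and IDSM-2 blades in slots 6 and 7 are taken from the thread; the FWSM slot, the inside VLAN list and the `channel-group` form of the `intrusion-detection` command (from Cisco's EtherChannel load-balancing documentation) are assumptions, so check them against your own IOS and IPS release.

```cisco
! --- Catalyst 6500 supervisor (IOS) ---
! Both bridged VLANs must exist. Give the 6500 no SVI of its own on
! VLAN 3 or 33, otherwise it could route between them and bypass the sensor.
vlan 3
 name Servers-and-FWSM-outside
vlan 33
 name FWSM-outside-SVI
!
! Allow only the VLANs the sensor bridges on the internal trunks
! (Gig x/7 = data-port 1, Gig x/8 = data-port 2), not every VLAN.
intrusion-detection module 6 data-port 1 trunk allowed-vlan 3,33
intrusion-detection module 7 data-port 1 trunk allowed-vlan 3,33
!
! Intra-chassis redundancy: same data-port of each blade in one group
! (6/7+7/7 and 6/8+7/8), hashed on source/destination IP.
! channel-group keyword assumed from the ECLB documentation.
intrusion-detection module 6 data-port 1 channel-group 1
intrusion-detection module 7 data-port 1 channel-group 1
intrusion-detection module 6 data-port 2 channel-group 2
intrusion-detection module 7 data-port 2 channel-group 2
port-channel load-balance src-dst-ip
!
! FWSM outside moves from VLAN 3 to VLAN 33 (the one FWSM-side change).
! FWSM slot 4 and <inside-vlans> are placeholders.
firewall vlan-group 1 33,<inside-vlans>
firewall module 4 vlan-group 1

! --- IDSM-2 sensor CLI: bridge VLAN 3 <-> VLAN 33 inline ---
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description servers VLAN 3 to FWSM outside VLAN 33
sensor(config-int-phy-inl-sub)# vlan1 3
sensor(config-int-phy-inl-sub)# vlan2 33
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
! Assign the pair to a virtual sensor so it is actually inspected.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
```

After applying, `show interface trunk` on the supervisor should list only 3,33 under "Vlans allowed on trunk" for the IDSM port-channels, which is the check for the best-practice point made earlier in the thread.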
You can use the vlan capture method to send selective traffic in a similar way I guess.
But the IPS will no longer be 'inline' it will be in promiscuous mode.