Re: Changing from Promiscuous mode to In-Line mode

t.clark · ‎08-13-2007

I want to put the ISDM "in-line" between my internet edge router and my firewall (FWSM which is in the same chassis as the IDSM). In order to have traffic flow from the internet edge router into the IDSM, then out of the IDSM to the FWSM, I will need to set the IDSM interfaces in the appropriate VLANs. I cannot find the procedure for doing this in the documentation.

cmarsteller · ‎08-17-2007

Hope this helps. We run ECLB with inline vlan pair mode. Heres a link to the manual and a link to my orginally posted question, that I figured out.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1051502

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf32c9

mherald · ‎08-20-2007

There is very little real documentation (that I have found) that covers this real well.

What I have found to work, think of it this way. Use two separate VLANs, VLAN 10 and VLAN 11 for example. Use the same IP address range over these two VLANs. Put the router in VLAN 10 and the firewall interface in VLAN 11 (or vice versa).

Then configure the IDSM two utilize the two VLANs as a VLAN pair. The only way those two interfaces can communicate (as they are on separate VLANs) is through the IPS module. The IPS module will bridge the two speparate VLANs with the Virtual Sensor Interface.

If there are hosts in the same VLAN, that will not traverse the IPS, but if the interfaces are in separate VLANS 10 and 11 in this example, they will traverse the IPS or any traffic that traverses this connection.

I hope this helps,

Mike

mherald · ‎08-20-2007

The idea above works in general, but there is a bit of a difference with hybrid vs IOS configurations.

The above post works for hybrid fairly well.

With IOS, there are some intrusion commands (3 or 4 of them) that are pretty self explainitory.

I dont have access to either chassis right now to send you a working Cat config.