08-30-2008 09:24 AM - edited 03-10-2019 04:16 AM
hi,
Three vlans have been assigned to the FWSM i.e. 2 (outside), 3 (DMZ) and 4 (inside).
Now, I would like to perform inline interface mode monitoring on the traffic coming into the FWSM inside interface.
As the FWSM inside interface is logical, how can I configure the IDSM to monitor it?
Rgds
11-22-2008 03:27 AM
If you have servers 'outside' the FWSM, just let all the servers be in the same VLAN, and change the VLAN SVI on the FWSM from 3 to 33. This way you need to make only one change on the FWSM configuration. Then bridge that in the IDSM. Make sure you allow the correct VLANs on the FWSM internal etherchannel trunk though (on the host 6500 Series Switch).
Regards
Farrukh
08-30-2008 10:23 AM
Basically you will create a separate VLAN for the user/server-connected ports, say 150, and you will create a corresponding logical interface on the FWSM, say int vlan 750.
Then the IDSM will BRIDGE between these two VLANs; both VLANs will be sharing the same subnet.
Please have a look at this post for more details:
Please rate the post if you find it helpful.
Regards
Farrukh
08-30-2008 11:53 AM
So in my example, if I need to monitor the inside interface, say VLAN2 on the FWSM, which has servers connected to it via the Ethernet module, what will the inline interface mode configuration be like?
1. Will I have to designate the data ports on the cat6500 such as
router(config)# intrusion-detection module 13 data-port 1 access-vlan 661
router(config)# intrusion-detection module 13 data-port 2 access-vlan 662
What do the above commands really do?
2. Will I have to define a VLAN access-map with a VLAN filter?
3. Can I configure it to just inspect the traffic once and only on one interface (i.e. inside)?
Please provide an example with VLAN2 as the inside interface of the FWSM to which the servers are connected. Is inline interface mode preferred over inline VLAN mode?
Thanks.
08-30-2008 12:12 PM
My discussion was assuming you were going to use the 'Inline VLAN Pair' mode and not the 'Inline Interface Pair'.
Here is an example of the latter:
To answer your questions:
1) Yes, in 'Inline Interface Pair' you have to use two interfaces on the sensor/IDSM. This is not really recommended for the IDSM because you only have two interfaces (gig x/7 and gig x/8). These two interfaces have to be assigned access VLANs (different from each other).
2) This is used for 'promiscuous mode' and not inline mode.
3) I don't get your question, sorry.
Here is a brief difference between the two:
Regards
Farrukh
08-30-2008 01:49 PM
Ok. I would like to go for inline VLAN pair mode.
Questions:
1) So my first configuration would be at the switch i.e.
router# show run | include intrusion-detection
intrusion-detection module 13 management-port access-vlan 147
intrusion-detection module 13 data-port 1 trunk allowed-vlan 661,662
Please specify what the data ports refer to. Secondly, in my example I need to monitor the inside interface of the FWSM, i.e. VLAN2; so what would the trunk allowed-vlan be in my case?
2) On the IDSM, after 'service interface', how come 'physical-interfaces ?' shows GiEth0/0 through 0/3? Isn't it true that the IDSM has 8 internal ports, of which 7 & 8 are sensing ports? Why don't I see 7 & 8 in the physical interfaces?
3) So now, to monitor the inside of the FWSM, will a single physical interface on the IDSM be sufficient?
4) In the subinterface configuration,
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 52
sensor(config-int-phy-inl-sub)# vlan2 53
What are vlan1 & vlan2? And what are 52 and 53? And what is the connection/relation between these pairs and the switch trunk allowed-vlan 661,662?
Please explain to assist me in putting all of these things together. I am not able to decipher what all this pairing is for to monitor the inside of the FWSM (as in my example).
Thanks.
08-30-2008 06:27 PM
First of all this is an Inline Vlan Pair example:
1) access-vlan for the management port is obvious from the command syntax. The other two VLANs should actually be VLAN 2 and then the NEW VLAN you will create to bridge this new VLAN. Call it VLAN 72. One will exist on the ports facing the servers etc. (say VLAN 72) and VLAN 2 will be a virtual interface on the FWSM. Both VLANs will be part of the *same* subnet.
Data ports gig x/7 and gig x/8 are the TWO sensing interfaces on the IDSM.
2) The IDSM has no physical interfaces, so don't worry about this too much.
3) Yes, a single interface will be sufficient; once again it's NOT a physical interface :). With inline VLAN pair you can monitor multiple VLANs on the same IDSM port; you just need to allow them on the switch like you did for VLANs 661 and 662. Then add another sub-interface on the IDSM interface for the two new VLANs.
4) Now these should be the SAME as you allowed on the trunk, e.g. 2 and 72. The sub-interface number can be anything.
Once you form the sub-interface pair you need to assign it to the virtual sensor.
Regards
Farrukh
08-31-2008 03:31 AM
Ok. Going by the given example it says
Specify an interface:
sensor(config-int)#physical-interfaces GigabitEthernet0/2
Add the interface to the virtual-sensor:
sensor(config-ana-vir)#physical-interface GigabitEthernet0/2 subinterface-number 1
whereas you stated to ignore the physical interface. How can I understand the above?
In my scenario, the incoming traffic from the router gets directed to the inside of the FWSM. Hence, the traffic would be passing the FWSM inside VLAN, i.e. VLAN2. What is the second VLAN I need to mention as the pair, as there are no servers connected to it? The router's Ethernet is connected to VLAN2 on the Ethernet module and is hence on the same subnet as the FWSM inside.
08-31-2008 04:05 AM
By ignore I meant in the show command of the document. I'm pasting the show interfaces brief from a live IDSM-2 for your increased understanding:
AVD# show interfaces brief
CC Interface Sensing State Link Inline Mode Pair Status
* GigabitEthernet0/2 Disabled Up
GigabitEthernet0/7 Enabled Up Inline-vlan-pair N/A
GigabitEthernet0/8 Enabled Up Inline-vlan-pair N/A
If you need to introduce the IDSM between the router and the FWSM, you need to change the VLAN either on the ROUTER or on the FWSM and let the IDSM bridge the two VLANs. You have to change one!
Regards
Farrukh
08-31-2008 05:11 AM
Let's say the inside on the FWSM is 10.0.0.1/24 (VLAN2). Now I should create another VLAN, e.g. VLAN72, encompassing the router Ethernet port 10.0.0.2/24 (same subnet). If so, then how will the traffic be routed between these two VLANs? Is it via the bridged VLAN on the IDSM, e.g.
sensor(config-int-phy)#subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)#subinterface 1
sensor(config-int-phy-inl-sub)#vlan1 2
sensor(config-int-phy-inl-sub)#vlan2 72
Secondly, do I have to assign a single physical-interface GigabitEthernet from the range 0-3?
I think I am getting close.
Thanks.
08-31-2008 06:32 AM
Yes, the IDSM will BRIDGE the two VLANs; there will be no ROUTING here as both VLANs will be in the same subnet.
You will assign the sub-interface 1 you created to vs0 (the virtual sensor). For each new sub-interface you add (to a physical interface) you need to go and add that to the virtual sensor.
Just use the GUI, it will make it all very intuitive.
Regards
Farrukh
08-31-2008 05:38 PM
Farrukh,
In this scenario, will the traffic be inspected one-way only on the inside interface, or the outgoing traffic as well?
How is the other option enabled?
Rgds.
08-31-2008 06:40 PM
You mean Router >> FW Inside and FW Inside >> Router, both ways? YES both will be inspected.
Regards
Farrukh
08-31-2008 07:59 PM
Ok. So how can I restrict it to one way only, i.e. Router -> FW Inside?
Thanks.
08-31-2008 11:48 PM
To my knowledge you cannot, and WHY would you?
Regards
Farrukh
11-21-2008 11:02 AM
hi,
Going back to this topic, the requirement has changed. The traffic from FWSM outside to inside needs to be inspected. I have already assigned an interface on the FWSM inside and connected the servers to it. Now which VLANs should I bridge for this purpose? Let's say VLAN 2 is inside and VLAN 3 is outside.
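The inline VLAN pair design worked out in this thread, written out end to end as an added example (it is not configuration posted by any of the participants): sub-interface 1 is the inside pair VLAN 2/72 from the 08-30-2008 06:27 PM and 08-31-2008 06:32 AM replies, and sub-interface 2 is the outside pair VLAN 3/33 from Farrukh's 11-22-2008 reply, where the FWSM outside SVI moves to 33 and the outside hosts stay in 3. Assumed, not from the thread: the FWSM sits in slot 4, data-port 1 maps to sensing interface GigabitEthernet0/7, the router hangs off GigabitEthernet1/1, FWSM 3.x interface syntax, and the placeholder outside address.

```cisco
! ===== Catalyst 6500 (Native IOS), IDSM-2 in slot 13, FWSM in slot 4 (assumed) =====
router(config)# vlan 33
router(config-vlan)# exit
router(config)# vlan 72
router(config-vlan)# exit
! FWSM keeps 2 (inside) and 4 (DMZ); outside SVI becomes 33. VLAN 3 must NOT be
! in the group, or the FWSM and the IDSM would both join 3 and 33 and form a loop.
router(config)# firewall vlan-group 1 2,4,33
router(config)# firewall module 4 vlan-group 1
! Router-facing port moves to VLAN 72; VLAN 2 stays on the FWSM, same subnet 10.0.0.0/24.
router(config)# interface GigabitEthernet1/1
router(config-if)# switchport access vlan 72
router(config-if)# exit
! Both halves of every pair must be allowed on the sensing port (data-port 1 = Gi0/7, assumed).
router(config)# intrusion-detection module 13 data-port 1 trunk allowed-vlan 2,3,33,72

! ===== FWSM: outside interface re-created on VLAN 33 after clearing nameif/ip on Vlan3 =====
FWSM(config)# interface Vlan33
FWSM(config-if)# nameif outside
FWSM(config-if)# security-level 0
FWSM(config-if)# ip address <outside-ip> <mask>
FWSM(config-if)# exit

! ===== IDSM-2 sensor CLI: one physical sensing port, two inline VLAN pairs =====
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 2
sensor(config-int-phy-inl-sub)# vlan2 72
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 2
sensor(config-int-phy-inl-sub)# vlan1 3
sensor(config-int-phy-inl-sub)# vlan2 33
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! A pair bridges (and inspects) nothing until it is assigned to the virtual sensor.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 2
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
! Verify with "show interfaces brief": Gi0/7 should show Enabled / Up / Inline-vlan-pair.
```

Traffic in each pair is inspected in both directions, as stated in the thread; if only the outside-to-inside requirement remains, drop sub-interface 1, move the router port back to VLAN 2, and trim the trunk allowed-vlan list to 3,33.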