08-30-2008 09:24 AM - edited 03-10-2019 04:16 AM
hi,
Three vlans have been assigned to the FWSM i.e. 2 (outside), 3 (DMZ) and 4 (inside).
Now, I would like to perform inline interface mode monitoring on the traffic coming into the FWSM inside interface.
As the FWSM inside interface is logical, how can I configure the IDSM to monitor it?
Rgds
11-21-2008 10:33 PM
Well you have to create another vlan besides VLAN 3, say VLAN 33. Then bridge VLAN 33 and VLAN 3.
The FWSM outside interface will remain in VLAN 3. The next hop device 'outside' the FWSM will be in VLAN 33.
Regards
Farrukh
11-22-2008 03:23 AM
Since the servers on the outside of the FWSM are on VLAN 3, I wouldn't want to move them out to a different VLAN, i.e. 33.
So isn't it possible to have all the servers connected to VLAN 3 (i.e. FWSM outside) as well, and create a logical VLAN 33 and bridge it via the IDSM? However, traffic won't pass VLAN 33 despite the bridge. Will the IDSM inspection work in this scenario?
Thanks
11-22-2008 03:27 AM
If you have servers 'outside' the FWSM, just let all the servers be in the same VLAN, and change the VLAN SVI on the FWSM from 3 to 33. This way you need to make only one change on the FWSM configuration. Then bridge that in the IDSM. Make sure you allow the correct VLANs on the FWSM internal EtherChannel trunk though (on the host 6500 Series switch).
Regards
Farrukh
11-22-2008 06:36 AM
I have included all the vlans in the trunk so it should be ok I believe.
Thanks.
11-22-2008 10:37 PM
You can do this for testing. However, in production it's a best practice to only allow those VLANs on the IDSM/FWSM that are serviced by the modules. Allowing all VLANs on the trunks unnecessarily increases (broadcast) traffic on the modules, which already have limited throughput.
Regards
Farrukh
12-23-2008 10:24 AM
Farrukh,
In reference to your reply, could you please explain what you mean by 'only allow those VLANs on the IDSM/FWSM that are serviced by the modules'? I didn't get this part. On the Ethernet module, let's say there are 20 VLANs. Shouldn't all those 20 VLANs be allowed to pass the trunk between the two Cat6500 switches?
Thanks.
12-23-2008 11:58 PM
That is meant to 'reduce' the flooding (broadcast etc.) and give better utilization of the modules' throughput. If a particular VLAN is not meant to be filtered/scanned using the IDSM/FWSM, filter it out from the trunk. This is true for any trunk.
Regards
Farrukh
12-24-2008 12:08 AM
Hi,
Please specify which trunk you are referring to here. Is it the trunk between the Cat 6500 switches? If so, then how can I segregate the FWSM/IDSM VLANs from the VLANs trunked between the Cat6500s?
12-24-2008 12:28 AM
Internally the modules are trunked to the Cat6k switch. What VLANs go to this trunk are controlled via the 'intrusion-detection' command. This is the 'show interface trunk' output from a switch having IDSM modules in slots 5 and 6 (with intra-chassis redundancy):
Po5 on 802.1q trunking 1
Po6 on 802.1q trunking 1
.....
Port Vlans allowed on trunk
Po5 100-105
Po6 170,180
Regards
Farrukh
12-24-2008 02:15 AM
Do you mean a logical trunk on the IDSM?
12-24-2008 02:28 AM
In my case, I have all the VLANs on the same trunk. But why do the IDSM VLANs need to be trunked, since IDSM failover is dependent on the FWSM failover? Hence the IDSM cannot be active on one switch while the FWSM is active on the other. Am I right?
Is a configuration required for the intra-chassis trunk?
12-24-2008 05:05 AM
Yes, you are correct. The IDSM that is active is dependent on the FWSM's active status. For intra-chassis failover (requiring two or more IDSM-2 blades) you need to group the data ports of the different blades into EtherChannel groups. I can give you the commands for that in case you need them.
When you use Inline VLAN Pair mode on the IDSM-2, the 'logical' interfaces connecting the IDSM-2 to the core switch behave as trunks, to facilitate the multiple sub-interfaces (VLAN pairs). These interfaces are Gig x/7 and Gig x/8, where 'x' is the module number.
Regards
Farrukh
12-24-2008 07:58 AM
So if I had two IDSMs in slots 6 & 7, would the following ports be part of the same trunk after the necessary configuration is done?
Gig 6/7, Gig 6/8, Gig 7/7, Gig 7/8
Another query related to traffic scanned by the IDSM. Within the AIP-SSM there is a facility to select traffic via an access-list. Is there anything similar in the IDSM? I would like to inspect selected traffic (one-way only) via the IDSM.
Regards
12-25-2008 12:06 AM
Gig 6/7 and 7/7 will be part of the same EtherChannel 'group', and ports 6/8 and 7/8 will be part of another EtherChannel 'group'.
The switch will use src-dst-ip based hashing to load balance between the two IDSMs.
You can use the vlan capture method to send selective traffic in a similar way I guess.
But the IPS will no longer be 'inline' it will be in promiscuous mode.
Regards
Farrukh
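The pieces discussed in this thread (bridging the servers' VLAN 3 to a new VLAN 33 through the IDSM-2 in inline VLAN pair mode, moving the FWSM interface to VLAN 33, restricting the modules' internal trunks to the VLANs they actually service, and grouping the data ports of the two IDSM-2 blades into EtherChannels) assembled into one configuration. This is an added example, not configuration posted by any participant in the thread and not taken from Cisco documentation. Assumptions: the FWSM is in slot 3, the IDSM-2 blades are in slots 6 and 7 (as the asker describes), VLAN 33 is the new FWSM-side VLAN, data-port 1 of the module maps to the sensor's GigabitEthernet0/7, the sensor hostname is 'idsm-a', and the sensor runs an IPS 6.x-style CLI. The two parts are entered on different devices (the host switch and the sensor itself) and are not one pasteable file.

```cisco
! ===== Part 1: host Catalyst 6500 (IOS) =====
! Slot numbers and VLAN 33 are assumptions for this example.

! New VLAN that sits on the FWSM side of the IDSM bridge. The servers stay in VLAN 3.
vlan 33
 name fwsm-outside-idsm-side

! FWSM keeps its other VLANs; its 'outside' interface now lives in VLAN 33 instead of 3.
firewall vlan-group 1 2,33,4
firewall module 3 vlan-group 1

! Only the VLANs the sensor services are allowed on its internal trunk, per the
! best practice above (not 'all VLANs'). Both halves of an inline VLAN pair must be
! allowed on the same data port. Repeated for the second blade in slot 7.
intrusion-detection module 6 data-port 1 trunk allowed-vlan 3,33
intrusion-detection module 7 data-port 1 trunk allowed-vlan 3,33

! Intra-chassis redundancy: data-port 1 of both blades joins one EtherChannel group,
! and the switch hashes flows across the two sensors on source/destination IP.
intrusion-detection module 6 data-port 1 channel-group 1
intrusion-detection module 7 data-port 1 channel-group 1
port-channel load-balance src-dst-ip

! Verification (same command whose output is quoted earlier in the thread): the
! 'Vlans allowed on trunk' column for the module port-channel should list only 3,33.
! show interface trunk
! show etherchannel summary

! ===== Part 2: IDSM-2 sensor CLI ('idsm-a' is an assumed hostname) =====
! The pair below is what makes VLAN 3 and VLAN 33 one bridged segment through the sensor.
idsm-a# configure terminal
idsm-a(config)# service interface
idsm-a(config-int)# physical-interfaces GigabitEthernet0/7
idsm-a(config-int-phy)# admin-state enabled
idsm-a(config-int-phy)# subinterface-type inline-vlan-pair
idsm-a(config-int-phy-inl)# subinterface 1
idsm-a(config-int-phy-inl-sub)# description servers VLAN 3 <-> FWSM outside VLAN 33
idsm-a(config-int-phy-inl-sub)# vlan1 3
idsm-a(config-int-phy-inl-sub)# vlan2 33
idsm-a(config-int-phy-inl-sub)# exit
idsm-a(config-int-phy-inl)# exit
idsm-a(config-int-phy)# exit
idsm-a(config-int)# exit
Apply Changes?[yes]: yes

! Assign the new pair to the virtual sensor so it is actually inspected.
idsm-a(config)# service analysis-engine
idsm-a(config-ana)# virtual-sensor vs0
idsm-a(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
idsm-a(config-ana-vir)# exit
idsm-a(config-ana)# exit
Apply Changes?[yes]: yes
```

Note that with the pair in place the sensor is the only path between VLAN 3 and VLAN 33, so the sensor's failure behaviour (and the second blade in the EtherChannel) decides whether the FWSM outside segment stays reachable when one IDSM-2 goes down. The `!` lines in Part 2 are explanatory only; the sensor CLI does not accept them as comments.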