01-17-2011 11:46 AM - edited 03-10-2019 05:14 AM
Hi,
I have a core switch 6509 which includes an IDSM-2. Actually, the core switch handles the traffic between the user VLANs and the server VLAN (VLAN 11).
The user VLANs are VLAN 2, 3, 4, 5, 6 and 7. I need to configure the core switch and IDSM to be inline between the user VLANs and the server farm VLAN to inspect the traffic coming from the users.
As I understand it, I can use the IDSM inline mode between multiple VLANs, but unfortunately my test to drop the ICMP request to the server failed.
Kindly advise whether that is available or whether it should be only in promiscuous mode.
Also, is there any sample of a successful configuration?
My configuration is as below:
Core-SW-RYD#sh run | in intr
intrusion-detection module 9 data-port 1 trunk allowed-vlan 2-7,11
intrusion-detection module 9 data-port 2 trunk allowed-vlan 2-7,11
intrusion-detection module 9 data-port 1 autostate include
intrusion-detection module 9 data-port 2 autostate include
intrusion-detection module 9 data-port 1 portfast 1
intrusion-detection module 9 data-port 2 portfast 1
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi9/2, Gi9/3, Gi9/4, Gi9/5, Gi9/6
2 Food-D-VLAN active
3 Comm-D-VLAN active
4 Emar-D-VLAN active
5 Finance-D-VLAN active
6 Glucose-D-VLAN active
7 IT-D-VLAN active Gi1/3
11 servers-Vlan active Gi1/2, Gi1/4, Gi1/5, Gi1/6, Gi1/7, Gi1/8, Gi1/9, Gi1/10, Gi1/12, Gi1/13
Gi1/14, Gi1/15, Gi1/16, Gi1/17, Gi1/18, Gi1/19, Gi1/20, Gi1/21, Gi1/22
Gi1/23, Gi1/24, Gi1/25, Gi1/26, Gi1/27, Gi1/28, Gi1/29, Gi1/31, Gi1/32
Gi1/33, Gi1/34, Gi1/35, Gi1/36, Gi1/37, Gi1/38, Gi1/39, Gi1/41, Gi1/42
Gi1/43, Gi1/44, Gi1/45, Gi1/46, Gi1/47, Gi1/48, Gi2/10, Gi2/11, Gi2/12
Gi2/13, Gi2/15, Gi2/16, Gi2/18, Gi2/19, Gi2/20, Gi2/21, Gi2/22, Gi2/23
Gi2/24, Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/8, Gi3/9, Gi3/10
Gi3/11, Gi3/12, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19
Gi3/20, Gi3/21, Gi3/22, Gi3/23, Gi3/24
Your support will be highly appreciated.
Best Regards,
Magdy
01-20-2011 01:18 PM
Hi Mohamed.
With inline mode, you can only bridge VLANs in pairs uniquely! So you can only bridge VLAN 11 to another single VLAN. And remember, since they are bridged, that means the 2 VLANs need to have the same IP subnet.
But looking at your requirements, I'm guessing the different VLANs are on different IP subnet ranges.
In that case, you'll need to do promiscuous mode.
However, in promiscuous mode you can only do ACL blocking, and the first packet will pass successfully but will trigger the sensor to configure the router to create an ACL, and further packets will be dropped.
However, if you redesign a bit you can use promiscuous mode. For example, create a new layer 2 VLAN (let's say 14) and move the servers to this VLAN.
You only need to trunk VLAN 11 and VLAN 14 to the IDSM module, then create a single VLAN pair on the IPS which bridges VLAN 11 and VLAN 14. Then configure the signature to drop packets inline. Since now the clients who need to contact the servers need to pass traffic to VLAN 11, and the IDSM is in the middle between VLAN 11 and 14, it should drop pings to the servers.
Regards,
Fadi.
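As an added worked example of the redesign described in the answer above (this is not Fadi's configuration or Cisco's sample, and it is not from the original thread): the switch side keeps VLAN 11 as the routed server gateway, VLAN 14 becomes a pure layer 2 VLAN holding the server ports, only those two VLANs are trunked to IDSM data-port 1, and the sensor bridges them as an inline VLAN pair with the ICMP echo-request signature set to deny inline. Assumptions, noted inline: the IDSM-2 is in slot 9 as in the original output; data-port 1 maps to the sensor interface GigabitEthernet0/7; Gi1/2 is one of the server ports to move; signature 2004/0 is the ICMP Echo Request signature (verify the ID on your sensor); the `bypass-mode auto` line is optional. Lines starting with `!` are annotations for the reader, not commands.

```cisco
! ---- Catalyst 6509 (IOS), IDSM-2 in slot 9 ----
! VLAN 14 is a pure layer 2 VLAN for the server ports and gets no SVI.
! VLAN 11 keeps its interface Vlan11 SVI, which stays the servers' gateway.
vlan 14
 name servers-L2-inspected
!
! Move each server access port from VLAN 11 into VLAN 14 (one port shown).
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 14
!
! Trunk only the two VLANs of the pair to IDSM data-port 1.
! Do not also carry 11 and 14 on data-port 2: a second path between the
! same two VLANs would bridge the pair twice and create a loop.
intrusion-detection module 9 data-port 1 trunk allowed-vlan 11,14
intrusion-detection module 9 data-port 1 autostate include
intrusion-detection module 9 data-port 1 portfast 1
!
! Verify the trunk from the switch.
show interfaces trunk

! ---- IDSM-2 sensor CLI (IPS 6.x/7.x) ----
! data-port 1 is GigabitEthernet0/7 on the sensor (assumed mapping).
configure terminal
service interface
 bypass-mode auto
 physical-interfaces GigabitEthernet0/7
  admin-state enabled
  subinterface-type inline-vlan-pair
   subinterface 1
    vlan1 11
    vlan2 14
    description servers-vlan-pair
    exit
   exit
  exit
 exit
! Attach the pair to the virtual sensor so its traffic is actually inspected.
service analysis-engine
 virtual-sensor vs0
  physical-interface GigabitEthernet0/7 subinterface-number 1
  exit
 exit
! Make the ICMP echo-request signature (assumed 2004/0) deny the packet inline.
service signature-definition sig0
 signatures 2004 0
  status
   enabled true
   exit
  engine atomic-ip
   event-action produce-alert|deny-packet-inline
   exit
  exit
 exit
exit
! Verify from the sensor: the pair should show as an inline VLAN pair,
! and the virtual sensor counters should increment as pings are denied.
show interfaces
show statistics virtual-sensor
```

The sensor prompts "Apply Changes:?[yes]" each time you leave a `service` block; answer yes. `bypass-mode auto` means that if the analysis engine stops, frames are still forwarded between VLAN 11 and 14 instead of the servers going dark; set it to `off` only if you prefer fail-closed behaviour. Since VLAN 11 and 14 are the same IP subnet (they are bridged), the clients' route to the servers does not change; only the server ports' VLAN membership does.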