cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

992
Views
0
Helpful
4
Replies
scottmcgillivray
Beginner

IDSM-2 not blocking traffic traffic when using inline vlan pair

Hi,

I am trying to setup a new vlan pair on a IDSM-2 module but when i add some rules to intentionally block traffic to test the flow of traffic it isn't blocking traffic as expected.

I have a server that lives in VLAN 20 and I've configured VLAN21 on the FWSM and it's interface address is the default gateway for the server in VLAN 20. I've setup a VLAN pair on the IDSM-2 module to bridge these VLANs.

The 6500 has the uplinks to our ISP and routes are on the msfc to send traffic to the fwsm. As i see it, traffic flows in to the msfc, routed to fwsm where it lands on interface VLAN 21 and screened then if permitted the fwsm will arp for the server in VLAN 20 IP which will go back up the FWSM->MSFC trunk and over the bridged IPS pair to VLAN 20 and on to the servers port.

so flow of traffic is Internet-->msfc-->fwsm-->msfc-->ips-->msfc-->server.

Based on this config, traffic does appear to flow via the IPS ok. If I setup a continuous ping and remove the vlan pair then traffic to the servers is broken, and if i enable IP Logging i can see the ICMP traffic being logged. But if i add a ‘host block’ or ‘denied attacker’ entry, i can see the traffic count interment in IME but the traffic isn't blocked. Same thing with the polices, if i enable the ICMP echo reply/request rule and set it to block the connection.. it still doesnt block the traffic.

Based on this setup can anyone see a reason why traffic that appears to be flowing through the IDSM isn't being blocked by any of the rules?

thanks

Scott

4 REPLIES 4
rhermes
Rising star

You didn;t mention what signatures you're using to test droppping. Have you tried 2004 ICMP Reply yet?

- Bob

Hi Bob,

Yes i tried the 2004 ICMP Reply and the ICMP Request as well as creating me own Sig which just blocked all ICMP. I changed the prioty to HIGH so it showed up in the logs more clear and i set various actions in an attempt to make it block but again while it showed up in the log as HIGH priority and signature 2004 it didn't actually block the traffic. I tried the same for HTTP traffic with a custom sig that blocked TCP port 80 to no avail.

I originally did have data port 1 working in promiscous mode with a few vlans getting sent to the IDSM but i've stripped all config on the 6500 to the management vlan and to trunk vlan 20 and 21.

intrusion-detection module 4 data-port 2 trunk  allowed-vlan 20,21

So i'm still scratching my head as to why it looks like it’s passing traffic and identifying traffic according to rules/signatures but failing to block traffic inline. I found this  link https://cisco-support.hosted.jivesoftware.com/docs/DOC-12206 which suggests it’s all setup fine so i'm not sure what i'm doing wrong.

I don't have any block/routers setup in the IDSM config to enable the MSFC/fwsm to add a ACL/shun for traffic but i thought the IDSM should still be able to block traffic inline on its own.

thanks

Scott

Hi Scott,

Do you have any event action filters configured on the IDSM? Please attach the output of show config from the sensor after getting rid of all the sensitive information.

Regards,

Prapanch

haivrajesh
Beginner


Hi,

First create the interface fair(inline) then

Assign the Inline pair inline to the Virtual Sensor vs0

now check it will work.

Rajeswar