I am trying to set up a new VLAN pair on an IDSM-2 module, but when I add some rules to intentionally block traffic to test the flow of traffic, it isn't blocking traffic as expected.
I have a server that lives in VLAN 20 and I've configured VLAN 21 on the FWSM, and its interface address is the default gateway for the server in VLAN 20. I've set up a VLAN pair on the IDSM-2 module to bridge these VLANs.
The 6500 has the uplinks to our ISP and routes are on the MSFC to send traffic to the FWSM. As I see it, traffic flows in to the MSFC, is routed to the FWSM where it lands on interface VLAN 21 and is screened, then if permitted the FWSM will ARP for the server's IP in VLAN 20, which will go back up the FWSM->MSFC trunk and over the bridged IPS pair to VLAN 20 and on to the server's port.
So the flow of traffic is Internet-->MSFC-->FWSM-->MSFC-->IPS-->MSFC-->server.
Based on this config, traffic does appear to flow via the IPS OK. If I set up a continuous ping and remove the VLAN pair then traffic to the servers is broken, and if I enable IP logging I can see the ICMP traffic being logged. But if I add a 'host block' or 'denied attacker' entry, I can see the traffic count increment in IME but the traffic isn't blocked. Same thing with the policies: if I enable the ICMP echo reply/request rule and set it to block the connection, it still doesn't block the traffic.
Based on this setup, can anyone see a reason why traffic that appears to be flowing through the IDSM isn't being blocked by any of the rules?
Yes, I tried the 2004 ICMP Reply and the ICMP Request as well as creating my own sig which just blocked all ICMP. I changed the priority to HIGH so it showed up in the logs more clearly, and I set various actions in an attempt to make it block, but again, while it showed up in the log as HIGH priority and signature 2004, it didn't actually block the traffic. I tried the same for HTTP traffic with a custom sig that blocked TCP port 80, to no avail.
I originally did have data port 1 working in promiscuous mode with a few VLANs getting sent to the IDSM, but I've stripped all config on the 6500 down to the management VLAN and to trunking VLANs 20 and 21.
intrusion-detection module 4 data-port 2 trunk allowed-vlan 20,21
So I'm still scratching my head as to why it looks like it's passing traffic and identifying traffic according to rules/signatures but failing to block traffic inline. I found this link https://cisco-support.hosted.jivesoftware.com/docs/DOC-12206 which suggests it's all set up fine, so I'm not sure what I'm doing wrong.
I don't have any blocking devices/routers set up in the IDSM config to enable the MSFC/FWSM to add an ACL/shun for traffic, but I thought the IDSM should still be able to block traffic inline on its own.
Do you have any event action filters configured on the IDSM? Please attach the output of show config from the sensor after getting rid of all the sensitive information.