Solved: Re: IDSM EtherChannel Question - Page 2

jcrussell · ‎10-24-2008

In the config guide for the IDSM, it states:

To make sure that the same traffic is assigned to the two data ports on each IDSM-2, you must assign the

same EtherChannel index to both data ports on each of the IDSM-2s even though they are in different

EtherChannel groups.

Can anyone tell me how to change the EtherChannel index? I have successfully assigned the data ports to a port channel, but I cannot figure out how to change the EtherChannel index.

Farrukh Haroon · ‎11-04-2008

Technically the same source/dest pair should be served by the same IPS if the network has everything configured properly. It seems you have assymetric routing, can you post the output of:

show etherchannel load-balance

Regards

Farrukh

jcrussell · ‎11-04-2008

SW1 (the one that seems to be load balancing properly)

SW1#sh etherchannel load-balance

EtherChannel Load-Balancing Configuration:

src-dst-ip enhanced

mpls label-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:

Non-IP: Source XOR Destination MAC address

IPv4: Source XOR Destination IP address

IPv6: Source XOR Destination IP address

MPLS: Label or IP

SW2 (the one that seems to not be load balancing properly)

SW2#sh etherchannel load-balance

EtherChannel Load-Balancing Configuration:

src-dst-ip enhanced

mpls label-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:

Non-IP: Source XOR Destination MAC address

IPv4: Source XOR Destination IP address

IPv6: Source XOR Destination IP address

MPLS: Label or IP

Farrukh Haroon · ‎11-04-2008

What are you inline normalizer settings in the virtual sensor?

Regards

Farrukh

jcrussell · ‎11-04-2008

My Inline TCP Session Tracking Mode is Interface and VLAN.

My Normalizer Mode is Strict Evasion Protection.

You think the Normalizer should be in Asymmetric Mode Protection?

Farrukh Haroon · ‎11-04-2008

Yes that would be worth a try (At least to test if it does the trick).

Regards

Farrukh

jcrussell · ‎11-11-2008

Ok, way late update. Asymmetric mode works. I have a TAC case open, and they have moved it from the security team to the switching team, ad they think it is a load balancing issue, not an IDSM issue. :(

Farrukh Haroon · ‎11-13-2008

Ok thats great, keep us posted :)

Regards

Farrukh

jcrussell · ‎11-18-2008

Ok, another update. I have been working with TAC for a while now. I had 3 total TAC engineers on a WebEx session doing ELAM superman captures on the switch. We observed traffic from A to B selecting one interface in the EtherChannel, but traffic from B to A selects the other interface in the EtherChannel. So they are going to get together back there in RTP and work out a solution. In other words, I am still not inspecting traffic. :(

Farrukh Haroon · ‎11-18-2008

Thanks for the update. Must be something wrong with their EC hashing or spanning tree I guess.

Regards

Farrukh

jcrussell · ‎11-26-2008

Well, here's another update. It's a bug. :D

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv98001

Farrukh Haroon · ‎11-26-2008

Thanks for the update.

Pretty cryptic description written by the TAC engineer tough.

Regards

Farrukh