04-28-2010 09:55 PM - edited 03-10-2019 04:58 AM
Is it possible to exclude traffic which by default goes to the IDSM? I have the following scenario:
LAN-->IDSM->FWSM-->Server VLAN
IDSM and FWSM are in one single chassis and all the traffic coming from the LAN is captured and forwarded to the IDSM before it hits the FWSM. I need to exclude some traffic that should not get captured and forwarded to the IDSM but should hit the FWSM directly.
The following configuration exists currently:
vlan access-map idsm-map 10
match ip address idsm-acl
action forward captured
access-list ext idsm-acl
10 permit ip any any
I was thinking of doing the following for the exclusion:
vlan access-map idsm-map 10
match ip address idsm-acl
action forward captured
vlan access-map idsm-map 20
match ip address idsm-acl-1
action forward
access-list ext idsm-acl
1 deny any host 10.1.1.1
10 permit ip any any
access-list ext idsm-acl-1
10 permit ip any host 10.1.1.1
Will the latter configuration make any traffic for destination 10.1.1.1 bypass the IDSM, or is there any other way around this to achieve it on the IDSM itself?
Later
Omair
04-30-2010 12:59 PM
Hi Omair,
I think you are going about this the correct way. You don't want to send traffic to the IDSM that is not intended to go through the IDSM. What you describe sounds good...you will just have to add "ip" to your access-list statement:
access-list ext idsm-acl
1 deny any host 10.1.1.1 --should be 1 deny ip any host 10.1.1.1
10 permit ip any any
The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded. Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1. Assuming everything else is correct in your configuration, it should work.
Regards,
RA
05-01-2010 02:03 AM
I am a little confused by your reply, as you didn't say anything about the second vlan map. Below are the final configs that I understand might be correct; please correct me if I am wrong.
vlan access-map idsm-map 10
match ip address idsm-acl
action forward captured
vlan access-map idsm-map 20
match ip address idsm-acl-1
action forward
access-list ext idsm-acl
1 deny ip any host 10.1.1.1
10 permit ip any any
access-list ext idsm-acl-1
10 permit ip any host 10.1.1.1
05-03-2010 09:58 AM
Hi Omair,
Not sure I understand. I did discuss the second map statement:
The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded. Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1. Assuming everything else is correct in your configuration, it should work.
I am referring to each vlan map statement as "clause". So, you did this right...the single host traffic won't match the first clause (vlan map) and will proceed to the next clause (vlan map statement). I don't see a problem with your configuration except, the missing "ip" in the access-list.
Does that make sense?
Regards,
RA
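The evaluation order RA describes (a deny in the ACL means "no match for this vlan access-map sequence", so the packet falls through to the next sequence, and a packet no sequence permits hits the VACL's implicit deny) can be modelled to check the final configuration in the thread. The script below is an added example, not part of the original thread or a Cisco tool; the ACL grammar it parses is limited to the `permit|deny ip any|host X` forms used above, and the source address 192.0.2.10 is a constructed sample.

```python
import ipaddress

# Constructed model of Cisco VACL evaluation (added example): vlan access-map
# sequences are tried in order; the first sequence whose ACL *permits* the
# packet decides the action. An ACL "deny" is not a drop, it only means the
# packet does not match that sequence. A packet no sequence permits is
# dropped by the implicit deny at the end of the VACL.

def parse_ace(line):
    """Parse an ACE such as '1 deny ip any host 10.1.1.1' (sequence optional)."""
    tok = line.split()
    if tok and tok[0].isdigit():
        tok = tok[1:]
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        # This is exactly what rejects the original "1 deny any host 10.1.1.1":
        # the protocol keyword "ip" is missing.
        raise ValueError("malformed ACE (missing protocol keyword?): " + line)
    action, rest = tok[0], tok[2:]

    def take_addr(t):
        if t[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), t[1:]
        if t[0] == "host":
            return ipaddress.ip_network(t[1] + "/32"), t[2:]
        raise ValueError("unsupported address form: " + " ".join(t))

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    return action, src, dst

def ace_is_valid(line):
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False

def acl_permits(acl, src, dst):
    """First matching ACE decides; deny or no match both mean 'not permitted'."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False

def vacl_action(vmap, acls, src, dst):
    """vmap: list of (sequence, acl_name, action) in sequence order."""
    for _seq, acl_name, action in vmap:
        if acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"  # implicit deny at the end of the VACL

# The final configuration from the thread, with the corrected "ip" keyword.
ACLS = {
    "idsm-acl": [parse_ace("1 deny ip any host 10.1.1.1"),
                 parse_ace("10 permit ip any any")],
    "idsm-acl-1": [parse_ace("10 permit ip any host 10.1.1.1")],
}
IDSM_MAP = [(10, "idsm-acl", "forward captured"), (20, "idsm-acl-1", "forward")]

def classify(dst, vmap=IDSM_MAP, src="192.0.2.10"):
    return vacl_action(vmap, ACLS, ipaddress.ip_address(src), ipaddress.ip_address(dst))
```

Running `classify("10.1.1.1")` gives "forward" (bypasses the IDSM) while any other destination gives "forward captured"; dropping sequence 20 (`classify("10.1.1.1", vmap=IDSM_MAP[:1])`) shows why the second map is needed, because the excluded host would then be dropped rather than forwarded.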