cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1528
Views
5
Helpful
3
Replies

IDSM Traffic Exclusion

oqureshi
Level 1
Level 1

Is it possible to exclude traffic which be default goes to IDSM. I have following scenario:

LAN-->IDSM->FWSM-->Server VLAN

IDSM and FWSM are in one single chassis and all the traffic coming from LAN is captured and forwarded to IDSM before it hits FWSM. I need to exclude some traffic that should not get captured and gets forwarded to IDSM but should hit FWSM directly.

Following configuration exist currently:

vlan access-map idsm-map 10

match ip address idsm-acl

action forward captured

access-list ext idsm-acl

10 permit ip any any

I was thinking of doing following for exclusion:

vlan access-map idsm-map 10

match ip address idsm-acl

action forward captured

vlan access-map idsm-map 20

match ip address idsm-acl-1

action forward

access-list ext idsm-acl

1 deny any host 10.1.1.1

10 permit ip any any

access-list ext idsm-acl-1

10 permit ip any host 10.1.1.1

Will later configuration stop any traffic for destination 10.1.1.1 bypass IDSM or is there any other way aroud to achieve this on IDSM itself.

Later

Omair

3 Replies 3

Ronald Anthony
Level 1
Level 1

Hi Omair,

I think you are going about this the correct way.  You don't want to send traffic to the IDSM that is not intended to go through the IDSM.  What you describes sounds good...you will just have to add "ip" to your access-list statement:

access-list ext idsm-acl

1 deny any host 10.1.1.1  --should be 1 deny ip any host 10.1.1.1

10 permit ip any any

The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded.  Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1.  Assuming everything else is correct in your configuration, it should work.

Regards,

RA

I little confuse from your reply as you didnt say anything about second vlan map, below is the final configs that I understand might be correct, please correct me if I am wrong

vlan access-map idsm-map 10

match ip address idsm-acl

action forward captured

vlan access-map idsm-map 20

match ip address idsm-acl-1

action forward

access-list ext idsm-acl

1 deny ip any host 10.1.1.1

10 permit ip any any

access-list ext idsm-acl-1

10 permit ip any host 10.1.1.1

Hi Omair,

Not sure, I understand.  I did discuss the second map statement:

The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded.  Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1.  Assuming everything else is correct in your configuration, it should work.

I am referring to each vlan map statement as "clause".  So, you did this right...the single host traffic won't match the first clause (vlan map) and will proceed to the next clause (vlan map statement).  I don't see a problem with your configuration except, the missing "ip" in the access-list.

Does that make sense?

Regards,

RA

Review Cisco Networking for a $25 gift card