IDSM Traffic Exclusion

oqureshi
Level 1

Is it possible to exclude traffic which by default goes to the IDSM? I have the following scenario:

LAN-->IDSM->FWSM-->Server VLAN

The IDSM and FWSM are in one single chassis, and all the traffic coming from the LAN is captured and forwarded to the IDSM before it hits the FWSM. I need to exclude some traffic so that it does not get captured and forwarded to the IDSM but hits the FWSM directly.

The following configuration exists currently:

vlan access-map idsm-map 10
 match ip address idsm-acl
 action forward captured

access-list ext idsm-acl
 10 permit ip any any

I was thinking of doing the following for the exclusion:

vlan access-map idsm-map 10
 match ip address idsm-acl
 action forward captured
vlan access-map idsm-map 20
 match ip address idsm-acl-1
 action forward

access-list ext idsm-acl
 1 deny any host 10.1.1.1
 10 permit ip any any

access-list ext idsm-acl-1
 10 permit ip any host 10.1.1.1

Will the latter configuration let traffic for destination 10.1.1.1 bypass the IDSM, or is there any other way around to achieve this on the IDSM itself?

Later

Omair

3 Replies

Ronald Anthony
Level 1

Hi Omair,

I think you are going about this the correct way. You don't want to send traffic to the IDSM that is not intended to go through the IDSM. What you describe sounds good...you will just have to add "ip" to your access-list statement:

access-list ext idsm-acl
 1 deny any host 10.1.1.1  --should be 1 deny ip any host 10.1.1.1
 10 permit ip any any

The traffic to 10.1.1.1 will not match this clause and so it won't be captured, but it will match the next clause and be forwarded. Of course, your second access-list could have been "10 permit ip any any" and it would work, since all that should make it to this clause is traffic to 10.1.1.1. Assuming everything else is correct in your configuration, it should work.

Regards,

RA

I am a little confused by your reply, as you didn't say anything about the second vlan map. Below is the final config that I understand might be correct; please correct me if I am wrong.

vlan access-map idsm-map 10
 match ip address idsm-acl
 action forward captured
vlan access-map idsm-map 20
 match ip address idsm-acl-1
 action forward

access-list ext idsm-acl
 1 deny ip any host 10.1.1.1
 10 permit ip any any

access-list ext idsm-acl-1
 10 permit ip any host 10.1.1.1

Hi Omair,

Not sure I understand. I did discuss the second map statement:

The traffic to 10.1.1.1 will not match this clause and so it won't be captured, but it will match the next clause and be forwarded. Of course, your second access-list could have been "10 permit ip any any" and it would work, since all that should make it to this clause is traffic to 10.1.1.1. Assuming everything else is correct in your configuration, it should work.

I am referring to each vlan map statement as a "clause". So, you did this right...the single host traffic won't match the first clause (vlan map) and will proceed to the next clause (vlan map statement). I don't see a problem with your configuration except the missing "ip" in the access-list.

Does that make sense?

Regards,

RA
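To make the clause-by-clause behaviour discussed in this thread concrete, here is a small Python model of how a Catalyst VACL evaluates the two map sequences above. It is an added illustration, not code from the thread or from Cisco; it assumes the IOS rule that a "deny" ACE means "not matched for this clause" (so evaluation moves to the next sequence) and that a packet matching no clause is dropped by the implicit deny at the end of the map. The sample flows and addresses other than 10.1.1.1 are constructed.

```python
# Model of VACL evaluation for the idsm-map design in this thread (constructed example).
from ipaddress import ip_address, ip_network

# An ACE is (action, src_prefix, dst_prefix); "any" is written as 0.0.0.0/0.
def ace_matches(ace, src, dst):
    _, s, d = ace
    return ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)

def acl_permits(acl, src, dst):
    """First-match ACL lookup. For a VACL match clause, a 'deny' hit (or no hit,
    the implicit deny) means the packet does NOT match this map sequence."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace[0] == "permit"
    return False

def vacl_action(vmap, src, dst):
    """Walk the map sequences in numeric order; the first sequence whose ACL
    permits the packet supplies the action. No sequence matches -> dropped."""
    for seq in sorted(vmap):
        acl, action = vmap[seq]
        if acl_permits(acl, src, dst):
            return action
    return "drop"

# ACLs as finally agreed in the thread (with the "ip" keyword in place).
ACLS = {
    "idsm-acl":   [("deny", "0.0.0.0/0", "10.1.1.1/32"),
                   ("permit", "0.0.0.0/0", "0.0.0.0/0")],
    "idsm-acl-1": [("permit", "0.0.0.0/0", "10.1.1.1/32")],
}
# idsm-map: seq 10 captures to the IDSM, seq 20 forwards the excluded host only.
IDSM_MAP = {10: (ACLS["idsm-acl"], "forward capture"),
            20: (ACLS["idsm-acl-1"], "forward")}
# The same map with sequence 20 left out, to show why it is needed.
MAP_WITHOUT_SEQ_20 = {10: IDSM_MAP[10]}

def inspected_by_idsm(vmap, src, dst):
    """True when the flow is copied to the IDSM, i.e. not a monitoring blind spot."""
    return vacl_action(vmap, src, dst) == "forward capture"

if __name__ == "__main__":
    # Constructed LAN sources; 10.1.1.1 is the excluded server from the thread.
    for src, dst in [("192.168.1.10", "10.1.1.1"), ("192.168.1.10", "10.1.1.2")]:
        print(f"{src} -> {dst}: {vacl_action(IDSM_MAP, src, dst)}"
              f" | without seq 20: {vacl_action(MAP_WITHOUT_SEQ_20, src, dst)}")
```

Flows to 10.1.1.1 are forwarded uninspected while everything else is still captured; without sequence 20 the excluded host's traffic would hit the implicit deny and be dropped rather than reach the FWSM.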
