1398 Views | 0 Helpful | 12 Replies

Traffic is not passing through IDSM-2 module in 6509

Hi,

I have a similar type of issue while configuring the IDSM-2 in inline mode. My scenario is that I want to deploy the IDSM-2 in inline mode between two VLANs (VLAN 20 and VLAN 30). When traffic goes from VLAN 20 to VLAN 30 and vice versa, it should pass through the IDSM-2. I have configured both devices (the 6500 and the IDSM-2 module) according to the Cisco configuration guide, but unfortunately it is not working. I am not getting any logs in the IDSM-2, even with an action configured on the IDSM-2.

For your information and review, I am attaching all the config with IDM snapshots.

Config on the 6509 switch:

intrusion-detection module 1 management-port access-vlan 90
intrusion-detection module 1 data-port 1 access-vlan 20
intrusion-detection module 1 data-port 2 access-vlan 30
!
interface Vlan20
 ip address 10.20.1.1 255.255.255.0
!
interface Vlan30
 ip address 10.30.1.1 255.255.255.0
!
interface Vlan90
 ip address 10.90.1.1 255.255.255.0

Kindly advise.

thanks,

Aman


12 Replies

Roman Rodichev (Level 7)

IDSM is a bridging device

You have configured a different IP subnet on two layer 3 VLAN interfaces. You need to have the same IP subnet on both VLANs (inside IDSM and outside IDSM).

Normally, you will have one Layer 3 VLAN for the first VLAN, and the second VLAN will not have any Layer 3 VLAN interfaces, and that's where you put your servers. The traffic would flow as such:

Server 10.20.1.2 (default gateway 10.20.1.1) --- VLAN 30 --- IDSM --- VLAN 20 --- SVI VLAN 20 10.20.1.1

If you need to pass traffic through IDSM between two L3 SVIs, then you have to put L3 SVIs into two separate VRFs, and both SVIs must be in the same IP subnet.

Hi,

Thanks for the prompt response. Can you please write the config commands that need to be done on the 6500 switch, including the intrusion-detection and SVI commands?

thanks,

Aman

I need to know what traffic you want to inspect. Are you inspecting traffic to/from a group of servers? What VLAN do these servers belong to? User-to-Internet traffic? What VLAN do the users belong to?

Hi,

Actually, I have a server farm VLAN (VLAN 20). I need this VLAN to be inspected when users from different VLANs (for example VLANs 30, 40 and 50) want to access these servers.

Thanks,

Aman

OK, in this case create a new VLAN 21, remove the VLAN 20 SVI and put the IP address on the VLAN 21 SVI instead. Configure the IDSM to bridge from VLAN 20 to VLAN 21. The servers will be in VLAN 20; no hosts will be in VLAN 21 (just the SVI and one side of the IDSM).

vlan 21
vlan 20
!
intrusion-detection module 1 management-port access-vlan 90
intrusion-detection module 1 data-port 1 access-vlan 20
intrusion-detection module 1 data-port 2 access-vlan 21
!
interface Vlan21
 ip address 10.20.1.1 255.255.255.0

And you are probably better off trunking through the IDSM; this way you can add more VLANs to inspect in the future. Also note that when you trunk through the IDSM, both VLANs must be on the same data port.

intrusion-detection module 1 data-port 1 trunk allowed-vlan 20
intrusion-detection module 1 data-port 1 trunk allowed-vlan 21
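Putting Roman's two answers together (the bridging rule in his first reply and the VLAN 20/21 layout in this one), here is a complete configuration for the final design as an added example; it is not from the original thread. The switch half uses only the intrusion-detection commands already shown in the thread plus ordinary VLAN, SVI and access-port configuration, and assumes the IDSM-2 is in slot 1, users sit in VLAN 40 behind an SVI at 10.40.1.1, and one server is on GigabitEthernet2/1. The sensor half assumes IDSM-2 data port 1 is GigabitEthernet0/7 (data port 2 is GigabitEthernet0/8) and uses the IPS 6.x CLI inline-VLAN-pair syntax as I recall it from the Cisco IPS configuration guide, so check it against the guide for your sensor's software version. Lines starting with an exclamation mark are comments in both halves.

```cisco
! ===== Catalyst 6500 (supervisor) side =====
! Added example, not the thread's own config. Assumptions: IDSM-2 in slot 1,
! management VLAN 90, server VLAN 20, "outside" VLAN 21, user VLAN 40.
!
! Design rule from the thread: the IDSM-2 is a bridge, so the two VLANs it
! joins must share ONE IP subnet. VLAN 20 therefore gets NO SVI. The
! 10.20.1.1 gateway lives on VLAN 21, so every packet between the gateway
! and a server has to cross the IDSM-2 to get from VLAN 21 to VLAN 20.
vlan 20
 name SERVERS-INSIDE-IDSM
vlan 21
 name SERVERS-OUTSIDE-IDSM
vlan 40
 name USERS
vlan 90
 name IDSM-MGMT
!
! Deliberately no "interface Vlan20": a second SVI on the inside VLAN would
! let the supervisor route around the sensor, which is what the original
! post's two-subnet layout did.
interface Vlan21
 ip address 10.20.1.1 255.255.255.0
!
interface Vlan40
 ip address 10.40.1.1 255.255.255.0
!
interface Vlan90
 ip address 10.90.1.1 255.255.255.0
!
! Server access ports sit in VLAN 20 only (assumed port).
interface GigabitEthernet2/1
 switchport
 switchport mode access
 switchport access vlan 20
!
! Data port 1 trunks both halves of the pair; data port 2 stays unused.
! User VLANs never touch the module: they reach VLAN 21 via routing.
intrusion-detection module 1 management-port access-vlan 90
intrusion-detection module 1 data-port 1 trunk allowed-vlan 20
intrusion-detection module 1 data-port 1 trunk allowed-vlan 21

! ===== IDSM-2 (sensor) side, reached with "session 1" from the supervisor =====
! Syntax recalled from the IPS 6.x CLI guide (assumption): data port 1 is
! GigabitEthernet0/7 on the IDSM-2.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description Server farm VLAN 20 to VLAN 21
sensor(config-int-phy-inl-sub)# vlan1 20
sensor(config-int-phy-inl-sub)# vlan2 21
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
!
! The pair produces no alerts until a virtual sensor owns it.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
```

The point that is easy to miss is the absence of an SVI on VLAN 20: with the gateway address only on VLAN 21 there is no path from users to servers that does not traverse the sensor, which is exactly what an inline deployment needs and what the original two-subnet configuration lacked.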

Hi,

Thanks a lot, dear friend, I got the answer!!!

Nice talking to you. Can I contact you if I get any issue during deployment?

I have noted your email address from your profile. Kindly confirm.

Thanks,

Aman

That's fine, but you'll probably get an answer here on CSC faster.

Hi,

You mean to say that if I have users in different VLANs (like VLANs 40, 45 and 50-60) accessing the servers in VLAN 20, the config will be:

intrusion-detection module 1 data-port 1 trunk allowed-vlan 20
intrusion-detection module 1 data-port 1 trunk allowed-vlan 21
intrusion-detection module 1 data-port 2 trunk allowed-vlan 40,45,50-60

thanks,

Aman

No. User VLANs don't need to touch IDSM. The traffic flow is:

User in VLAN 40 - VLAN 40 - VLAN 40 L3 SVI - VLAN 21 L3 SVI - VLAN 21 - IDSM - VLAN 20 - Server in VLAN 20

That means the config will remain the same, like:

intrusion-detection module 1 data-port 1 trunk allowed-vlan 20
intrusion-detection module 1 data-port 1 trunk allowed-vlan 21

I will not configure data-port 2 for any purpose. Am I right?

Thanks,

Aman

That's correct, you won't be using data port 2.
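As an added example that is not part of the thread, these are the checks I would run once the VLAN 20/21 design is in place to confirm that traffic really crosses data port 1 rather than being routed or bridged around the sensor, which is the symptom the original post reports. Command syntax is from memory of the Catalyst 6500 native IOS and IPS 6.x CLIs, so verify it on your versions; the slot number, GigabitEthernet0/7 as data port 1, the test client 10.40.1.10 in VLAN 40, the server 10.20.1.2 in VLAN 20 and the placeholder server-mac are all assumptions.

```cisco
! ===== Supervisor side =====
! 1. The data port must be up and trunking exactly VLANs 20 and 21; the
!    management port must be up in VLAN 90.
show intrusion-detection module 1 data-port 1 state
show intrusion-detection module 1 management-port state
!
! 2. Baseline the data-port counters, generate traffic, read them again.
!    Flat counters while users can still reach the servers means the
!    packets never enter the module: look for a stray SVI on VLAN 20, a
!    server patched into VLAN 21, or the two VLANs split across data ports.
show intrusion-detection module 1 data-port 1 traffic
!
!    (From the test client 10.40.1.10: ping 10.20.1.2, then open a plain
!     HTTP connection to it so a signature has something to match.)
!
! 3. The server MAC should be learned on VLAN 20 from its access port and on
!    VLAN 21 only from the IDSM data port. If VLAN 21 learns it from any
!    other port, a second layer-2 path is bypassing the sensor.
show mac address-table address <server-mac>
!
! ===== Sensor side ("session 1" from the supervisor) =====
! 4. Interface status and the inline pair's packet counters.
sensor# show interfaces
sensor# show statistics virtual-sensor
!
! 5. Watch live packets on the data port; an empty capture while step 2's
!    counters rise points at the pair or virtual-sensor assignment, while
!    an empty capture AND flat counters points back at the switch.
sensor# packet display GigabitEthernet0/7 count 20 expression host 10.20.1.2
!
! 6. Finally, the alerts the original poster was not seeing.
sensor# show events alert past 00:10:00
```

Running the supervisor-side counters and the sensor-side capture together separates the two failure classes cleanly: the switch never delivering frames to the module versus the module receiving frames but not inspecting or alerting on them.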

Hi Roman,

Thanks for all your responses!!!

I have one more query for you now.

I have only one Layer 3 switch, to which the hosts and servers are connected. Now I want to connect an IPS 4200 series appliance to one port of the switch and configure inline VLAN pair mode.

Case #01:

Both hosts and servers are in the same IP subnet.

Case #02:

Hosts and servers are in different subnets.

Kindly advise on the connectivity and config: how can I achieve these targets?

Thanks,

Aman
