02-22-2005 08:33 AM
Hi
I asked this question in the LAN switching forum but got no reply.
It's regarding what VLAN to place the IDSM in when using it in the same chassis as a FWSM (both in a 6509).
I have all VLANs (except the one that is used to communicate with the MSFC) assigned to the firewall. I am therefore firewalling between all of my internal VLANs.
I need to assign the IDSM and the NAM to a VLAN. I am wondering if these should be placed on the inside of the FWSM in their own VLAN or if they should be placed outside in either the VLAN that is being used to communicate with the MSFC or in a completely separate VLAN on the outside of the FWSM.
I currently have both the IDSM and the NAM in their own VLAN which is assigned to the FWSM. This works but I had to do a bit of fudging with the NAM by putting it in the same VLAN as the SVI on the MSFC first (so that it automatically learned the management address of the 6509) and then moved it to the VLAN on the firewall. This fudging makes me think that perhaps the NAM and the IDSM should not be assigned to a VLAN which is assigned to the firewall, although I am perfectly able to capture traffic from all VLANs which are assigned to the firewall and I therefore assume that the IDSM will be able to monitor the VLANs which are assigned to the firewall.
Any comments would be appreciated.
Thanks.
02-28-2005 01:18 PM
Try adding the command "intrusion-detection module 3 management-port access-vlan 804" to the catalyst config on the switch.
03-01-2005 03:23 AM
Hi and thanks for the reply. I have this configured in the correct VLAN. What I was unsure of was whether it mattered if the VLAN mentioned in the above command is on the inside of the FWSM or the outside. It now appears however that this does not matter.
Thanks for the help.