IDSM-2 inline between multiple VLANs
Hi,
I have a core switch 6509 which includes an IDSM-2. Actually, the core switch handles the traffic between the user VLANs and the server VLAN (VLAN 11).
The user VLANs are VLAN 2, 3, 4, 5, 6 and 7. I need to configure the core switch and IDSM to be inline between the user VLANs and the server farm VLAN to inspect the traffic coming from the users.
As I understand it, I can use the IDSM inline mode between multiple VLANs, but unfortunately my test to drop the ICMP request to the server failed.
Kindly advise if that is available or if it should be only in promiscuous mode.
Also, is there any sample of a successful configuration?
My configuration is as below:
Core-SW-RYD#sh run | in intr
intrusion-detection module 9 data-port 1 trunk allowed-vlan 2-7,11
intrusion-detection module 9 data-port 2 trunk allowed-vlan 2-7,11
intrusion-detection module 9 data-port 1 autostate include
intrusion-detection module 9 data-port 2 autostate include
intrusion-detection module 9 data-port 1 portfast 1
intrusion-detection module 9 data-port 2 portfast 1
VLAN Name Status Ports
1 default active Gi9/2, Gi9/3, Gi9/4, Gi9/5, Gi9/6
2 Food-D-VLAN active
3 Comm-D-VLAN active
4 Emar-D-VLAN active
5 Finance-D-VLAN active
6 Glucose-D-VLAN active
7 IT-D-VLAN active Gi1/3
11 servers-Vlan active Gi1/2, Gi1/4, Gi1/5, Gi1/6, Gi1/7, Gi1/8, Gi1/9, Gi1/10, Gi1/12, Gi1/13
Gi1/14, Gi1/15, Gi1/16, Gi1/17, Gi1/18, Gi1/19, Gi1/20, Gi1/21, Gi1/22
Gi1/23, Gi1/24, Gi1/25, Gi1/26, Gi1/27, Gi1/28, Gi1/29, Gi1/31, Gi1/32
Gi1/33, Gi1/34, Gi1/35, Gi1/36, Gi1/37, Gi1/38, Gi1/39, Gi1/41, Gi1/42
Gi1/43, Gi1/44, Gi1/45, Gi1/46, Gi1/47, Gi1/48, Gi2/10, Gi2/11, Gi2/12
Gi2/13, Gi2/15, Gi2/16, Gi2/18, Gi2/19, Gi2/20, Gi2/21, Gi2/22, Gi2/23
Gi2/24, Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/8, Gi3/9, Gi3/10
Gi3/11, Gi3/12, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19
Gi3/20, Gi3/21, Gi3/22, Gi3/23, Gi3/24
your support will be highly appreciated.
Best Regards,
Magdy
Hi Mohamed.
With inline mode, you can only bridge VLANs in pairs uniquely! So you can only bridge VLAN 11 to another single VLAN. And remember, since they are bridged, that means the 2 VLANs need to have the same IP subnet.
But looking at your requirements, I'm guessing the different VLANs are on different IP subnet ranges.
In that case, you'll need to do promiscuous mode.
However, in promiscuous mode you can only do ACL blocking, and the first packet will pass successfully but will trigger the sensor to configure the router to create an ACL, and further packets will be dropped.
However, if you redesign a bit you can use promiscuous mode. For example, create a new Layer 2 VLAN (let's say 14) and move the servers to this VLAN.
You only need to trunk VLAN 11 and VLAN 14 to the IDSM module, then create a single VLAN pair on the IPS which bridges VLAN 11 and VLAN 14, then configure the signature to drop packets inline. Since now the clients who need to contact the servers need to pass traffic to VLAN 11, and the IDSM is in the middle between VLAN 11 and 14, it should drop pings to the servers.
Regards,
Fadi.
Similar Messages
-
My customer has voice, video and data VLANs. The customer wants to inspect only inter-VLAN traffic, ONLY for data, with IDSM-2 inline, while bypassing the other VLAN traffic to the FWSM and then to the WAN.
Is that possible with inline VLAN pair mode?
I read the cisco document which states as below
"You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port. IDSM-2 replaces the VLAN ID field in the 802.1q header of each packet with the ID of the VLAN on which the packet is forwarded. It drops any packets received on VLANs that are not assigned to an inline VLAN pair."
The last statement says it will drop all other VLAN traffic which is not assigned to any inline VLAN pair?
Regards
Vinod
You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.
-
Idsm 2- Inline Mode Deployment
I would like to configure an IDSM-2 in inline mode, I am having trouble about the deployment, I have a couple of questions;
1. If you configure 2 VLANs (existing) as VLAN pairs does this mean the exist connection between the 2 VLANs is broken?
ie they can only communicate to each other via IPS.
2. Where is the best place to deploy this type of IPS?
In an inline VLAN-pair scenario, the IDSM2 will bridge the VLANs together using VLAN tag swapping. Below is a quick topo sketch of an inline design where this might be used.
6500 MSFC--VL10--(inside) FWSM (outside)--VLAN 11--IDSM--VLAN 111--RTR--INTERNET
In the example above, the FWSM outside and RTR inside interfaces sit on the same Layer 3 subnet but different Layer 2 VLANs. The IDSM is positioned inline using an inline VLAN pair. Traffic leaving the FWSM towards the Internet will go into the trunk to the IDSM on VLAN 11. The IDSM will then swap the VLAN tag to 111 before forwarding the packet down the trunk. This process allows the traffic to be influenced into the IDSM for inspection.
http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718 -
Communication between 2 vlans on firewall.
communication between 2 vlans.
i have 2 vlans
Vlan 100
ip add 1.1.1.1
Vlan 200
ip add 2.2.2.2
I want to make communication between 2 VLANs on a firewall 5520 ASA 8.2.
Please provide the configuration for the same.
You need to follow this guide; the configuration which you have pasted has nothing but the IP. Other parameters are also required to configure the ASA firewall.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html
Thanks
Ajay -
What's the difference between native VLAN and PVID
What's the difference between native VLAN and PVID?
Hi,
a port VLAN ID is the assigned VLAN of an access-port.
The native VLAN is used in a trunk. A trunk is used to connect another switch or a device which belongs to more than 1 VLAN. Since a standard Ethernet frame doesn't provide a field to distinguish VLANs, a special field is inserted; this is called "tagging". Nevertheless, frames belonging to the native VLAN are transmitted without such a tag (in other words, the Ethernet frames are not modified). In this way, traffic forwarding is possible in the native VLAN even when the trunk is not working correctly.
In theory, if you connected a trunk port from one switch to an access port of another, communication for the native VLAN would be possible. In such a scenario, the native VLAN ID doesn't have to match the PVID. Hope this isn't too confusing.
You can find more details in discussion https://learningnetwork.cisco.com/thread/8721#39225
Regards,
Rolf -
IDSM-2 inline vlan pair mode configs
Dear all,
1. Is it possible to associate 2 VLANs (to be paired) on 2 different data ports on the IDSM instead of pairing them on a single data port on the IDSM, and to configure these 2 ports on the CAT6509 as access ports instead of trunks? Will this work?
2. Bypass mode is ON by default (AUTO) in IDSM-2 inline VLAN pair mode, but when I am testing the bypass it's not happening. Can anyone please guide me on what could be the reason for this?
Regards,
Akhtar
You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.
-
IDSM-2 Inline Vlan Pair - Duplicate Packets
Dear All
We have a setup where two IDSM-2 modules are ether-channeled together in a single 6513 Chassis.
There is an FWSM module also, which acts as the default gateway for all internal VLANs.
Problem: IDSM show stat virtual-sensor command is showing tons of 'Duplicate Packets'
show statistics virtual-sensor | inc Duplic
Duplicate Packets = 2950967
Inline TCP Tracking Mode: Interface and VLAN
Topology:
Assume Client VLAN = 10 and Server VLAN = 60
IPS Inline VLAN Pairs:
10 >> 110 (Client VLAN)
60 >> 160 (Server VLAN)
Client >> Server Flow: (Layer 2):
[ClientPC] >>>> Access Switch (VLAN 10) >>>> Core SW >>>> IDSM-2 (VLAN 10--110 Pair) >>>> Core Sw >>>> FWSM VLAN 110 >>>>
FWSM VLAN 160 >>>> Core Sw >>>> IDSM-2 (VLAN 160--60 Pair) >>>> Server Switch (VLAN 60) >>>> [Server]
Core Switch IPS Etherchannel Setup:
Group 5: IDSM(A) and IDSM(B) Port x/7
Group 6: IDSM(A) and IDSM(B) Port x/8
Some VLAN Pair(s) are on interface x/7 and others are on x/8
Because of the above issue, we see a lot of TCP normalization signatures being fired (as the IPS gets confused with duplicate packets seen for the same flow), especially signatures 1330:12, :17 and :18.
It is also causing some applications to break (e.g. Veritas NetBackup 6.5). When I removed the DENY action from these signatures, our IPS started having stability issues (this could also be due to the E3 upgrade).
Should we change the tracking mode to 'VLAN' only, or is there any other possible solution? Shouldn't the 'interface and vlan' setting be sufficient?
Regards
Farrukh
This will take some traffic analysis to determine what is going wrong.
You might need to place a sniffer to watch the traffic on the client where the backup software is running at the same time that you capture the traffic on the sensor.
Look to see if there are any differences in the traffic.
Look for any anomalies in the traffic.
Look to see if maybe the backup software is not using a standard TCP connection (is it jumping the tcp sequence numbers in any abnormal way?)
You might also try some things on the sensor to determine if the sensor itself might have an issue.
Determine if the connection passes through 2 connections (inline VLAN pairs) monitored by the sensor.
If you can, you might try removing both of the pairs from the virtual sensor. (don't delete the pairs, just remove them from the virtual sensor so they won't be analyzed)
And see if the backup works.
If it does then just add in one pair, and see if it keeps working.
If it has errors with just the one pair, then the problem is likely not because of the connection being monitored twice.
Something else must be weird about the connection.
If the problems are only seen when having both pairs in the same virtual sensor, then try placing the pairs in different virtual sensors and see if the problem goes away.
If the problem goes away when in different virtual sensors, then there may be an error in the inline tcp session tracking code that should track connections separately for each interface/vlan. -
6509 - IDSM-2 inline vlan pair mode at layer 3
I am a little green, so be nice.
Wondering how to get an IDSM-2 module inline on a 6509. My issue is that the traffic comes into the 6509 at Layer 3 (routed), so I'm not sure how the config works (e.g. do I use a trunk, or do I have to add in a hop somehow).
6509 conf snippet:
intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128
vlan 3127
name FIREWALL-IPS
vlan 3128
name FIREWALL
interface Port-channel2
description CAB2
ip address 10.30.2.2 255.255.255.0
ip helper-address 10.10.20.11
ip helper-address 10.10.20.13
ip helper-address 10.30.123.11
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
glbp 2 ip 10.30.2.1
glbp 2 timers msec 250 msec 750
glbp 2 priority 120
glbp 2 preempt delay minimum 60
glbp 2 load-balancing weighted
glbp 2 weighting track 89 decrement 50
glbp 2 weighting track 99 decrement 50
glbp 2 forwarder preempt delay minimum 60
interface GigabitEthernet1/9
description FIREWALL
switchport
switchport access vlan 3128
switchport mode access
no ip address
interface GigabitEthernet8/9
description CAB2SW1-Gi1/0/49
no ip address
channel-group 2 mode on
interface GigabitEthernet9/9
description CAB2SW1-Gi1/0/50
no ip address
channel-group 2 mode on
interface Vlan3128
description FIREWALL
ip address 10.30.128.2 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
no ip igmp snooping
glbp 128 ip 10.30.128.1
glbp 128 timers msec 250 msec 750
glbp 128 priority 120
glbp 128 preempt delay minimum 60
glbp 128 load-balancing weighted
glbp 128 forwarder preempt delay minimum 60
IDSM-2 conf snippet:
service interface
physical-interfaces GigabitEthernet0/7
description data-port 1
subinterface-type inline-vlan-pair
subinterface 1
description FIREWALL VLAN3127<->VLAN3128
vlan1 3127
vlan2 3128
A colleague of mine explained how to do this and it mostly makes sense. My only confusion is that once you remove the access VLAN (3128) from the interface that gets monitored and replace it with 3127, how does traffic still traverse the 3128 VLAN? What is the mechanism that controls this? Is it the command "intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128"?
-
Hybrid 6500 IDSM-2 inline vlan pair mode
I am having a problem understanding how a packet is going to know that it needs to get evaluated by the IDSM if it is being sent to a host on a different VLAN. First, let's say that the server is on a VLAN that is being paired and the server host is configured with the GW address of the paired VLAN. So if a different host on a different VLAN sent a packet to that server, how does the MSFC know to send the packet to the paired VLAN to get routed to the server's VLAN instead of routing it directly to the server's VLAN that is attached to it (MSFC)? FYI, I followed the admin guides to set this up and they do not cover design or operation packet flows.
Cisco CatOS on the Cisco Catalyst 6500 Series with optional Cisco IOS Software on the Multilayer Switching Feature Card (MSFC) provides Layer 2/3/4 functionality for the Cisco Catalyst 6500 by integrating two operating systems. A switch running CatOS only on the Supervisor Engine is a Layer 2 forwarding device with Layer 2/3/4 functionality for QoS, security, multicast, and network management of the Policy Feature Card (PFC), but does not have any routing capabilities. Layer 3 routing functionality is provided via a Cisco IOS Software image on the MSFC routing engine (optional in Supervisor 1A and 2, and integrated within Supervisor 32 and 720.) In this paper, the combination of CatOS on the Supervisor Engine and Cisco IOS Software on the MSFC is referred to as the "hybrid" OS; two operating systems work together to provide complete Layer 2/3/4 system functionality.
-
IDSM-2 Inline VLAN configuration issue
The SVR is on VL60, the PC is on VL80.
So, PC(.25--VL81--GE0/7--VL80--SVI 80--SVI60--VL60--SVR(.10)
Sensor interface GigabitEthernet0/7 is assigned to trunk all Vlans 1-4094
CAT65K-PODX#sh ru | in intrusion
intrusion-detection module 6 management-port access-vlan 99
intrusion-detection module 6 data-port 1 trunk allowed-vlan 1-4094
CAT65K-PODX#
The interface is assigned to vs0.
All I am seeing is "unknown 802.1d" when I look at the interface instead of the continuous ping I have from the PC to the SVR. (80.25 to 60.10)
CAT65K-PODX#ses sl 6 pr 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.61 ... Open
login: cisco
Password:
Last login: Mon Oct 23 18:16:06 from 127.0.0.51
IDSM2-PODX# pack disp gi
gigabitEthernet0/2 gigabitEthernet0/7 gigabitEthernet0/8
IDSM2-PODX# pack disp gigabitEthernet0/7
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_7: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_7, link-type EN10MB (Ethernet), capture size 65535 bytes
18:35:17.968178 802.1d unknown version
0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
18:35:19.968666 802.1d unknown version
2 packets captured
2 packets received by filter
0 packets dropped by kernel
IDSM2-PODX#exit
signatures 60000 0
alert-severity medium
sig-fidelity-rating 75
sig-description
sig-name BadICMP
sig-string-info BadICMP
sig-comment BadICMP
exit
engine atomic-ip
event-action produce-alert|log-attacker-packets
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-code yes
icmp-code 8
exit
exit
exit
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr 10.1.80.25
exit
exit
exit
exit
exit
signatures 60001 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name Block BadICMP
sig-string-info Block BadICMP
sig-comment Block BadICMP
exit
engine atomic-ip
event-action produce-alert|request-block-host
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-seq no
specify-icmp-type no
specify-icmp-code yes
icmp-code 0
exit
specify-icmp-id no
specify-icmp-total-length no
exit
specify-payload-inspection no
exit
specify-ip-payload-length no
specify-ip-header-length no
specify-ip-tos no
specify-ip-ttl no
specify-ip-version no
specify-ip-id no
specify-ip-total-length no
specify-ip-option-inspection no
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr 10.1.80.25
exit
specify-dst-ip-addr no
exit
exit
exit
event-counter
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
specify-global-summary-threshold no
exit
exit
status
enabled false
exit
exit
signatures 60002 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name WatchHTTP
sig-string-info WatchHTTP
sig-comment WatchHTTP
exit
engine service-http
service-ports 80,443
exit
status
enabled false
exit
exit
signatures 60003 0
alert-severity high
sig-fidelity-rating 75
sig-description
sig-name LogICMP
sig-string-info BadICMP
sig-comment BadICMP
exit
engine atomic-ip
event-action produce-alert|log-pair-packets
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-seq no
specify-icmp-type no
specify-icmp-code no
specify-icmp-id no
specify-icmp-total-length no
exit
specify-payload-inspection no
exit
specify-ip-payload-length no
specify-ip-header-length no
specify-ip-tos no
specify-ip-ttl no
specify-ip-version no
specify-ip-id no
specify-ip-total-length no
specify-ip-option-inspection no
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr 10.1.80.25
exit
specify-dst-ip-addr no
exit
exit
exit
event-counter
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
specify-global-summary-threshold no
exit
exit
status
enabled false
exit
exit
exit
service ssh-known-hosts
rsa1-keys 10.1.80.1
length 512
exponent 65537
modulus 991855327191948068336083262027767630211536570646048046207473086001594287
45731517042852081906588402062478059658578012089704942074191546123977278518597538
73
exit
exit
service trusted-certificates
exit
service web-server
port 443
exit
IDSM2-PODX# -
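As an added example (not code from the thread or from Cisco) that ties the guide text quoted earlier (an inline VLAN pair bridges two VLANs by rewriting the 802.1Q VID and drops frames on VLANs that belong to no pair) to the capture shown in this post: it parses tagged frames, models one IDSM-2 data port with a VLAN pair, and decodes the first captured frame. The 80<->81 pair is taken from the poster's sketch and the host frames are constructed; both are assumptions.

```python
"""Model of an IDSM-2 inline VLAN pair: 802.1Q VID swapping on a trunk data port."""
import struct
from typing import Optional

# First frame from the thread's "pack disp gigabitEthernet0/7" capture (hex columns only).
CAPTURED_BPDU = bytes.fromhex(
    "0180c200000000169dab33468100e001"
    "0079424203000003027c1000000ff863"
    "8400000000001000000ff86384008287"
    "0000140002000f000000500063697363"
    "6f000000000000000000000000000000"
    "000000000000000000000000000146b6"
    "c0ce9a01939294e2dcc9ca1b32910000"
    "00001000000ff8638400147c80"
)


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dot1q(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, the optional 802.1Q tag and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = mac(frame[:6]), mac(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tci, pcp, vid, offset = None, None, None, 14
    if ethertype == 0x8100:                       # 802.1Q tag present
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF        # 3-bit priority, 12-bit VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "tci": tci, "pcp": pcp, "vid": vid,
            "type_or_len": ethertype, "payload": frame[offset:]}


def describe_stp(payload: bytes) -> Optional[str]:
    """Summarise an LLC/STP BPDU (what tcpdump printed as '802.1d unknown version')."""
    if len(payload) < 16 or payload[:3] != b"\x42\x42\x03":   # LLC DSAP/SSAP 0x42 = STP
        return None
    proto_id, version, bpdu_type = struct.unpack("!HBB", payload[3:7])
    if proto_id != 0:
        return None
    names = {0: "STP", 2: "RSTP", 3: "MSTP"}
    root_prio = struct.unpack("!H", payload[8:10])[0]
    return (f"{names.get(version, f'version {version}')} BPDU type 0x{bpdu_type:02x}, "
            f"root {root_prio}/{mac(payload[10:16])}")


class InlineVlanPair:
    """One IDSM-2 data port bridging VLAN pairs by rewriting the VID in the 802.1Q tag."""

    def __init__(self, pairs):
        self.peer = {}
        for a, b in pairs:
            if a == b or a in self.peer or b in self.peer:
                raise ValueError("each VLAN may belong to exactly one pair on a data port")
            self.peer[a], self.peer[b] = b, a

    def forward(self, frame: bytes) -> Optional[bytes]:
        """Return the frame re-tagged for the peer VLAN, or None when it is dropped."""
        info = parse_dot1q(frame)
        if info["vid"] is None or info["vid"] not in self.peer:
            return None                           # untagged or not in any pair: dropped
        new_tci = (info["tci"] & 0xF000) | self.peer[info["vid"]]   # keep PCP/DEI bits
        return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def build_frame(vid: Optional[int], pcp: int = 0) -> bytes:
    """Constructed host frame (made-up MACs, dummy IPv4 payload), tagged if vid is given."""
    header = bytes.fromhex("00005e000101") + bytes.fromhex("00005e000102")
    if vid is not None:
        header += struct.pack("!HH", 0x8100, (pcp << 13) | vid)
    return header + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 27


if __name__ == "__main__":
    port = InlineVlanPair([(80, 81)])             # assumed pair from the sketch above
    info = parse_dot1q(CAPTURED_BPDU)
    print("captured:", info["dst"], "vlan", info["vid"], describe_stp(info["payload"]))
    for vid in (81, 80, 5, None):
        out = port.forward(build_frame(vid))
        print("vlan", vid, "->", "dropped" if out is None else parse_dot1q(out)["vid"])
```

Run against the capture, the only frames the sensor saw decode as MSTP BPDUs tagged VLAN 1 (priority 7), which lies outside the 80/81 pair; the PC-to-server pings never reached the data port at all.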
Hi,
I am working with the IDSM-2. We have a Cisco 6509 with CSM & FWSM. We are planning IDSM-2 in inline mode and now I want to monitor the traffic which is coming through the outside interface of the FW context (which is nothing but VLAN A, VLAN B, VLAN C on the MSFC).
Data flow: ISP RTR---Internal RTR---FWSM---IDSM---MSFC---CSM---
IDSM version is 5.1(4)S257.0.
This will support only two VLANs (IN and OUT) in access mode.
My problem is I don't know how to scan the traffic of 3 VLANs (A, B, C).
Cisco 6509 --- Version 12.2(18)SXF7
Hi Udaya,
I am not able to find out any subinterface.
I think it is available from IPS 5.1 and this one is IPS5.0(2)
IDSM2CORE2(config-int)# show settin
physical-interfaces (min: 0, max: 999999999, current: 3)
name: GigabitEthernet0/2
media-type: backplane
description:
admin-state: enabled
duplex: auto
speed: auto
alt-tcp-reset-interface
none
name: GigabitEthernet0/7
media-type: backplane
description:
admin-state: enabled
duplex: auto
speed: auto
alt-tcp-reset-interface
interface-name: System0/1
name: GigabitEthernet0/8
media-type: backplane
description:
admin-state: enabled
duplex: auto
speed: auto
alt-tcp-reset-interface
interface-name: System0/1
command-control: GigabitEthernet0/2
inline-interfaces (min: 0, max: 999999999, current: 0)
bypass-mode: auto
interface-notifications
missed-percentage-threshold: 0 percent
notification-interval: 30 seconds
idle-interface-delay: 30 seconds -
IDSM with inline pairs causing mac move
Hello,
I've just added the IDSM-2 blades on a 6500 and configured it, but it did not work as I planned.
This picture is a small-scale version of what I tried to do; actually I had more VLANs on the inspection.
I have 2 cores and a port-channel trunk in between them, and for redundancy I'm using HSRP as the config shows.
After I configured it I got these messages and I could not figure out how to stop it:
Core1
%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 6 is flapping between port Gi6/d1 and port Po1
%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 7 is flapping between port Gi6/d1 and port Po1
MAC 001a.a2e4.e800 is from Core2
Core2
%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 6 is flapping between port and port Po1
%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 7 is flapping between port Po1 and port
Mac 0022.557b.c340 is from Core1
There was only one VLAN pair that did not have this problem, which was the L2 VLAN for the ISP router and the Outside VLAN for the FWSM. It was also the only VLAN that did not have HSRP working; I don't know if that has something to do with it.
Core 1 is the STP root with a priority of zero and Core 2 is the backup root with priority 4096.
Any guesses?
I see this log message frequently when using a switch to feed an IPS sensor if the same Ethernet frame is entering the same VLAN on two different interfaces. I can't tell how your traffic is flowing, but I think you have the same issue.
In my case it was not anything to worry about so I just ignored the messages.
- Bob -
IDSM-2 Inline Configuration Setup
Hi ,
Does anyone have experience with INLINE configuration for IDSM-2? I have a setup where the user VLAN (L3) resides in the FWSM at the Data Center switch and the IDSM resides in another 6509 switch which connects to the INTERNET.
Both of these 6509 switches communicate via OSPF.
Any help appreciated.
Thank you
Rama
Hi,
The IDSM is a Layer two bridge. It will install in vlan 1644 like....
vlan 1644 hosts ----->(dataport0/7) IDSM -----> (dataport0/8)vlan 1645 ------>FWSM---->other vlans
the host will be in access port of vlan 1644, while its gateway interface will be configured with the same subnet ip address on other new vlan 1645....
example:
vlan 1645
exit
int vlan 1645
ip add 10.17.168.1 255.255.255.0
exit
intrusion-detection module 1 data-port 1 access-vlan 1644
intrusion-detection module 1 data-port 2 access-vlan 1645
thanks,
Aman -
Diverting traffic to IDSM for inline IPS mode
I have a Catalyst 6500 switch containing FWSM and IDSM-2 modules. VLAN 1000 is the outside interface for the FWSM to which all business servers are mapped (VLAN 900, inside interface of the FWSM).
I want to inline IPS all the traffic going to these business servers.
I have no issue with the IPS configuration.
Could you please guide me with a configuration for the 6500 switch for diverting this traffic?
I can provide 6500 configs if required.
An example would be appreciated.
I'm not sure if this is relevant to your situation, but here is how I have a gateway 6K switch set up with an external 4255 IPS device. You should be able to substitute the IDSM2 though.
Internet -> port 1/2 Vlan 5 -> port 3/1 Vlan 5 -> 4255 vlan pair to -> port 3/2 Vlan 2 -> MSFC Route Module -> rest of vlans internal...
What I am doing in bringing my uplink in on a physical port that is in Vlan 5. I put one side of my IPS sensor into Vlan 5. These two ports are the only ports in Vlan 5. The IPS sensor port is vlan paired through the sensor to a port in Vlan 2. From this point, my MSFC route module has virtual interfaces for Vlan 2 and all of the rest of my internal Vlans. There is no route entry for Vlan 5, it is a pure switching vlan.
What I like about this setup is that the IPS is transparent. If I have a problem with my IPS device or if I am doing an image upgrade, I can move the vlan for port 1/2 into Vlan 2 and logically bypass the IPS device...taking it out of inline without having to change anything else in the switch config and only having to wait for the spanning tree to converge.
For the IDSM2, since the ports are trunk ports, you'd want to set the native vlan to the target vlan of each port and set the allowed vlans to just the target vlan of each port (ports 7 & 8).
Hope this is useful,
Scott -
IDSM-2, inline and Passive mode in same Module?
Hi, I have a question that may seem strange. In our network we have implemented the IDSM-2 module in our 6513 switch in inline mode. Without any discussion about network design, suppose that our network is going beyond the IDSM-2 throughput and then we want to use the IDSM-2 for some traffic in passive mode instead of inline to reduce the drop probability in inline mode. I mean, before this state we were using IDSM-2 data port 1 (in VLAN pair mode); now can we use data port 2 for this purpose (capturing some traffic on data port 2 for passive operation)? In other words, can the IDSM-2 operate in this way?
I found my answer in the IDSM-2 document: "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." But something else: for doing such a thing, suppose that I have sig 2004 configured for inline traffic to deny the attacker inline; then this action doesn't make any sense for some data in passive mode, and suppose that for that kind of traffic on which the IDSM-2 is operating in passive mode I want to just send an alert. So can I use different VSs for doing this? Thanks.