IDSM-2 inline vlan pair mode configs

Dear all,
1. Is it possible to associate 2 VLANs (to be paired) on 2 different data ports on the IDSM instead of pairing them on a single data port on the IDSM, and configuring these 2 ports on the CAT6509 as access ports instead of trunks? Will this work?
2. Bypass mode is ON by default (AUTO) in IDSM-2 inline VLAN pair mode, but when I am testing the bypass it's not happening. Can anyone please advise what could be the reason for this?
Regards,
Akhtar

You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

Similar Messages

  • IDSM-2 inline VLAN pair mode

    My customer has voice, video and data VLANs. The customer wants only the inter-VLAN traffic for data to be inspected by IDSM-2 inline, while bypassing the other VLAN traffic to the FWSM and then to the WAN.
    Is that possible with inline VLAN pair mode?
    I read the Cisco document which states as below:
    "You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port. IDSM-2 replaces the VLAN ID field in the 802.1q header of each packet with the ID of the VLAN on which the packet is forwarded. It drops any packets received on VLANs that are not assigned to an inline VLAN pair."
    The last statement says it will drop all other VLAN traffic that is not assigned to any inline VLAN pair?
    Regards
    Vinod

  • 6509 - IDSM-2 inline vlan pair mode at layer 3

    I am a little green, so be nice.
    I am wondering how to get an IDSM-2 module inline on a 6509. My issue is that the traffic comes into the 6509 at layer 3 (routed), so I'm not sure how the config works (e.g. do I use a trunk, or do I have to add in a hop somehow?).
    6509 conf snippet:
    intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128
    vlan 3127
     name FIREWALL-IPS
    vlan 3128
     name FIREWALL
    interface Port-channel2
     description CAB2
     ip address 10.30.2.2 255.255.255.0
     ip helper-address 10.10.20.11
     ip helper-address 10.10.20.13
     ip helper-address 10.30.123.11
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     glbp 2 ip 10.30.2.1
     glbp 2 timers msec 250 msec 750
     glbp 2 priority 120
     glbp 2 preempt delay minimum 60
     glbp 2 load-balancing weighted
     glbp 2 weighting track 89 decrement 50
     glbp 2 weighting track 99 decrement 50
     glbp 2 forwarder preempt delay minimum 60
    interface GigabitEthernet1/9
     description FIREWALL
     switchport
     switchport access vlan 3128
     switchport mode access
     no ip address
    interface GigabitEthernet8/9
     description CAB2SW1-Gi1/0/49
     no ip address
     channel-group 2 mode on
    interface GigabitEthernet9/9
     description CAB2SW1-Gi1/0/50
     no ip address
     channel-group 2 mode on
    interface Vlan3128
     description FIREWALL
     ip address 10.30.128.2 255.255.255.0
     no ip redirects
     no ip unreachables
     ip flow ingress
     no ip igmp snooping
     glbp 128 ip 10.30.128.1
     glbp 128 timers msec 250 msec 750
     glbp 128 priority 120
     glbp 128 preempt delay minimum 60
     glbp 128 load-balancing weighted
     glbp 128 forwarder preempt delay minimum 60
    IDSM-2 conf snippet:
    service interface
     physical-interfaces GigabitEthernet0/7
      description data-port 1
      subinterface-type inline-vlan-pair
      subinterface 1
       description FIREWALL VLAN3127<->VLAN3128
       vlan1 3127
       vlan2 3128

    A colleague of mine explained how to do this and it mostly makes sense. My only confusion is that once you remove the access VLAN (3128) from the interface that gets monitored and replace it with 3127, how does traffic still traverse the 3128 VLAN? What is the mechanism that controls this; is it the command "intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128"?

  • Hybrid 6500 IDSM-2 inline vlan pair mode

    I am having a problem understanding how a packet is going to know that it needs to get evaluated by the IDSM if it is being sent to a host on a different VLAN. First, let's say that the server is on a VLAN that is being paired and the server host is configured with the gateway address of the paired VLAN. So if a different host on a different VLAN sent a packet to that server, how does the MSFC know to send the packet to the paired VLAN to get routed to the server's VLAN, instead of routing it directly to the server's VLAN that is attached to it (MSFC)? FYI, I followed the admin guides to set this up and they do not cover design or operational packet flows.

    Cisco CatOS on the Cisco Catalyst 6500 Series with optional Cisco IOS Software on the Multilayer Switching Feature Card (MSFC) provides Layer 2/3/4 functionality for the Cisco Catalyst 6500 by integrating two operating systems. A switch running CatOS only on the Supervisor Engine is a Layer 2 forwarding device with Layer 2/3/4 functionality for QoS, security, multicast, and network management of the Policy Feature Card (PFC), but does not have any routing capabilities. Layer 3 routing functionality is provided via a Cisco IOS Software image on the MSFC routing engine (optional in Supervisor 1A and 2, and integrated within Supervisor 32 and 720.) In this paper, the combination of CatOS on the Supervisor Engine and Cisco IOS Software on the MSFC is referred to as the "hybrid" OS; two operating systems work together to provide complete Layer 2/3/4 system functionality.

  • IDSM-2 Inline Vlan Pair - Duplicate Packets

    Dear All
    We have a setup where two IDSM-2 modules are ether-channeled together in a single 6513 Chassis.
    There is an FWSM module also, which acts as the default gateway for all internal VLANs.
    Problem: IDSM show stat virtual-sensor command is showing tons of 'Duplicate Packets'
    show statistics virtual-sensor | inc Duplic
    Duplicate Packets = 2950967
    Inline TCP Tracking Mode: Interface and VLAN
    Topology:
    Assume Client VLAN = 10 and Server VLAN = 60
    IPS Inline VLAN Pairs:
    10 >> 110 (Client VLAN)
    60 >> 160 (Server VLAN)
    Client >> Server Flow: (Layer 2):
    [ClientPC] >>>> Access Switch (VLAN 10) >>>> Core SW >>>> IDSM-2 (VLAN 10--110 Pair) >>>> Core Sw >>>> FWSM VLAN 110 >>>>
    FWSM VLAN 160 >>>> Core Sw >>>> IDSM-2 (VLAN 160--60 Pair) >>>> Server Switch (VLAN 60) >>>> [Server]
    Core Switch IPS Etherchannel Setup:
    Group 5: IDSM(A) and IDSM(B) Port x/7
    Group 6: IDSM(A) and IDSM(B) Port x/8
    Some VLAN Pair(s) are on interface x/7 and others are on x/8
    Because of the above issue, we see a lot of TCP normalization signatures being fired (as the IPS gets confused by duplicate packets seen for the same flow), especially signatures 1330:12, :17 and :18.
    It is also causing some applications to break (e.g. Veritas NetBackup 6.5). When I removed the DENY action from these signatures, our IPS started having stability issues (this could also be due to the E3 upgrade).
    Should we change the tracking mode to 'VLAN' only, or is there any other possible solution? Should not the 'interface and vlan' setting be sufficient?
    Regards
    Farrukh

    This will take some traffic analysis to determine what is going wrong.
    You might need to place a sniffer to watch the traffic on the client where the backup software is running at the same time that you capture the traffic on the sensor.
    Look to see if there are any differences in the traffic.
    Look for any anomalies in the traffic.
    Look to see if maybe the backup software is not using a standard TCP connection (is it jumping the tcp sequence numbers in any abnormal way?)
    You might also try some things on the sensor to determine if the sensor itself might have an issue.
    Determine if the connection passes through 2 connections (inline vlan pairs) monitored by the sensor.
    If you can, you might try removing both of the pairs from the virtual sensor. (don't delete the pairs, just remove them from the virtual sensor so they won't be analyzed)
    And see if the backup works.
    If it does then just add in one pair, and see if it keeps working.
    If it has errors with just the one pair, then the problem is likely not because of the connection being monitored twice.
    Something else must be weird about the connection.
    If the problems are only seen when having both pairs in the same virtual sensor, then try placing the pairs in different virtual sensors and see if the problem goes away.
    If the problem goes away when in different virtual sensors, then there may be an error in the inline tcp session tracking code that should track connections separately for each interface/vlan.
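The check the answer above asks for (does one connection cross two inline VLAN pairs that sit in the same virtual sensor?) can be worked out from the topology before touching the sensor. The Python below is an added example, not part of this thread or of Cisco's tooling: it walks the client-to-server path from the question as the sequence of VLAN tags the packet carries, counts how many times that path crosses a configured pair, and reports any virtual sensor that ends up inspecting the same flow twice. The subinterface numbers and the virtual-sensor assignment are assumptions; the VLAN pairs and the path are the ones the question describes. The same check applies to the workstation-to-server case in the IDS 4215 thread further down, where a packet would cross both the 100/101 and the 200/201 pair.

```python
# Constructed model of the Client >> Server flow described in the question above.
# Subinterface numbers are hypothetical; the VLAN pairs are the ones in the post.
PAIRS = {1: (10, 110), 2: (60, 160)}
VS_OF_PAIR = {1: "vs0", 2: "vs0"}        # both pairs assigned to one virtual sensor
# The flow as the VLAN tag the packet carries at each step: client VLAN 10, bridged
# by the IDSM to 110, routed by the FWSM onto 160, bridged by the IDSM to 60.
CLIENT_TO_SERVER = [10, 110, 160, 60]


def pair_crossings(path, pairs, vs_of_pair):
    """Every adjacent VLAN change on the path that matches an inline VLAN pair is
    one pass through the sensor; return (subinterface, virtual sensor) per pass."""
    by_vlans = {frozenset(v): k for k, v in pairs.items()}
    crossings = []
    for a, b in zip(path, path[1:]):
        subif = by_vlans.get(frozenset((a, b)))
        if subif is not None:
            crossings.append((subif, vs_of_pair[subif]))
    return crossings


def sensors_seeing_flow_twice(crossings):
    """Virtual sensors that inspect the same flow more than once: the situation in
    which the second copy of each packet shows up as a duplicate to the first."""
    seen = {}
    for _, vs in crossings:
        seen[vs] = seen.get(vs, 0) + 1
    return sorted(vs for vs, n in seen.items() if n > 1)


if __name__ == "__main__":
    hits = pair_crossings(CLIENT_TO_SERVER, PAIRS, VS_OF_PAIR)
    print("passes through the sensor:", hits)
    print("virtual sensors seeing the flow twice:", sensors_seeing_flow_twice(hits))
    # the answer's experiment: put the pairs in different virtual sensors
    split = {1: "vs0", 2: "vs1"}
    print("after splitting:", sensors_seeing_flow_twice(pair_crossings(CLIENT_TO_SERVER, PAIRS, split)))
```

With both pairs in vs0 the flow is inspected twice by the same virtual sensor; assigning the second pair to a separate virtual sensor (the experiment the answer suggests) makes the report empty, which is the condition to aim for when a firewall sits between two paired VLANs.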

  • IDSM-2, inline and Passive mode in same Module?

    Hi, I have a question that may seem strange. In our network we have implemented an IDSM-2 module in our 6513 switch in inline mode. Without any discussion about network design, suppose that our network is going beyond the IDSM-2 throughput and then we want to use the IDSM-2 for some traffic in passive mode instead of inline, to reduce the drop probability in inline mode. I mean, before this state we were using IDSM-2 data port 1 (in VLAN pair mode); now can we use data port 2 for this purpose (capturing some traffic on data port 2 for passive operation)? In other words, can IDSM-2 operate in this way?

    I found my answer in the IDSM-2 document: "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." But something else: for doing such a thing, suppose that I have sig 2004 configured for inline traffic to deny the attacker inline; then this action doesn't make any sense for some data in passive mode, and suppose that for that kind of traffic, where the IDSM-2 is operating in passive mode, I want to just send an alert. So can I use different VSs for doing this? Thanks.

  • 4250-sx connecting to 6500 for vlan pair mode

    I am not sure if this question should be asked on the IDS forum or the switching forum. Please let me know if it is the wrong place to be asking.
    Could someone perhaps help? It's the first time we are configuring this setup, so we need some help in configuring the SX interface on a 6500 switch.
    We would like to connect our 4250-SX IPS sensor (5.1) in inline VLAN pair mode to a 6500 Catalyst running IOS software. The switch has a fiber SC type connection. We would like to find a document that best describes how the interface on the switch should be configured for successful operation of this solution. Can someone point us to this document? We have been told that the port will need to be configured as an 802.1q trunk. Is this correct?
    We would also like to filter all unneeded vlans from propagating on to that trunk. What is the best way to do this?
    Thanks in advance

    Whether the port is fiber or copper won't really matter much.
    The first step is determine between which 2 vlans you will want to do inline vlan pair monitoring.
    The most direct solution is to pick one existing vlan, and create one brand new vlan.
    Now trunk both of these vlans on the switch port where the sensor is connected:
    Here is a basic example configuration for that switch port:
    interface GigabitEthernet1/1
     switchport
     switchport access vlan 1
     switchport trunk native vlan 1
     switchport trunk allowed vlan 100-101
     switchport mode trunk
     no ip address
     no shutdown
    exit
    Vlan 100 was the existing vlan, and vlan 101 was the newly created vlan.
    The vlan 1 settings were just to ensure the port was set back to the default of vlan 1 for the access vlan; the vlan 1 setting is not used in the vlan pairing and is not in the list of allowed vlans for the trunk port.
    NOTE: You will see that the mode must be forced to trunk. Also be aware that depending on the port you may also have to force the trunk type to 802.1q:
    "switchport trunk encapsulation dot1q"
    Now on the sensor itself you will want to create an inline vlan pair on that SX interface, and pair vlan 100 with vlan 101.
    Now remember that vlan 101 was a new vlan and is empty. So right now the sensor is doing inline monitoring between that empty vlan and the rest of your network. The trick now is to move some of the ports from the original vlan into that new vlan.
    If this is your first time setting this up, then I suggest you try this with a very simple network with 3 PCs that all talk to each other on the same subnet. All 3 PCs would be in the same vlan to begin with. After the steps above are done to create the new vlan and create the inline vlan pair on the sensor, the next step is to move PCs into the other vlan. So for one PC change its switch port configuration to move just that one PC from the original vlan (100) to the new vlan (101).
    Wait a minute for spanning-tree to run.
    Now ensure that the PCs from the original vlan can communicate with the PC in that new vlan.
    NOTE: Both vlans are for the same IP subnet. The sensor does not IP route between the subnets, it just switches or bridges packets between the 2 subnets. So the IPs on the PCs do not change as they get moved to the other vlan.
    If you run some tests you will see that the sensor will see all traffic between the PC in the new vlan and either of the PCs in the original vlan. But you will also find that if the 2 PCs in the original vlan talk to each other, the sensor is unlikely to see that traffic (on occasion it will, but the sensor is just receiving a copy in broadcast and multicast situations).
    Typical deployments will have something like a firewall in the original vlan, and the internal network machines moved to the new vlan. Or if the switch itself is routing, then the switch will have its IP address on the original vlan, and all of the other machines will be moved to the new vlan.
    You also have the option of creating additional inline vlan pairs. To do this just create a new vlan for every original vlan where you want to add inline vlan pair monitoring.
    Then just add those vlans to the trunk allowed vlan command and create the pair in the sensor configuration.
    So let's say you also wanted to pair vlans 104 and 105 together. Then the command would look like:
    switchport trunk allowed vlan 100-101,104-105
    Your question about how to keep the unneeded vlans from propagating is answered by that same command above. The "allowed vlan" list will restrict the trunk to only carrying those vlans listed.

  • Filter Traffic using ISDM-2 Inline Mode and Inline VLAN Pairs

    Hi Everyone,
    I have a new IDSM-2 module (version 6.0(1)E1) and I'm thinking of using inline VLAN pairs to bridge two VLANs, in my case VLAN 100 and VLAN 101. VLAN 100 is the VLAN used by the MSFC and VLAN 101 is the VLAN used by the outside of my FWSM. In this way, I think I can monitor all the traffic to and from the Internet. My question is: can I choose what traffic I will analyze using this configuration? Maybe with a VACL or another way.
    Thanks in advance
    Andre Lomonaco

    If I understand your question correctly, I do not think you have the ability to selectively inspect the traffic with only a single pair of vlans. The IPS module is going to bridge your vlans together and you would want all traffic to go through that bridge...I don't know what mechanism you'd use to selectively direct traffic through some other bridge/route function.
    Within the IPS software you can turn off (disable AND retire) signatures that inspect traffic that you wish to ignore, the IPS will just forward the traffic through, but you don't have a fine level of granularity there.
    Scott

  • Only some of the traffic passing through inline vlan pair

    Here is my network setup
       firewall<----->(g1/2) Core switch 6500 with IDSM (TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Access switch
    configuration in core switch
    interface GigabitEthernet1/2.11
     description **** ****
     encapsulation dot1Q 211
     ip vrf forwarding VRF11
     ip address 10.2.11.73 255.255.255.248
     ip ospf network point-to-point
     standby 1 ip 10.2.11.75
     standby 1 priority 110
     standby 1 preempt
    interface GigabitEthernet1/2.37
     description **** ****
     encapsulation dot1Q 237
     ip vrf forwarding VRF37
     ip address 10.2.37.73 255.255.255.248
     ip ospf network point-to-point
     standby 1 ip 10.2.37.75
     standby 1 priority 110
     standby 1 preempt
    interface TenGigabitEthernet9/1.11
     description ****   ****
     encapsulation dot1Q 311
     ip vrf forwarding VRF11
     ip address 10.2.11.2 255.255.255.252
     ip ospf network point-to-point
    interface TenGigabitEthernet9/1.12
     description ****   ****
     encapsulation dot1Q 312
     ip vrf forwarding VRF12
     ip address 10.2.12.2 255.255.255.252
     ip ospf network point-to-point
    configuration in Distribution switch:
    interface TenGigabitEthernet9/1.11
     description ****  ****
     encapsulation dot1Q 311
     ip vrf forwarding VRF11
     ip address 10.2.11.1 255.255.255.252
     no ip route-cache
     ip ospf network point-to-point
    interface TenGigabitEthernet9/1.37
     description ********
     encapsulation dot1Q 337
     ip vrf forwarding VRF37
     ip address 10.2.37.1 255.255.255.252
     no ip route-cache
     ip ospf network point-to-point
    I have segregated the network like this. I am using an inline VLAN pair to pass all the traffic through the IDSM module.
    I am using the monitoring port gi0/8.
    config in core switch
    intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
    IDSM
    physical-interfaces GigabitEthernet0/8
     subinterface-type inline-vlan-pair
     subinterface 11
      description
      vlan1 211
      vlan2 311
     exit
     subinterface 37
      description
      vlan1 237
      vlan2 337
     exit
    The problem I am facing is that some of the VLAN-pair traffic is passing through the IDSM and some of the traffic is not passing; here I have given the statistics:
    MAC statistics from interface GigabitEthernet0/8
       Statistics From Subinterface 11
          Statistics From Vlan 211
             Total Packets Received On This Vlan = 0
             Total Bytes Received On This Vlan = 0
             Total Packets Transmitted On This Vlan = 0
             Total Bytes Transmitted On This Vlan = 0
          Statistics From Vlan 311
             Total Packets Received On This Vlan = 0
             Total Bytes Received On This Vlan = 0
             Total Packets Transmitted On This Vlan = 0
             Total Bytes Transmitted On This Vlan = 0
    Statistics From Subinterface 37
          Statistics From Vlan 237
             Total Packets Received On This Vlan = 3189658726
             Total Bytes Received On This Vlan = 64165872092928
             Total Packets Transmitted On This Vlan = 3549575166
             Total Bytes Transmitted On This Vlan = 64165872092928
          Statistics From Vlan 337
             Total Packets Received On This Vlan = 3549575166
             Total Bytes Received On This Vlan = 64165872092928
             Total Packets Transmitted On This Vlan = 3189658726
             Total Bytes Transmitted On This Vlan = 64165872092928
       Statistics From Subinterface 38
          Statistics From Vlan 238
             Total Packets Received On This Vlan = 2215151150
             Total Bytes Received On This Vlan = 64165872092928
             Total Packets Transmitted On This Vlan = 126546964
             Total Bytes Transmitted On This Vlan = 64165866995200
          Statistics From Vlan 338
             Total Packets Received On This Vlan = 126546964
             Total Bytes Received On This Vlan = 64165866995200
             Total Packets Transmitted On This Vlan = 2215151150
             Total Bytes Transmitted On This Vlan = 64165872092928
    Please give me ideas, experts, so that I can resolve this issue.
    Help me; thanks in advance.

    I believe the issue is because of the config below:
    interface GigabitEthernet1/2.11
    description **** ****
    encapsulation dot1Q 211
    ip vrf forwarding VRF11
    ip address 10.2.11.73 255.255.255.248
    ip ospf network point-to-point
    standby 1 ip 10.2.11.75
    standby 1 priority 110
    standby 1 preempt
    encapsulation dot1Q 311
    ip vrf forwarding VRF11
    ip address 10.2.11.2 255.255.255.252
    ip ospf network point-to-point
    interface TenGigabitEthernet9/1.12
    description ****   ****
    encapsulation dot1Q 312
    ip vrf forwarding VRF12
    ip address 10.2.12.2 255.255.255.252
    ip ospf network point-to-point
    As you can see we have 2 IP subnets in VRF 11, .73 and .2, in VLANs 211 and 311 respectively.
    The switch is doing inter-VLAN routing directly without having to go through the IDSM for VRF 11.
    What we need to remember is that the IDSM does not do routing; it can only bridge VLANs.
    Hence we have to force the packet to go through the IDSM.
    Here is what we do when we use the IDSM to see traffic going between VLANs:
    Normally, with vlans, and IDSM inline mode, we have one IP subnet and 2 Vlans.
    IDSM2 in inline mode necessitates an additional artificial Vlan on the  SAME subnet as the Vlan you wish to sense.
    A layer 3 switch  interface  needs to be configured within this additional artificial Vlan.
    In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.
    In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.
    I can understand if this is a bit tricky to understand.
    Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
    It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.
    https://supportforums.cisco.com/docs/DOC-12206
    - Sid
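The per-VLAN counters posted in the question above are the quickest evidence of Sid's point: a pair whose two VLANs both show zero packets is being routed around, not inspected. The Python below is an added example (not part of this thread and not a Cisco tool) that parses that "MAC statistics" output into a structure and classifies each inline VLAN pair subinterface as idle, one-sided or ok. It also estimates, per direction, how many packets entered on one VLAN but never left on its partner, which on a bridged pair approximates what the sensor did not forward; that estimate assumes the sensor injects no traffic of its own on those VLANs. The sample text is a constructed excerpt in the shape of the question's output.

```python
import re

# Constructed excerpt in the shape of the sensor's per-VLAN MAC statistics shown
# in the question above (subinterfaces 11 and 37 only).
SAMPLE_STATS = """\
MAC statistics from interface GigabitEthernet0/8
   Statistics From Subinterface 11
      Statistics From Vlan 211
         Total Packets Received On This Vlan = 0
         Total Bytes Received On This Vlan = 0
         Total Packets Transmitted On This Vlan = 0
         Total Bytes Transmitted On This Vlan = 0
      Statistics From Vlan 311
         Total Packets Received On This Vlan = 0
         Total Bytes Received On This Vlan = 0
         Total Packets Transmitted On This Vlan = 0
         Total Bytes Transmitted On This Vlan = 0
   Statistics From Subinterface 37
      Statistics From Vlan 237
         Total Packets Received On This Vlan = 3189658726
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 3549575166
         Total Bytes Transmitted On This Vlan = 64165872092928
      Statistics From Vlan 337
         Total Packets Received On This Vlan = 3549575166
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 3189658726
         Total Bytes Transmitted On This Vlan = 64165872092928
"""

SUBIF_RE = re.compile(r"^\s*Statistics From Subinterface (\d+)")
VLAN_RE = re.compile(r"^\s*Statistics From Vlan (\d+)")
CTR_RE = re.compile(r"^\s*Total (Packets|Bytes) (Received|Transmitted) On This Vlan = (\d+)")


def parse_mac_statistics(text):
    """Return {subinterface: {vlan: {"packets_rx", "bytes_rx", "packets_tx", "bytes_tx"}}}."""
    stats, subif, vlan = {}, None, None
    for line in text.splitlines():
        if m := SUBIF_RE.match(line):
            subif, vlan = int(m.group(1)), None
            stats.setdefault(subif, {})
        elif (m := VLAN_RE.match(line)) and subif is not None:
            vlan = int(m.group(1))
            stats[subif][vlan] = {}
        elif (m := CTR_RE.match(line)) and vlan is not None:
            unit, direction, value = m.groups()
            key = unit.lower() + ("_rx" if direction == "Received" else "_tx")
            stats[subif][vlan][key] = int(value)
    return stats


def diagnose_pairs(stats):
    """Per subinterface: 'idle' (no packets on either VLAN, i.e. nothing reaches the
    pair), 'one-sided' (only one VLAN receives), 'ok' (both sides receive), plus the
    number of packets received on one VLAN that were not transmitted on its partner."""
    findings = {}
    for subif, vlans in stats.items():
        if len(vlans) != 2:
            findings[subif] = {"status": "malformed"}
            continue
        (va, ca), (vb, cb) = vlans.items()
        rx = {va: ca.get("packets_rx", 0), vb: cb.get("packets_rx", 0)}
        tx = {va: ca.get("packets_tx", 0), vb: cb.get("packets_tx", 0)}
        live = [v for v in (va, vb) if rx[v] > 0]
        status = "idle" if not live else ("one-sided" if len(live) == 1 else "ok")
        findings[subif] = {
            "status": status,
            # assumption: the sensor adds no packets of its own on these VLANs, so
            # rx on one side minus tx on the other is what it dropped or denied
            "not_forwarded": {f"{va}->{vb}": rx[va] - tx[vb], f"{vb}->{va}": rx[vb] - tx[va]},
        }
    return findings


if __name__ == "__main__":
    for subif, finding in diagnose_pairs(parse_mac_statistics(SAMPLE_STATS)).items():
        print(f"subinterface {subif}: {finding}")
```

Run against the question's figures, subinterface 11 comes out idle (both VLANs at zero, the VRF 11 case Sid explains) while subinterface 37 is ok with nothing unforwarded in either direction, which is what a healthy bridged pair looks like.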

  • Help with inline VLAN Pair and switch configuration

    Hello,
    I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.
    SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to Sw1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.
    I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But, they can't ping when on the separate vlans.
    From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.
    My IPS is configured with inline VLAN pair 100->200 and associated to vs0.
    Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?
    Below are my configs for the switches and the IPS.
    Any help would be appreciated. Thank you!
    IPS Config
    service interface
     physical-interfaces GigabitEthernet0/0
      no description
      admin-state enabled
      duplex auto
      speed auto
      alt-tcp-reset-interface interface-name GigabitEthernet0/3
      subinterface-type inline-vlan-pair
      subinterface 1
       description test
       vlan1 100
       vlan2 200
      exit
     exit
    service analysis-engine
     virtual-sensor vs0
      physical-interface GigabitEthernet0/0 subinterface-number 1
      inline-TCP-session-tracking-mode vlan-only
     exit
    exit
    SW1 and SW2 config
    interface FastEthernet0/1
     switchport access vlan 100
    interface FastEthernet0/9
     switchport access vlan 200
    interface FastEthernet0/18
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface FastEthernet0/24 (SW2 only)
     description IPS port
     switchport trunk encapsulation dot1q
     switchport mode trunk

    It has been a while since I've dealt with a 2900 switch, so I am just trying to guess at what may be wrong with your setup.
    I noticed that neither of your trunk port configurations specifically states which vlans are allowed on the trunks.
    It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which vlans to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which vlans the trunk to the sensor should carry. If I remember right the command would be something like:
    switchport trunk allowed vlan 100,200
    You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk".
    And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.
    On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.
    You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.
    You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.
    NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both pcs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches.
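Two configuration mistakes recur across these threads: the trunk to the sensor does not carry both VLANs of a pair (this answer and the 4250-SX answer above), and the switch has an IP interface on both VLANs of a pair in the same VRF, so it routes between them and the pair never sees the traffic (Sid's answer in the previous thread). The Python below is an added example, not part of any of these posts and not Cisco tooling, that reads a sensor `service interface` block and an IOS switch config and reports both conditions. The two configs are constructed samples modelled on the snippets quoted in these threads; the parser understands only the plain `switchport trunk allowed vlan` form (not the `add`/`remove` variants), SVIs named `VlanN`, and `encapsulation dot1Q` subinterfaces.

```python
import re

# Constructed samples modelled on the configs quoted in these threads (not from a real device).
SENSOR_CFG = """\
service interface
 physical-interfaces GigabitEthernet0/8
  subinterface-type inline-vlan-pair
  subinterface 11
   vlan1 211
   vlan2 311
  subinterface 37
   vlan1 237
   vlan2 337
"""

SWITCH_CFG = """\
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 211,311,337
 switchport mode trunk
interface GigabitEthernet1/2.11
 encapsulation dot1Q 211
 ip vrf forwarding VRF11
 ip address 10.2.11.73 255.255.255.248
interface TenGigabitEthernet9/1.11
 encapsulation dot1Q 311
 ip vrf forwarding VRF11
 ip address 10.2.11.2 255.255.255.252
interface GigabitEthernet1/2.37
 encapsulation dot1Q 237
 ip vrf forwarding VRF37
 ip address 10.2.37.73 255.255.255.248
"""


def parse_inline_pairs(cfg):
    """Map sensor subinterface number -> (vlan1, vlan2)."""
    pairs, current = {}, None
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "subinterface" and tokens[1].isdigit():
            current = int(tokens[1])
            pairs[current] = [None, None]
        elif current is not None and tokens and tokens[0] in ("vlan1", "vlan2"):
            pairs[current][int(tokens[0][-1]) - 1] = int(tokens[1])
    return {k: tuple(v) for k, v in pairs.items()}


def expand_vlan_list(spec):
    """IOS allowed-vlan syntax: '100-101,104-105' -> {100, 101, 104, 105}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switch(cfg):
    """Return (trunks, l3): trunks = {port: allowed VLAN set, None if unrestricted};
    l3 = {vlan: vrf} for every VLAN the switch has an IP interface on."""
    blocks, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif name and line.strip():
            blocks[name].append(line.strip())
    trunks, l3 = {}, {}
    for name, lines in blocks.items():
        if "switchport mode trunk" in lines:
            allowed = [l for l in lines if l.startswith("switchport trunk allowed vlan ")]
            trunks[name] = expand_vlan_list(allowed[-1].split()[-1]) if allowed else None
        m = re.fullmatch(r"Vlan(\d+)", name)            # SVI, e.g. 'interface Vlan150'
        vlan, vrf = (int(m.group(1)) if m else None), "global"
        for l in lines:
            if l.startswith("encapsulation dot1Q "):    # routed 802.1q subinterface
                vlan = int(l.split()[-1])
            elif l.startswith("ip vrf forwarding "):
                vrf = l.split()[-1]
        if vlan is not None and any(l.startswith("ip address ") for l in lines):
            l3[vlan] = vrf
    return trunks, l3


def check_pairs(pairs, trunks, l3):
    """Findings that explain why an inline VLAN pair carries nothing or is bypassed."""
    findings = [f"{p}: no explicit allowed-vlan list; state the pair VLANs explicitly"
                for p, allowed in trunks.items() if allowed is None]
    for subif, (a, b) in pairs.items():
        for port, allowed in trunks.items():
            missing = sorted({a, b} - allowed) if allowed is not None else []
            if missing:
                findings.append(f"subinterface {subif}: VLAN(s) {missing} not allowed on trunk {port}")
        if a in l3 and b in l3 and l3[a] == l3[b]:
            findings.append(f"subinterface {subif}: VLANs {a} and {b} both have IP interfaces in "
                            f"VRF {l3[a]}; the switch routes between them and bypasses the pair")
    return findings
```

Calling `check_pairs(parse_inline_pairs(SENSOR_CFG), *parse_switch(SWITCH_CFG))` on the samples yields two findings: subinterface 11 is bypassed because VRF11 has an address on both 211 and 311, and subinterface 37 cannot work because VLAN 237 is missing from the trunk's allowed list. Fixing the second is the `allowed vlan` edit this answer recommends; fixing the first means keeping the IP interface on only one VLAN of the pair, as Sid describes.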

  • IDS 4215 Inline VLAN Pair

    I am trying to configure an IDS 4215 to do inline VLAN pairing with a Cisco 3750 Layer 3 switch.
    We have 4 VLANs in the 3750: VLAN 100 for workstations, VLAN 200 for servers, VLAN 250 for IP phones and VLAN 150 for firewalls.
    All VLANs have a corresponding SVI, with that IP being the default gateway for each VLAN.
    interface Vlan1
     no ip address
    interface Vlan100
     description Workstation VLAN
     ip address 192.0.0.5 255.255.255.0 secondary
     ip address 192.0.0.254 255.255.255.0
    interface Vlan150
     description WatchGuard FW VLAN
     ip address 192.168.150.254 255.255.255.0
    interface Vlan200
     description Servers
     ip address 192.168.200.254 255.255.255.0
    interface Vlan250
     description VOICE
     ip address 192.168.250.254 255.255.255.0
     ip helper-address 192.168.200.30
    interface Vlan254
     description Management VLAN
     ip address 192.168.254.254 255.255.255.0
    My question is how do i monitor the traffic going to firewall vlan from server/workstation vlans ?
    I read a quite a bit of old topics here in this forum but could not find anything matching though there were few coming close.
    So my idea is to configure a new VLAN, say 151, and move the firewalls to the new VLAN. Then do an inline VLAN pair on the old firewall VLAN 150 and the new FW VLAN 151.
    Any idea if it's going to work? Or can I simply do 2 inline VLAN pairs for the fw-server and fw-workstation VLANs? Also I understand that I have to configure trunking on the switch ports?
    I would appreciate any comments.

    I would recommend you proceed with your first suggestion of creating vlan 151, moving the firewall ports to vlan 151, and then placing the sensor inline between vlans 150 and 151.
    There are 2 options for placing the sensor between vlans 150 and 151: inline interface pairing, or inline vlan pairing.
    With inline interface pairing you would need the 4FE card in the IDS-4215. Create an inline interface pair using Fe2/0 and Fe2/1.
    Create an access port on vlan 150 of your switch and connect Fe2/0.
    Create an access port on vlan 151 of your switch and connect Fa2/1.
    Allow spanning-tree to run (generally between 30 and 40 seconds).
    With InLine Vlan Pairing you can do this with an IDS-4215 without needing the 4FE card.
    Create an inline vlan pair subinterface on Fe0/1 that will pair vlans 150 and 151.
    Create an 802.1q trunk port on your switch that will trunk just vlans 150 and 151 (leave the native vlan of the trunk as vlan 1, but do not place vlan 1 in the list of allowed vlans on the trunk).
    Connect Fe0/1 to your trunk port.
    Now this will cause All traffic between your internal networks and the firewall to have to pass through the sensor. This includes your voice traffic that goes through the internet.
    The other option you mentioned of creating inline vlan pairs on your workstation vlan and your server vlans, I would not recommend with IPS 5.1.
    The inline vlan pairs would have to be created similar to the inline vlan pair I described above using vlans 150 and 151.
    You would have to create vlan 101 and pair 100 and 101.
    As well as create 201 and pair 200 and 201.
    If the workstations ONLY have connections out through the Firewall and NOT to the servers then it would be OK.
    BUT if the workstations also have connections to the servers then it will cause problems. The packets will have to pass through both the vlan 100 and 101 pair as well as the vlan 200 and 201 pair.
    When the sensor sees the same packet again after having been routed (by the switch in this case) it causes issues. The sensor sees that the packet has changed and believes that a hacker is modifying packets on the network.
    This is being addressed in IPS version 6.0 (still under development) so that vlan pair 100 and 101 can be monitored independent of vlan pair 200 and 201.
    So until IPS 6.0 is released I would suggest staying with the single vlan pair approach using vlan pair 150 and 151.

  • Issue - Inline VLAN pair IPS

    Hello everyone,
    I have an issue with an 4255 IPS using an inline VLAN pair. Here's the rough sketch of the topology:
    SW1
    port 1 access vlan 10 - PC (10.20.30.2/24)
    port 48 trunk to SW2 - all vlans allowed and forwarding
    SW2
    port 48 trunk to SW1 - all vlans allowed and forwarding
    port 1 trunk allowed vlan 10,20 to IPS g0/1 configured in inline VLAN pair; assigned to sensor etc.
    SVI vlan 20 for network 10.20.30.1/24 (up/up)
    I'm unable to ping SVI from PC. Anyone have any suggestions? Running packet display on IPS interface I only see BPDUs hitting the interface. VTP is enabled but pruning is disabled. Both vlans exist on both switches.
    I'm only seeing ARP requests from SVI on the IPS, but no replies coming from the remote switch.
    Alternatively the PC is sending ARP requests to the SVI IP, but those aren't getting resolved, nor are they getting to the IPS interface.

    Hello Yuriy
    So the topology is something like:
    PC-----ACCESSPORT----SW1----TRUNK----SWITCH2
                                                |
                                                |
                                       IPS inline VLAN pair
    The thing is that if you already allow the VLANs on the trunk link then the traffic will not get inspected by the IPS.
    Do you see what I mean? You must force it to go to the IPS.
    Let me know if I was clear enough.

  • IPS Interface Pairs vs. Inline VLAN Pairs

    I've got a Cisco IPS 4240 that needs to be configured inline. Right now I've got an ASA 5525-X with two interfaces (inside and DMZ) plugged into our Catalyst 6500 switch that need to be monitored by the IPS. I also plugged two interfaces from the IPS into the same Catalyst switch hoping that I could use the inline VLAN pairs to monitor that traffic. I've got several VLANs in our DMZ and LAN that need to be monitored. The problem is that I don't understand how the inline VLAN pairs are supposed to work (Cisco's IPS documentation is almost useless); I've been fighting with it for some time with no success.
    I'm now thinking that it might be a better idea to plug the two interfaces from the ASA directly into the IPS and then create Interface Pairs from the IPS to the switch. My concern with doing this is that I am turning the IPS into a single point of failure: if it goes down, everything goes down with it. Also, will the Interface Pairs work with an 802.1q trunk? Would I then need to create VLAN groups for the trunk? Would using inline VLAN pairs also create a single point of failure?
    Basically, I'd like to know the pros and cons of the Interface Pairs vs. the Inline VLAN pairs. Interface Pairs seems like the easiest and most comprehensive way to go, but if I can avoid the single point of failure with the inline VLAN pairs I would like to go that route.

    Hello Paul,
    I want to go with Inline vlan pair, I don't want to go with interface pairing, as this is requested by the customer. How can I do it, as I have an IPS-4240 with 4 gig ports?
    I have a doubt: if we create a vlan pair, then in each pair should 1 be a real vlan and the other a dummy vlan???? (for example vlan 2 and vlan 3, in which vlan 3 is the dummy vlan). Please suggest.
    If I have 10 vlans then I will configure the 10 pairs of vlans on gig0/0 with real and dummy vlans, but what vlan pair should I configure on gig0/1, i.e. the exit interface to the ASA DMZ interface?
    Thanks
    Message was edited by: adamgibs7

  • IDSM inline VLAN pairing

    We have a cat 6509 switch with FWSM, IDSM-2, NAM modules. Customer wants all the internal VLANs to be monitored by IDSM in inline mode. Customer has around 400 VLANs in the datacenter and wants to monitor all communications between VLANs. How do I monitor all VLANs when IDSM has 2 data ports and can only span 255 vlan groups per port?
    Please suggest!
    Vinod

    I don't know if anyone is still watching this or not but that's a lot of VLANs to go through a (single?) IDSM. Technically you should be able to do it by splitting the VLAN pairs across the two data ports (i.e. vlan 2-200,1002-1200 on DP 1 and vlan 300-500,1300-1500 on DP 2). Considering each IDSM only has a throughput of 500MBps when deep scanning, you're going to potentially be limiting your throughput considerably if you do this.
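A worked planner for the split the reply suggests, added here as an example and not part of the thread or of any Cisco tool. It takes a list of VLAN pairs, enforces the 255-pairs-per-data-port limit quoted from the IDSM-2 documentation and the rule that a VLAN can sit in only one pair, fills data port 1 (GigabitEthernet0/7 on the sensor) and then data port 2 (GigabitEthernet0/8), and emits the Catalyst `intrusion-detection module ... trunk allowed-vlan` lines together with the sensor-side `service interface` subinterface configuration. It also rejects VLANs 1002-1005, the Catalyst default reserved FDDI/Token Ring VLANs, which the 2-200/1002-1200 split above would run into. Slot 6, the VLAN ranges and the "real VLAN v paired with v+offset" convention used in the demo are assumptions for illustration; the sensor CLI lines follow the IPS 5.x/6.x `service interface` submode.

```python
"""Plan IDSM-2 inline VLAN pairs across the module's two data ports.

Added example for the thread above, not Cisco tooling. It models:
  * at most 255 VLAN pairs per data port (IDSM-2 documentation);
  * a VLAN may appear in only one pair, and a pair must not use the same
    VLAN on both sides;
  * VLANs 1002-1005 are Catalyst default reserved (FDDI/Token Ring) VLANs
    and 0/4095 are not usable, so they are rejected up front.
Slot number, VLAN ranges and the pairing offset used in the demo are
assumptions for illustration only.
"""
from collections import defaultdict

MAX_PAIRS_PER_PORT = 255
RESERVED_VLANS = {1002, 1003, 1004, 1005}
# IDSM-2 sensing ports as the sensor names them: data-port 1 is ge0/7, 2 is ge0/8.
SENSOR_PORT = {1: "GigabitEthernet0/7", 2: "GigabitEthernet0/8"}


def validate_pairs(pairs):
    """Return a list of problems (empty list means the plan is consistent)."""
    problems = []
    owner = {}  # vlan -> index of the pair that already uses it
    for idx, (v1, v2) in enumerate(pairs, start=1):
        if v1 == v2:
            problems.append(f"pair {idx}: both sides are VLAN {v1}")
        for v in (v1, v2):
            if not 1 <= v <= 4094 or v in RESERVED_VLANS:
                problems.append(f"pair {idx}: VLAN {v} is reserved or out of range")
            elif v in owner:
                problems.append(f"pair {idx}: VLAN {v} already used by pair {owner[v]}")
            else:
                owner[v] = idx
    return problems


def assign_ports(pairs, ports=(1, 2)):
    """Fill data port 1 up to 255 pairs, then data port 2; error if too many."""
    capacity = MAX_PAIRS_PER_PORT * len(ports)
    if len(pairs) > capacity:
        raise ValueError(f"{len(pairs)} pairs exceed the {capacity} this module can bridge")
    plan = defaultdict(list)
    for i, pair in enumerate(pairs):
        plan[ports[i // MAX_PAIRS_PER_PORT]].append(pair)
    return dict(plan)


def compress_ranges(vlans):
    """Render a VLAN set the way IOS wants it in allowed-vlan: '2-4,10-11'."""
    vlans = sorted(set(vlans))
    out, start, prev = [], vlans[0], vlans[0]
    for v in vlans[1:] + [None]:  # None flushes the last run
        if v is not None and v == prev + 1:
            prev = v
            continue
        out.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = v
    return ",".join(out)


def switch_config(plan, slot):
    """Catalyst side: trunk each data port with exactly the VLANs it pairs."""
    lines = []
    for port, pairs in sorted(plan.items()):
        vlans = [v for pair in pairs for v in pair]
        lines.append(f"intrusion-detection module {slot} data-port {port} "
                     f"trunk allowed-vlan {compress_ranges(vlans)}")
    return lines


def sensor_config(plan):
    """Sensor side: one inline-vlan-pair subinterface per pair, per physical port."""
    lines = ["service interface"]
    for port, pairs in sorted(plan.items()):
        lines += [f"physical-interfaces {SENSOR_PORT[port]}",
                  "subinterface-type inline-vlan-pair"]
        for n, (v1, v2) in enumerate(pairs, start=1):
            lines += [f"subinterface {n}", f"vlan1 {v1}", f"vlan2 {v2}", "exit"]
        lines += ["exit", "exit"]
    lines.append("exit")
    return lines


def build_pairs(first, last, offset):
    """Demo pairing: real VLAN v bridged to a dummy VLAN v+offset (assumption)."""
    return [(v, v + offset) for v in range(first, last + 1)]


if __name__ == "__main__":
    # 400 VLANs as in the question. Offset 1000 (the 2-200/1002-1200 split in
    # the reply) collides with the reserved VLANs; offset 2000 does not.
    print(validate_pairs(build_pairs(2, 401, 1000))[:4])
    pairs = build_pairs(2, 401, 2000)
    assert not validate_pairs(pairs)
    plan = assign_ports(pairs)
    for line in switch_config(plan, slot=6):
        print(line)
    print(f"{len(plan[1])} pairs on data port 1, {len(plan[2])} on data port 2")
```

After applying the generated lines, each subinterface still has to be bound to the virtual sensor (`service analysis-engine`, `virtual-sensor vs0`, `physical-interface GigabitEthernet0/7 subinterface-number N`), which is what "assigned to vs0" means in the threads below. The planner balances pair counts only; the throughput caveat in the reply still applies, since both data ports feed the same inspection engine.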

  • IDSM-2 Inline VLAN configuration issue

    The SVR is on VL60, the PC is on VL80.
    So, PC(.25)--VL81--GE0/7--VL80--SVI80--SVI60--VL60--SVR(.10)
    Sensor interface GigabitEthernet0/7 is assigned to trunk all Vlans 1-4094
    CAT65K-PODX#sh ru | in intrusion
    intrusion-detection module 6 management-port access-vlan 99
    intrusion-detection module 6 data-port 1 trunk allowed-vlan 1-4094
    CAT65K-PODX#
    The interface is assigned to vs0.
    All I am seeing is "unknown 802.1d" when I look at the interface instead of the continuous ping I have from the PC to the SVR. (80.25 to 60.10)
    CAT65K-PODX#ses sl 6 pr 1
    The default escape character is Ctrl-^, then x.
    You can also type 'exit' at the remote prompt to end the session
    Trying 127.0.0.61 ... Open
    login: cisco
    Password:
    Last login: Mon Oct 23 18:16:06 from 127.0.0.51
    ***NOTICE***
    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to export@cisco.com.
    ***LICENSE NOTICE***
    There is no license key installed on the system.
    The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
    IDSM2-PODX# pack disp gi
    gigabitEthernet0/2 gigabitEthernet0/7 gigabitEthernet0/8
    IDSM2-PODX# pack disp gigabitEthernet0/7
    Warning: This command will cause significant performance degradation
    tcpdump: WARNING: ge0_7: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ge0_7, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:35:17.968178 802.1d unknown version
    0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
    0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
    0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
    0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
    0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
    0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
    0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
    0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
    18:35:19.968666 802.1d unknown version
    0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001 ..........3F....
    0x0010: 0079 4242 0300 0003 027c 1000 000f f863 .yBB.....|.....c
    0x0020: 8400 0000 0000 1000 000f f863 8400 8287 ...........c....
    0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363 ..........P.cisc
    0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000 o...............
    0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6 ..............F.
    0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000 ............2...
    0x0070: 0000 1000 000f f863 8400 147c 80 .......c...|.
    2 packets captured
    2 packets received by filter
    0 packets dropped by kernel
    IDSM2-PODX#

    exit
    signatures 60000 0
    alert-severity medium
    sig-fidelity-rating 75
    sig-description
    sig-name BadICMP
    sig-string-info BadICMP
    sig-comment BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|log-attacker-packets
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-code yes
    icmp-code 8
    exit
    exit
    exit
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    exit
    exit
    exit
    exit
    signatures 60001 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name Block BadICMP
    sig-string-info Block BadICMP
    sig-comment Block BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|request-block-host
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-seq no
    specify-icmp-type no
    specify-icmp-code yes
    icmp-code 0
    exit
    specify-icmp-id no
    specify-icmp-total-length no
    exit
    specify-payload-inspection no
    exit
    specify-ip-payload-length no
    specify-ip-header-length no
    specify-ip-tos no
    specify-ip-ttl no
    specify-ip-version no
    specify-ip-id no
    specify-ip-total-length no
    specify-ip-option-inspection no
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    specify-dst-ip-addr no
    exit
    exit
    exit
    event-counter
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    specify-global-summary-threshold no
    exit
    exit
    status
    enabled false
    exit
    exit
    signatures 60002 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name WatchHTTP
    sig-string-info WatchHTTP
    sig-comment WatchHTTP
    exit
    engine service-http
    service-ports 80,443
    exit
    status
    enabled false
    exit
    exit
    signatures 60003 0
    alert-severity high
    sig-fidelity-rating 75
    sig-description
    sig-name LogICMP
    sig-string-info BadICMP
    sig-comment BadICMP
    exit
    engine atomic-ip
    event-action produce-alert|log-pair-packets
    specify-l4-protocol yes
    l4-protocol icmp
    specify-icmp-seq no
    specify-icmp-type no
    specify-icmp-code no
    specify-icmp-id no
    specify-icmp-total-length no
    exit
    specify-payload-inspection no
    exit
    specify-ip-payload-length no
    specify-ip-header-length no
    specify-ip-tos no
    specify-ip-ttl no
    specify-ip-version no
    specify-ip-id no
    specify-ip-total-length no
    specify-ip-option-inspection no
    specify-ip-addr-options yes
    ip-addr-options ip-addr
    specify-src-ip-addr yes
    src-ip-addr 10.1.80.25
    exit
    specify-dst-ip-addr no
    exit
    exit
    exit
    event-counter
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    specify-global-summary-threshold no
    exit
    exit
    status
    enabled false
    exit
    exit
    exit
    service ssh-known-hosts
    rsa1-keys 10.1.80.1
    length 512
    exponent 65537
    modulus 991855327191948068336083262027767630211536570646048046207473086001594287
    45731517042852081906588402062478059658578012089704942074191546123977278518597538
    73
    exit
    exit
    service trusted-certificates
    exit
    service web-server
    port 443
    exit
    IDSM2-PODX#
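To see what the "802.1d unknown version" frames in that capture actually are, here is a decoder for the hex dump above, added as an example and not part of the original post. It rebuilds the bytes from the tcpdump hex columns and walks the 802.1Q tag, the LLC header and the BPDU: the frame is tagged VLAN 1 at priority 7, the LLC SAP pair 0x42/0x42 marks it as spanning tree, and the protocol version byte is 3, i.e. an 802.1s MST BPDU carrying the MST configuration name "cisco", which is why the sensor's tcpdump prints "unknown version" instead of a decode. In other words, the only thing reaching GigabitEthernet0/7 in that capture is the switch's own spanning-tree traffic on VLAN 1, not the PC's pings on VLAN 80/81. Field offsets follow the public 802.1Q, 802.1D and 802.1s layouts; nothing Cisco-specific is assumed.

```python
"""Decode the frame 'packet display gigabitEthernet0/7' captured above.

Added example, not part of the original post. The hex dump is copied from
the thread; the parser walks Ethernet -> 802.1Q -> LLC -> STP far enough
to identify the frame. Offsets follow the public 802.1Q, 802.1D and
802.1s formats; nothing Cisco-specific is assumed.
"""
import struct

# tcpdump -x style dump as printed on the sensor (first captured frame).
DUMP = """
0x0000: 0180 c200 0000 0016 9dab 3346 8100 e001
0x0010: 0079 4242 0300 0003 027c 1000 000f f863
0x0020: 8400 0000 0000 1000 000f f863 8400 8287
0x0030: 0000 1400 0200 0f00 0000 5000 6369 7363
0x0040: 6f00 0000 0000 0000 0000 0000 0000 0000
0x0050: 0000 0000 0000 0000 0000 0000 0001 46b6
0x0060: c0ce 9a01 9392 94e2 dcc9 ca1b 3291 0000
0x0070: 0000 1000 000f f863 8400 147c 80
"""

STP_VERSION = {0: "802.1D STP", 2: "802.1w RSTP", 3: "802.1s MSTP"}


def dump_to_bytes(dump):
    """Drop the offset column, join the hex groups, return raw bytes."""
    hexstr = "".join(line.partition(":")[2].replace(" ", "")
                     for line in dump.strip().splitlines())
    return bytes.fromhex(hexstr)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode(frame):
    """Return a dict describing the frame's tag, LLC and (if present) BPDU."""
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12])}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == 0x8100:  # 802.1Q tag: 16-bit TCI, then the real type/length
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"], info["vlan"] = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    info["type_or_length"] = ethertype
    if ethertype > 1500:  # Ethernet II payload, no LLC header; stop here
        return info
    dsap, ssap, ctrl = frame[off:off + 3]
    info["llc"] = (dsap, ssap, ctrl)
    off += 3
    if (dsap, ssap) != (0x42, 0x42):  # 0x42 = Bridge Spanning Tree SAP
        return info
    proto_id, version, bpdu_type = struct.unpack("!HBB", frame[off:off + 4])
    info.update(stp_version=version,
                stp_version_name=STP_VERSION.get(version, "unknown"),
                bpdu_type=bpdu_type)
    if bpdu_type not in (0x00, 0x02):  # TCN BPDUs carry nothing further
        return info
    # Configuration / RST / MST BPDUs share this 31-byte core after the type byte.
    (flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack("!B8sI8sHHHHH",
                                                         frame[off + 4:off + 35])
    info.update(flags=flags,
                root_priority=struct.unpack("!H", root_id[:2])[0],
                root_mac=mac(root_id[2:]),
                bridge_mac=mac(bridge_id[2:]),
                port_id=port_id,
                max_age_s=max_age / 256,  # timers are in 1/256 s units
                hello_s=hello / 256,
                fwd_delay_s=fwd_delay / 256)
    if version == 3 and len(frame) >= off + 71:
        # MST: version-1 length, version-3 length, then the MST configuration
        # identifier (format selector, 32-byte name, revision, digest).
        info["v3_length"] = struct.unpack("!H", frame[off + 36:off + 38])[0]
        name = frame[off + 39:off + 71]
        info["mst_config_name"] = name.split(b"\x00", 1)[0].decode("ascii", "replace")
    return info


def classify(frame):
    """One-line verdict in the spirit of a tcpdump summary line."""
    info = decode(frame)
    if "stp_version" in info:
        return (f"VLAN {info.get('vlan')} pcp {info.get('pcp')}: "
                f"{info['stp_version_name']} BPDU type 0x{info['bpdu_type']:02x}, "
                f"root {info.get('root_mac')} prio {info.get('root_priority')}")
    return f"VLAN {info.get('vlan')}: type 0x{info['type_or_length']:04x} from {info['src']}"


if __name__ == "__main__":
    frame = dump_to_bytes(DUMP)
    print(classify(frame))
    for k, v in decode(frame).items():
        print(f"  {k}: {v}")
```

If you are checking an inline VLAN pair, the frames you want to see here are the ICMP echoes tagged with VLAN 80 or 81; a capture that contains nothing but tagged BPDUs on VLAN 1 shows the pair is up but nothing is being steered into it.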
