Hi.

I dont think you can use the same VLAN ID in multiple pairs. You cannot use VLAN D as per the above example in all the pairs.

You might need to create dummy L2 vlans for everyvlan that you want to monitor. Move the IP address from the actual VLAN interface to the newly created vlan interface.

e.g. If you have

interface vlan A

ip address A.A.A.A .......

You will have to create a VLAN X.

vlan x

interface vlan x

ip address A.A.A.A ......

Now use the IDSM to configure pairing between A and X

IDSM will simply bridge the two vlans together.

HTH.

Hi,

As mentioned my front end is FWSM--MSFC--, so i don't have any ip address assigned on that vlan it is just a L2 vlan, so now what ?

One more thing, which I want to clarify, is that VLAN Pair configuration provides the Hardware bypass.

your dummy vlan (for every fwsm vlan) will be the actual end user vlan. (switchport access vlan command).

IDSM-2 will just bridge the dummy vlan with the actual vlan in pair.

Vinod

Vinod,

My actual VLAN 10 and i created one more dummy VALN 101, so do I need to change the FWSM configuration also like

From

firewall module 1 vlan-group 1,2,3

firewall vlan-group 2 10 100

To

firewall module 1 vlan-group 1,2,3

firewall vlan-group 2 101 100

so the data flow is just like VLAN10--IDSM2---VLAN 101--FWSM--MSFC

and

correct me if i am wrong, VLAN pair configuration is not available with IDSM-5, i think we need to upgrade the IDSM 5 to 6 and what about Hardware bypass? is hardware bypass is available with VLAN pair?

Please provide me the link for any configuration document of VLAN pair with IDSM-5

Dinesh

The link for IDSM running 5.1 which has provision for inline vlan pair http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliguide.html

Thanks

Udaya

Hi Udaya,

I am not able to find out any subinterface.

I think it is available from IPS 5.1 and this one is IPS5.0(2)

IDSM2CORE2(config-int)# show settin

physical-interfaces (min: 0, max: 999999999, current: 3)

-----------------------------------------------

name: GigabitEthernet0/2

-----------------------------------------------

media-type: backplane

description:

admin-state: enabled

duplex: auto

speed: auto

alt-tcp-reset-interface

-----------------------------------------------

none

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

name: GigabitEthernet0/7

-----------------------------------------------

media-type: backplane

description:

admin-state: enabled

duplex: auto

speed: auto

alt-tcp-reset-interface

-----------------------------------------------

interface-name: System0/1

-----------------------------------------------

-----------------------------------------------

name: GigabitEthernet0/8

-----------------------------------------------

media-type: backplane

description:

admin-state: enabled

duplex: auto

speed: auto

alt-tcp-reset-interface

-----------------------------------------------

interface-name: System0/1

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

command-control: GigabitEthernet0/2

inline-interfaces (min: 0, max: 999999999, current: 0)

-----------------------------------------------

-----------------------------------------------

bypass-mode: auto

interface-notifications

-----------------------------------------------

missed-percentage-threshold: 0 percent

notification-interval: 30 seconds

idle-interface-delay: 30 seconds

-----------------------------------------------

Your FWSM configuration will not change and will remain as it is.

FWSM configuration

firewall module 1 vlan-group 1,2,3

firewall vlan-group 2 10 100

MSFC Configuration

Vlan 101

intrusion-detection module "slot-number" data-port "1/2" trunk allowed-vlan 10,101.

IDSM-2 configuration

Login to GUI and go to interface configuration --> VLAN pairs

Click Add.

Interface name - gigabitethernet0/7 or 0/8 (this corresponds to data port 1 or 2)

Subinterface number - 1

VLAN A - 101

VLAN B - 10

Give a description and click Apply

Next go to analysis engine - virtual sensors

select the pair you created above and click on apply. (This creates the inline vlan pair and bridges the 2 vlans).

Try generating some attacks from end user vlan (101) and see idsm-2 blocking attacks.

goodwills

Vinod

Hi Vinoth,

Ur posts are helpful for me to understand the Inline VLAN pair deployment.So then how to send log to the destination, where my IEV is installed in one of the Vlan in FWSM. Kindly provide me the config steps also..

IDSM-2 logs are sent using the management interface gig0/2. Depending on your management VLAN (either on FWSM or MSFC) where your IDSM-2 is placed, you might need to do the configuration accordingly.

Vinod

Hi Vino,

Thanks.Let say my Managent Vlan is in FWSM(VLAN 120). I need to monitor Vlan's 100, 160, 130, 140. So if that is the case..Kindly provide me configuration steps for sending logs to Mgmt Vlan 120.

Hi,

I am done with the config (Inline VLAN PAIR), but i am not able to see any logs at event viewver.

I enabled all FTP & MSN signatur but there is not logs for the same and able to access the internet services.

any one can help me out to trouble shoot the problem ?

Regards.