IPS 6.0 inline on IDSM2

Jul 28th, 2008

Hi All,


We are trying to deploy inline vlan pair method on IDSM2 with the below setup


1) IDSM side config

service interface
physical-interfaces GigabitEthernet0/7
no description
default-vlan 100
subinterface-type inline-vlan-pair
subinterface 1
description test
vlan1 200
vlan2 201
exit
!
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/7 subinterface-number 1


2) Switch side


intrusion-detection module 2 data-port 1 trunk allowed-vlan 200,201


where vlan 200 (L2) is assigned to an access port which in turn is connected to a laptop with IP address 10.10.23.2/30, while an L3 SVI for vlan 201 is created on the switch with IP address 10.10.23.1/30. When we tried to ping 10.10.23.1 from the laptop, we couldn't.


Is there any config missing or wrong in the setup performed above for inline?


Any help would be really appreciated


Thanks


Regards

Anantha Subramanian Natarajan



marcabal (Cisco Employee) Mon, 07/28/2008 - 14:01

By default the vlan 201 SVI will go down if the only ports in the vlan are the SVI and IDSM-2 ports. The SVI ignores/excludes the IDSM-2 ports when trying to detect other ports on the vlan and the autostate feature will bring down the SVI interface if no other interface exists on the vlan.


However, this can be configured by the user to force the SVI to include (rather than exclude/ignore) the IDSM-2 ports so then the SVI will come up even if the IDSM-2 is the only other interface in the vlan.


intrusion-detection module module_number data-port 1 autostate include


Here is the section from the user guide talking about this command:

http://www.cisco.com/en/US/partner/docs/security/ips/6.1/configuration/guide/cli/cli_idsm2.html#wp1032690

-[no] intrusion-detection module module_number data-port {1 | 2} autostate include


Includes (or excludes) the specified data port in the autostate calculation. When included, the switch virtual interface associated with an MSFC or WLAN port remains up while the module's data port is enabled. When excluded, the switch virtual interface associated with the MSFC or WAN port goes down if the specified module's data port is the only active port in the VLAN. The default is no include.
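
As an added example (not part of the original post or of Cisco's documentation), here is the complete Catalyst 6500 native IOS switch-side configuration for the test topology in the question, with the autostate command marcabal describes, and the show commands to confirm the SVI came up. The module number (2), VLANs (200/201) and IP addresses are taken from the question; the laptop port name GigabitEthernet3/1 is an assumption.

```cisco
! --- Catalyst 6500 (native IOS), switch side of the inline VLAN pair test ---
! Both VLANs of the pair must exist on the switch.
vlan 200
 name ips-test-host-side
vlan 201
 name ips-test-svi-side
!
! Trunk both VLANs to IDSM-2 data port 1 (module 2, as in the question).
intrusion-detection module 2 data-port 1 trunk allowed-vlan 200,201
!
! Count the IDSM-2 data port in the autostate calculation so that Vlan201
! comes up even though the sensor port is the only other member of VLAN 201.
! Without this line the SVI stays down and the ping from the laptop fails.
intrusion-detection module 2 data-port 1 autostate include
!
! Laptop side: access port in VLAN 200 (interface name is an assumption).
interface GigabitEthernet3/1
 description laptop 10.10.23.2/30
 switchport
 switchport mode access
 switchport access vlan 200
!
! Router side: the SVI lives in the OTHER VLAN of the pair, so every packet
! between the laptop and the SVI is bridged 200 <-> 201 through the sensor.
interface Vlan201
 ip address 10.10.23.1 255.255.255.252
 no shutdown
!
! Verification (exec mode):
!   show intrusion-detection module 2 data-port 1 state    -> trunking, VLANs 200,201
!   show interface vlan 201                                -> line protocol up
!   show intrusion-detection module 2 data-port 1 traffic  -> counters increment on ping
```

One caveat: the sensor must be the only bridge between VLAN 200 and VLAN 201. If another trunk or device carries both VLANs of a pair, the inline bridging on the IDSM-2 creates a Layer 2 loop.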


anasubra_2 Mon, 07/28/2008 - 17:35

Hi Marcabal,


Thank you very much


Regards

Anantha Subramanian Natarajan

dinesh.das Mon, 07/28/2008 - 22:13

Hi Marcabal,

Any document is available on FWSM and IDSM-2 inline Vlan pair config.

marcabal (Cisco Employee) Tue, 07/29/2008 - 07:01

No specific document for FWSM and IDSM-2 that I am aware of.


But this is mainly because the FWSM would just be treated as any other machine on the vlan.


Usual deployment models would be something like the following.

Assume the FWSM has interfaces on 3 vlans:

vlan 100 outside

vlan 200 dmz

vlan 300 inside


You decide you want the IDSM-2 to do inline monitoring on both the dmz and inside interfaces.


So you create vlans 201 and 301.

Create inline vlan pair for 200 and 201, and a second inline vlan pair 300 and 301.


Now move all of your DMZ machines from vlan 200 to vlan 201.

Move all of your Internal machines from vlan 300 to vlan 301.


Assign the vlan 200 and 201 pair to virtual sensor vs0.


Now create a new virtual sensor vs1, and assign the vlan 300 and 301 pair to virtual sensor vs1.


The IDSM-2 is now monitoring all traffic going between your FWSM and your DMZ servers, as well as monitoring all traffic going between your FWSM and Internal machines.


NOTE: Any time an Internal machine connects to a DMZ server the traffic is actually monitored twice. Once in vs1 for the 300/301 pair, and again in vs0 for the 200/201 pair.



Now let's change it up a bit, and say that you also want to monitor the "outside" interface on vlan 100 as well.


But there are no direct connections from the switch to vlan 100, and instead the switch itself has an SVI on vlan 100. So the switch's SVI and the FWSM are the only things on vlan 100.


You would create vlan 101.

Remove the SVI from vlan 100.

And instead create an SVI on vlan 101 with the same IP as the SVI you removed from vlan 100.

Now create an inline vlan pair with 100 and 101 on the IDSM-2.

Create a new virtual sensor vs2, and put the inline vlan pair for 100 and 101 into vs2.

And from your previous post you now know that you also need to execute the "autostate include" command for the IDSM-2 port in order for the switch to bring up its SVI on vlan 101.



NOTE: It is always recommended to use a different virtual sensor for monitoring each side of the firewall/FWSM (or in other words a separate virtual sensor for each network).

With 4 virtual sensors, you can monitor 4 different networks this way.

If you try to monitor multiple networks in the same virtual sensor it can confuse the sensor. In the previous example where an Internal machine connects to a DMZ server the traffic for that connection gets seen twice. With each network in a separate virtual sensor, the sensor just treats these as 2 separate connections. But if you put both the Inside and DMZ networks into a single virtual sensor, then by DEFAULT it will try to treat the traffic as a single connection. This confuses the sensor because it sees the same packets again after the firewall, but they have been modified by the firewall. The sensor thinks this could be hacker activity and could wind up denying the packets and stopping the connection.

HOWEVER, there is a way around this problem in case you do have to wind up with multiple networks in the same virtual sensor. There is a configuration command "inline-TCP-session-tracking-mode" that is part of the virtual sensor configuration. Changing this configuration to "interface-and-vlan" will tell the sensor to NOT track it as a single connection, but instead track it as 2 separate connections (one connection on the Internal network, and a second connection on the DMZ network). This keeps the sensor from being confused.



Hope this all helps in getting your IDSM-2 deployed.
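
The three-pair deployment described in this post, written out as an added example (not configuration from the post or from Cisco documentation). It assumes the IDSM-2 is in slot 2 and the FWSM in slot 3, a single FWSM context, an outside SVI address of 203.0.113.1/24 and a DMZ server on GigabitEthernet4/1; all of those are assumptions. The IDSM-2 section is in the show-configuration layout the question used; the explicit signature-definition and event-action-rules lines on vs1 and vs2 reuse the default sig0/rules0 policies so the new virtual sensors inspect with the same policy as vs0.

```cisco
! ===== Catalyst 6500 supervisor (native IOS) =====
! IDSM-2 in slot 2, FWSM in slot 3 (slot numbers are assumptions).
vlan 100,101,200,201,300,301
!
! The FWSM keeps its original VLANs: 100 outside, 200 dmz, 300 inside.
firewall vlan-group 1 100,200,300
firewall module 3 vlan-group 1
!
! Hosts move to the "other" side of each pair: DMZ servers -> 201,
! internal hosts -> 301. Only the VLAN assignment changes; IPs and routes stay.
interface GigabitEthernet4/1
 description dmz-server (interface name is an assumption)
 switchport
 switchport mode access
 switchport access vlan 201
!
! Outside: the SVI that lived in VLAN 100 moves to VLAN 101 with the same IP,
! so FWSM <-> SVI traffic now crosses the sensor.
no interface Vlan100
interface Vlan101
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
! All three pairs ride IDSM-2 data port 1.
intrusion-detection module 2 data-port 1 trunk allowed-vlan 100,101,200,201,300,301
! VLAN 101 holds only the SVI, the FWSM and the sensor port; keep the SVI up.
intrusion-detection module 2 data-port 1 autostate include

! ===== IDSM-2 (IPS 6.x, show-configuration layout) =====
service interface
physical-interfaces GigabitEthernet0/7
subinterface-type inline-vlan-pair
subinterface 1
description dmz 200-201
vlan1 200
vlan2 201
exit
subinterface 2
description inside 300-301
vlan1 300
vlan2 301
exit
subinterface 3
description outside 100-101
vlan1 100
vlan2 101
exit
exit
exit
exit
!
! One virtual sensor per network: a flow that crosses the firewall is then
! tracked as two separate connections instead of one "modified" connection.
service analysis-engine
virtual-sensor vs0
description dmz
physical-interface GigabitEthernet0/7 subinterface-number 1
exit
virtual-sensor vs1
description inside
signature-definition sig0
event-action-rules rules0
physical-interface GigabitEthernet0/7 subinterface-number 2
exit
virtual-sensor vs2
description outside
signature-definition sig0
event-action-rules rules0
physical-interface GigabitEthernet0/7 subinterface-number 3
exit
exit
```

If two of the pairs must share one virtual sensor, add `inline-TCP-session-tracking-mode interface-and-vlan` under that virtual-sensor block so the sensor keys each TCP session on the VLAN pair it was seen on rather than on the 5-tuple alone; otherwise the post-firewall copy of a connection (same addresses and ports, modified by the FWSM) looks like tampering with an existing session and can be denied.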



dinesh.das Tue, 07/29/2008 - 23:09

Hi,


Thank you for your reply, it is really helpful


In my scenario, i want to monitor the traffic for Inside interface, VLAN 300 and i created one vlan 301.

I have multiple VLANs on the 6500 with CSM and other stuff. I cannot change these VLANs from the interface; the default route to the Internet context is 0 0 XX.XX.300.3 on the switch (IP configured on the FW context inside interface).


As you said, the traffic flow should be user---VLAN 301---IDSM---VLAN 300---FWSM---Internet.


Here is the problem: how to divert the traffic toward VLAN 301.

Any suggestions.


marcabal (Cisco Employee) Wed, 07/30/2008 - 06:00

In order to get your internal traffic to go through the IDSM-2 to get to the FWSM, you only have 2 options.


Option 1) Move all of your internal machines to vlan 301. This could be a lot of moving of interfaces to that new vlan. And if you have multiple switches with this vlan, then the change has to be across all of the switches. But understand that it is only the vlan assignment on the switch that needs to be changed. The IP Addresses and Routes do NOT change. The boxes continue to use their same IP Addresses and they continue to use the same Routes.



Option 2) Leave the Internal network on vlan 300, and instead change the FWSM interface to be on 301 instead of 300.


Option 2 can often be an easier method since only the FWSM's configuration has to change.
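
Option 2 written out as an added example (not configuration from the post). It assumes the same slots as before (IDSM-2 in slot 2, FWSM in slot 3), a single-context FWSM whose inside interface keeps its existing address (10.0.0.1/24 here is a placeholder), and that the 300/301 inline VLAN pair is already configured on the IDSM-2; in multiple-context mode the VLAN change is made with allocate-interface in the system context instead. Hosts stay in VLAN 300 and do not change.

```cisco
! ===== Catalyst 6500 supervisor (native IOS) =====
vlan 301
 name inside-fwsm-side
!
! The FWSM now owns VLAN 301 instead of 300; re-entering vlan-group 1
! replaces its VLAN list. Hosts remain untouched in VLAN 300.
firewall vlan-group 1 100,200,301
firewall module 3 vlan-group 1
!
! The sensor bridges 300 <-> 301 inline, so host <-> FWSM traffic is inspected.
intrusion-detection module 2 data-port 1 trunk allowed-vlan 300,301

! ===== FWSM (single context; address is a placeholder) =====
! Retire the old inside interface and recreate it on VLAN 301 with the same
! nameif, security level and IP, so no host route or default gateway changes.
interface Vlan300
 no nameif
 shutdown
!
interface Vlan301
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
```

Note that this only relocates one FWSM interface: any host VLAN that reaches the FWSM by routing (rather than by being in VLAN 300) still arrives on the FWSM from the same SVI and is not redirected into the pair, which is the limitation raised in the next reply.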

dinesh.das Thu, 07/31/2008 - 04:42

Option one is right.

For the second, it is possible only if all servers are in the same VLAN, either 300 or 301.


In my 6500 not all hosts are in VLAN 300; we have VLANs 1-50 for servers. My client wants to monitor traffic from VLAN 1-50 to VLAN 300. On the 65k we are diverting the traffic with the help of 0 0 x.x.300.3 (IP configured on the FW context inside interface).

I think in this condition second option will not work.

