10-20-2008 08:43 AM - edited 03-10-2019 04:20 AM
Hi all,
We have a 6509 with FWSM and IDSM. All VLANs (servers, voice, users, etc.) are homed directly on the FWSM. We need to protect the server farm VLAN from attacks originating from both inside and outside. All traffic coming from outside and headed for the servers, as well as traffic from user VLANs, needs to be intercepted. So I am planning to put the IDSM in inline VLAN pair mode. Also, I want the internet traffic to hit the FWSM first and then the IDSM.
Single-digit VLANs exist on the MSFC, double-digit VLANs are pushed to the FWSM. Bridging is done by the IDSM.
MSFC
----
vlan 2
name SERVER-IDSM
vlan 3
name INTERNET-IDSM
vlan 4
name USER-IDSM
vlan 22
name SERVER-FWSM
vlan 33
name INTERNET-FWSM
vlan 44
name USER-FWSM
intrusion-detection module 4 data-port 1 trunk allowed-vlan 3,4
// Here vlan 3 (Internet) goes into IDSM and then FWSM. But I want traffic from the internet to go to FWSM and then IDSM.
interface g2/3
switchport
switchport mode access
switchport access vlan 3
description INTERNET
IDSM
----
conf t
service interface
physical-interfaces g0/2
admin-state enabled
description INTERNET
duplex full
speed 1000
subinterface-type inline-vlan-pair
subinterface 1
vlan1 4 //bridging
vlan2 44
description INSPECT-USER-TRAFFIC
subinterface 2
vlan1 3 //bridging
vlan2 33
description INSPECT-INTERNET-TRAFFIC
service analysis-engine
virtual-sensor
physical-interface g0/2 subinterface-number 1
physical-interface g0/2 subinterface-number 2
My primary aim is:
1) All user traffic should first go to the FWSM, then to the IDSM, and then, if OK, to the servers.
2) All internet traffic (from outside) headed to the servers should first go to the FWSM, then the IDSM, and then, if OK, to the servers.
How can this be achieved? I think the configuration posted above places the IDSM in front of the FWSM, which is the opposite of what I want.
Regards.
Sonu,
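Added example (not part of the original post or of any Cisco tooling): a small Python model that traces which module a packet crosses first under the VLAN layout posted above. It assumes the FWSM routes between the double-digit VLANs it owns (22, 33, 44) and that each inline VLAN pair is a plain bridge; the `SERVER_SIDE` layout, which pairs VLAN 22 with VLAN 2, is a hypothetical alternative for comparison and has not been verified on hardware.

```python
from collections import deque

def build_links(idsm_pairs, fwsm_vlans):
    """Map each VLAN to [(neighbour_vlan, device)] hops between VLANs."""
    links = {}
    def add(a, b, dev):
        links.setdefault(a, []).append((b, dev))
        links.setdefault(b, []).append((a, dev))
    for a, b in idsm_pairs:              # IDSM bridges the two VLANs of a pair
        add(a, b, "IDSM")
    for i, a in enumerate(fwsm_vlans):   # assumption: FWSM routes between its VLANs
        for b in fwsm_vlans[i + 1:]:
            add(a, b, "FWSM")
    return links

def device_order(links, src_vlan, dst_vlan):
    """Devices crossed on the shortest VLAN path, or None if unreachable."""
    queue, seen = deque([(src_vlan, [])]), {src_vlan}
    while queue:
        vlan, devices = queue.popleft()
        if vlan == dst_vlan:
            return devices
        for nxt, dev in links.get(vlan, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, devices + [dev]))
    return None

# As posted: pairs 4<->44 and 3<->33, FWSM on VLANs 22, 33, 44.
POSTED = build_links([(4, 44), (3, 33)], [22, 33, 44])
# Hypothetical alternative: one pair 22<->2 on the server side, servers in VLAN 2.
SERVER_SIDE = build_links([(22, 2)], [22, 33, 44])

if __name__ == "__main__":
    for name, links, sources, dst in [
        ("posted", POSTED, {"internet": 3, "users": 4}, 22),
        ("server-side pair", SERVER_SIDE, {"internet": 33, "users": 44}, 2),
    ]:
        for label, vlan in sources.items():
            print(name, label, "->", device_order(links, vlan, dst))
```

In the posted layout VLAN 2 (SERVER-IDSM) is not part of any pair, so the model reports it as unreachable; the server destination used for that layout is VLAN 22.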
10-24-2008 10:22 AM
By deploying the FWSM in front of the server farm, security is provided both to and from the server farm and between each server farm tier. I think the config you have provided will work.