IDSM EtherChannel Question

Answered Question
Oct 24th, 2008

In the config guide for the IDSM, it states:

"To make sure that the same traffic is assigned to the two data ports on each IDSM-2, you must assign the same EtherChannel index to both data ports on each of the IDSM-2s even though they are in different EtherChannel groups."

Can anyone tell me how to change the EtherChannel index? I have successfully assigned the data ports to a port channel, but I cannot figure out how to change the EtherChannel index.

Farrukh Haroon Fri, 10/24/2008 - 23:34

The 'note' mentioned in the configuration guide is a little misleading. By index they mean interface index of the data port (1 or 2). At least this is my understanding.

e.g.

intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6

They are just telling us not to worry about the 'two' data ports of the IDSM-2 being in TWO different etherchannel groups. We have to make sure that 'first data port' on both IDSM-2 is assigned to the same group and the second data port (data-port 2) is assigned to the same group and not mix it around like this:

intrusion-detection module 4 data-port 1 channel-group 6
intrusion-detection module 4 data-port 2 channel-group 5
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6

Please rate if helpful.


Regards


Farrukh
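A small checker, added here and not part of the thread or of Cisco's tooling, that parses 'show run | inc intrusion' output and flags any IDSM-2 whose data-port to channel-group mapping is swapped relative to the other modules. The sample lines are constructed; module 6 is the mixed-up case the post warns against.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of 'show run | inc intrusion' output (not the thread's attachment).
# Modules 4 and 5 agree (data-port 1 -> group 5, data-port 2 -> group 6); module 6 is swapped.
SAMPLE_RUN = """
intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
intrusion-detection module 6 data-port 1 channel-group 6
intrusion-detection module 6 data-port 2 channel-group 5
"""

LINE_RE = re.compile(
    r"^intrusion-detection module (\d+) data-port (\d+) channel-group (\d+)$")


def parse_data_ports(text):
    """Return {module: {data_port: channel_group}} from IOS config lines."""
    ports = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            module, port, group = (int(x) for x in m.groups())
            ports[module][port] = group
    return dict(ports)


def check_channel_groups(ports):
    """Apply the rule from the thread: data-port N on every IDSM-2 must sit in
    the same channel-group. The majority mapping per data-port is taken as the
    expected one; returns (expected, [(module, port, actual, expected), ...])."""
    expected = {}
    for port in sorted({p for mapping in ports.values() for p in mapping}):
        groups = Counter(mapping[port] for mapping in ports.values() if port in mapping)
        expected[port] = groups.most_common(1)[0][0]
    problems = []
    for module, mapping in sorted(ports.items()):
        for port, group in sorted(mapping.items()):
            if group != expected[port]:
                problems.append((module, port, group, expected[port]))
    return expected, problems


if __name__ == "__main__":
    expected, problems = check_channel_groups(parse_data_ports(SAMPLE_RUN))
    print("expected data-port -> channel-group:", expected)
    for module, port, actual, want in problems:
        print(f"module {module} data-port {port}: channel-group {actual}, expected {want}")
```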

jcrussell Sat, 10/25/2008 - 06:57

That makes more sense, and that is how I have it configured. Strangely, one set of IDSM modules is working, and the other is not. Oh well, I guess I need to take it down another path. Thanks for your help.

Farrukh Haroon Sat, 10/25/2008 - 18:50

If you could post your related configuration and topology, maybe me or someone might be able to help.


Regards


Farrukh

jcrussell Mon, 10/27/2008 - 06:16

Ok, sorry about the delay in posting configs. Here we go.

SW1 contains IDSM units 1 and 2, and is working fine.

SW2 contains IDSM units 3 and 4, and is not working.

Both switches are running Adv Enterprise 12.2(33)SXH.

All IDSM are running 6.1(1)E2.

SW1 is peering with an ME6524 over the VLANS I am trying to inspect, and the peering works fine. SW2 is peering with an ME6524 over the VLANS I am trying to inspect, and the peering keeps going up and down. CDP shows the neighbor just fine. Here is the output from the console.

SW2#
Oct 27 07:52:43.693: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is up: new adjacency
SW2#
Oct 27 07:54:03.204: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is down: Interface Goodbye received
SW2#
Oct 27 07:54:07.484: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is up: new adjacency

Farrukh Haroon Mon, 10/27/2008 - 07:04

Are regular pings working THROUGH this IDSM? (you should employ simple testing before troubleshooting why eigrp is not forming adjacencies).


Is it possible to post the configuration of the IDSM and the 'show run | inc intrusion' of the host switch?


Regards


Farrukh

jcrussell Mon, 10/27/2008 - 07:07

Pings are not working through the IDSM on switch number 2. They do work on switch 1. I posted the configs of all 4 IDSM units and "sh run | i intru" in the attached zip file in my previous post. I can repost if it is not working for you.

Farrukh Haroon Mon, 10/27/2008 - 07:22

I saw your configurations, they seem OK. Can you tell me your setup in more detail?


X >>> VLAN 255 IPS >> VLAN 256 >> Y


What is X and Y? What are the IPs? Are the corresponding switchports set to the correct VLAN? Can you see MACs through the IPS (layer 2)? e.g. doing a 'show arp'


Regards


Farrukh

jcrussell Mon, 10/27/2008 - 07:35

Ok. The ME6524 has interface vlan256. It is 10.254.253.13/30. It has an access port in vlan 256 plugged in to g7/43 on SW2. G7/43 is an access port in vlan 256. SW2 has an SVI in interface vlan 255.


The setup is pretty much the same on SW1. It has an SVI on vlan 254. SW1 G7/43 is an access port in vlan 253. An ME6524 is plugged in to that port on SW1, and it has an SVI on vlan 253 with an access port on vlan 253 plugged in to SW1.


The ARP table for SW1 shows itself and the ME6524. The ARP table for SW2 shows itself and 'Incomplete' for the ME6524.


When I do a "packet display" on the IPS unit module 3 in SW2, I see the 6509 ARPs go out looking for the ME6524, but no returns. I am seeing the ARPs on both interfaces in module 3. In module 4, I see both the ME6524 and the 6509 sending EIGRP packets to 224.0.0.10, no matter which interface I sniff.

Correct Answer
Farrukh Haroon Mon, 10/27/2008 - 12:45

I would recommend re-initializing both IDSM in SW2 from scratch and then trying. OR as a test you can let go of etherchannel and configure only ONE of them to test things out. I would also recommend keeping the spanning tree settings at the default and not changing the cost etc.


Regards


Farrukh



jcrussell Mon, 10/27/2008 - 13:48

I completely blew away the configs and reconfigured, and it is working now. Not sure what it was, because I just copied and pasted the configs back in! Anyway, thanks for your help happs.

Farrukh Haroon Mon, 10/27/2008 - 22:14

I'm glad it's working now :). And thanks to Microsoft for teaching us the 'restart and fix' technique :).


Regards


Farrukh

jcrussell Fri, 10/31/2008 - 19:23

Well, it looks like I spoke too soon. Once I took the IDSMs out of bypass mode, they will not pass TACACS traffic. Other traffic will pass, but I cannot get my switches to talk to the ACS box. I can ping, SSH, RDP, etc but no TACACS. Any ideas?

Farrukh Haroon Sat, 11/01/2008 - 06:57

The TACACS stops working once the IPS stops inspecting or when it is in bypass mode?


There are some TCP normalization signatures that have a 'Deny' action by default, maybe they are denying this traffic. You can either remove the deny action from all those signatures (using a few clicks only) or make an event action filter for this particular client/server flow.


Regards


Farrukh

jcrussell Mon, 11/03/2008 - 06:37

It stops working when I take the IPS out of bypass mode and have it inspect traffic.


I will try an event action filter and see what happens. :)


Ok, another update.


It appears that in the second switch with IPS 3 and IPS 4, the traffic is not taking the same path as it does in switch 1. In switch 1, traffic between 2 certain hosts uses just IPS 1, like I would expect. In switch 2, I see traffic between 2 certain hosts going through IPS 3 in one direction, and IPS 4 in the other. So that leads me to think there is something wrong with the EtherChannel load balancing. Thoughts?


Farrukh Haroon Tue, 11/04/2008 - 02:33

Technically the same source/dest pair should be served by the same IPS if the network has everything configured properly. It seems you have asymmetric routing, can you post the output of:


show etherchannel load-balance


Regards


Farrukh

jcrussell Tue, 11/04/2008 - 05:48

SW1 (the one that seems to be load balancing properly)

SW1#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip enhanced
mpls label-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
MPLS: Label or IP

SW2 (the one that seems to not be load balancing properly)

SW2#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip enhanced
mpls label-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
MPLS: Label or IP


Farrukh Haroon Tue, 11/04/2008 - 07:14

What are your inline normalizer settings in the virtual sensor?


Regards


Farrukh

jcrussell Tue, 11/04/2008 - 07:17

My Inline TCP Session Tracking Mode is Interface and VLAN.


My Normalizer Mode is Strict Evasion Protection.


You think the Normalizer should be in Asymmetric Mode Protection?

Farrukh Haroon Tue, 11/04/2008 - 18:55

Yes that would be worth a try (At least to test if it does the trick).


Regards


Farrukh

jcrussell Tue, 11/11/2008 - 07:13

Ok, way late update. Asymmetric mode works. I have a TAC case open, and they have moved it from the security team to the switching team, as they think it is a load balancing issue, not an IDSM issue. :(

Farrukh Haroon Thu, 11/13/2008 - 01:27

Ok, that's great, keep us posted :)


Regards


Farrukh

jcrussell Tue, 11/18/2008 - 13:25

Ok, another update. I have been working with TAC for a while now. I had 3 total TAC engineers on a WebEx session doing ELAM superman captures on the switch. We observed traffic from A to B selecting one interface in the EtherChannel, but traffic from B to A selects the other interface in the EtherChannel. So they are going to get together back there in RTP and work out a solution. In other words, I am still not inspecting traffic. :(
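An added illustration, not from the thread or from TAC: a toy model of why a src-dst-ip XOR hash picks the same EtherChannel member for both directions of a conversation while a source-only hash need not, plus a check that flags host pairs whose two directions were seen on different members in a set of constructed capture records (the kind of thing the ELAM captures above observed). The hash model is an assumption for illustration, not Cisco's actual implementation.

```python
import ipaddress

MEMBERS = 2  # two data ports, one per IDSM, in the channel (the thread's topology)


def member_src_dst_ip(src, dst, members=MEMBERS):
    """Toy model of 'src-dst-ip' (assumption, not Cisco's real hash):
    XOR of the two addresses, so A->B and B->A land on the same member."""
    a = int(ipaddress.ip_address(src))
    b = int(ipaddress.ip_address(dst))
    return (a ^ b) % members


def member_src_ip(src, dst, members=MEMBERS):
    """Toy model of a source-only policy: the reverse direction can land elsewhere."""
    return int(ipaddress.ip_address(src)) % members


def policy_is_symmetric(policy, pairs, members=MEMBERS):
    """True if the policy picks the same member for both directions of every pair."""
    return all(policy(a, b, members) == policy(b, a, members) for a, b in pairs)


# Constructed capture records: (src, dst, index of the member the frame was seen on).
OBSERVED = [
    ("10.254.253.13", "10.254.253.14", 0),
    ("10.254.253.14", "10.254.253.13", 1),   # reverse direction on the other member
    ("10.1.1.10", "10.2.2.20", 1),
    ("10.2.2.20", "10.1.1.10", 1),
]


def asymmetric_pairs(records):
    """Host pairs whose two directions were seen on different members.
    Each such pair is split across two IDSMs, so a normalizer in strict
    mode sees only half of every TCP session between them."""
    first_member = {}
    bad = set()
    for src, dst, member in records:
        key = frozenset((src, dst))
        if first_member.setdefault(key, member) != member:
            bad.add(tuple(sorted(key)))
    return sorted(bad)


if __name__ == "__main__":
    pairs = [(s, d) for s, d, _ in OBSERVED]
    print("src-dst-ip symmetric:", policy_is_symmetric(member_src_dst_ip, pairs))
    print("src-ip symmetric:", policy_is_symmetric(member_src_ip, pairs))
    print("asymmetric pairs in capture:", asymmetric_pairs(OBSERVED))
```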

Farrukh Haroon Tue, 11/18/2008 - 19:16

Thanks for the update. Must be something wrong with their EC hashing or spanning tree I guess.


Regards


Farrukh

Farrukh Haroon Wed, 11/26/2008 - 23:16

Thanks for the update.


Pretty cryptic description written by the TAC engineer though.


Regards


Farrukh
