IDSM EtherChannel Question

jcrussell
Level 3

In the config guide for the IDSM, it states:

To make sure that the same traffic is assigned to the two data ports on each IDSM-2, you must assign the same EtherChannel index to both data ports on each of the IDSM-2s even though they are in different EtherChannel groups.

Can anyone tell me how to change the EtherChannel index? I have successfully assigned the data ports to a port channel, but I cannot figure out how to change the EtherChannel index.


25 Replies

Farrukh Haroon
VIP Alumni

The 'note' mentioned in the configuration guide is a little misleading. By index they mean interface index of the data port (1 or 2). At least this is my understanding.

e.g.

intrusion-detection module 4 data-port 1 channel-group 5

intrusion-detection module 4 data-port 2 channel-group 6

intrusion-detection module 5 data-port 1 channel-group 5

intrusion-detection module 5 data-port 2 channel-group 6

They are just telling us not to worry about the 'two' data ports of the IDSM-2 being in TWO different EtherChannel groups. We have to make sure that the 'first data port' on both IDSM-2s is assigned to the same group and the second data port (data-port 2) is assigned to the same group, and not mix them around like this:

intrusion-detection module 4 data-port 1 channel-group 6

intrusion-detection module 4 data-port 2 channel-group 5

intrusion-detection module 5 data-port 1 channel-group 5

intrusion-detection module 5 data-port 2 channel-group 6

Please rate if helpful.

Regards

Farrukh
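The rule in the reply above (data-port 1 of every IDSM-2 in one channel group, data-port 2 of every IDSM-2 in another, never swapped between modules) is easy to verify mechanically against the 'show run | inc intrusion' output of the host switch. The following checker is an added example, not code from the thread or from Cisco; the command lines it parses are the ones quoted in the reply, and the sample configurations are constructed from them.

```python
import re
from collections import defaultdict

# Matches the host-switch lines quoted in the thread, e.g.
#   intrusion-detection module 4 data-port 1 channel-group 5
LINE_RE = re.compile(
    r"^\s*intrusion-detection\s+module\s+(\d+)\s+data-port\s+(\d+)"
    r"\s+channel-group\s+(\d+)\s*$"
)


def parse_idsm_channel_lines(config_text):
    """Return {(module, data_port): channel_group} from 'show run | inc intrusion' text.

    Lines that do not match the data-port/channel-group form are ignored.
    """
    mapping = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            module, port, group = (int(x) for x in m.groups())
            mapping[(module, port)] = group
    return mapping


def check_dataport_consistency(mapping):
    """Return a list of human-readable problems; an empty list means the layout
    follows the rule from the thread.

    Problem 1: the same data-port index maps to different channel groups on
               different modules (the 'mixed around' case).
    Problem 2: both data ports of one module sit in the same channel group,
               which contradicts the config guide's 'different EtherChannel
               groups' wording quoted in the question.
    """
    problems = []

    groups_by_port = defaultdict(dict)   # data-port index -> {module: group}
    ports_by_module = defaultdict(dict)  # module -> {data-port index: group}
    for (module, port), group in mapping.items():
        groups_by_port[port][module] = group
        ports_by_module[module][port] = group

    for port, by_module in sorted(groups_by_port.items()):
        if len(set(by_module.values())) > 1:
            detail = ", ".join(
                f"module {m} -> channel-group {g}" for m, g in sorted(by_module.items())
            )
            problems.append(f"data-port {port} is split across channel groups: {detail}")

    for module, ports in sorted(ports_by_module.items()):
        if len(ports) == 2 and len(set(ports.values())) == 1:
            group = next(iter(ports.values()))
            problems.append(f"module {module}: both data ports are in channel-group {group}")

    return problems


# Constructed samples: the 'good' and 'mixed around' layouts from the reply.
GOOD_CONFIG = """\
intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
"""

MIXED_CONFIG = """\
intrusion-detection module 4 data-port 1 channel-group 6
intrusion-detection module 4 data-port 2 channel-group 5
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("mixed", MIXED_CONFIG)):
        problems = check_dataport_consistency(parse_idsm_channel_lines(text))
        print(f"{name}: {'OK' if not problems else problems}")
```

Paste the real 'show run | inc intrusion' output into the string in place of the constructed samples; the mixed layout produces one finding per data-port index, which is exactly the swap the reply warns against.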

That makes more sense, and that is how I have it configured. Strangely, one set of IDSM modules is working, and the other is not. Oh well, I guess I need to take it down another path. Thanks for your help.

If you could post your related configuration and topology, maybe me or someone might be able to help.

Regards

Farrukh

Ok, sorry about the delay in posting configs. Here we go.

SW1 contains IDSM units 1 and 2, and is working fine.

SW2 contains IDSM units 3 and 4, and is not working.

Both switches are running Adv Enterprise 12.2(33)SXH.

All IDSM are running 6.1(1)E2.

SW1 is peering with an ME6524 over the VLANS I am trying to inspect, and the peering works fine. SW2 is peering with an ME6524 over the VLANS I am trying to inspect, and the peering keeps going up and down. CDP shows the neighbor just fine. Here is the output from the console.

SW2#

Oct 27 07:52:43.693: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is up: new adjacency

SW2#

Oct 27 07:54:03.204: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is down: Interface Goodbye received

SW2#

Oct 27 07:54:07.484: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.254.253.13 (Vlan255) is up: new adjacency

Are regular pings working THROUGH this IDSM? (You should employ simple testing before troubleshooting why EIGRP is not forming adjacencies.)

Is it possible to post the configuration of the IDSM and the 'show run | inc intrusion' of the host switch?

Regards

Farrukh

Pings are not working through the IDSM on switch number 2. They do work on switch 1. I posted the configs of all 4 IDSM units and "sh run | i intru" in the attached zip file in my previous post. I can repost if it is not working for you.

I saw your configurations; they seem OK. Can you tell me your setup in more detail?

X >>> VLAN 255 IPS >> VLAN 256 >> Y

What are X and Y? What are the IPs? Are the corresponding switchports set to the correct VLAN? Can you see MACs through the IPS (layer 2), e.g. by doing a 'show arp'?

Regards

Farrukh

Ok. The ME6524 has interface vlan256. It is 10.254.253.13/30. It has an access port in vlan 256 plugged in to g7/43 on SW2. G7/43 is an access port in vlan 256. SW2 has an SVI in interface vlan 255.

The setup is pretty much the same on SW1. It has an SVI on vlan 254. SW1 G7/43 is an access port in vlan 253. An ME6524 is plugged in to that port on SW1, and it has an SVI on vlan 253 with an access port on vlan 253 plugged in to SW1.

The ARP table for SW1 shows itself and the ME6524. The ARP table for SW2 shows itself and 'Incomplete' for the ME6524.

When I do a "packet display" on the IPS unit module 3 in SW2, I see the 6509 ARPs go out looking for the ME6524, but no returns. I am seeing the ARPs on both interfaces in module 3. In module 4, I see both the ME6524 and the 6509 sending EIGRP packets to 224.0.0.10, no matter which interface I sniff.

I would recommend re-initializing both IDSMs in SW2 from scratch and then trying again. Or, as a test, you can let go of EtherChannel and configure only ONE of them to test things out. I would also recommend keeping the spanning tree settings at the default and not changing the cost etc.

Regards

Farrukh

I completely blew away the configs and reconfigured, and it is working now. Not sure what it was, because I just copied and pasted the configs back in! Anyway, thanks for your help happs.

I'm glad it's working now :). And thanks to Microsoft for teaching us the 'restart and fix' technique :).

Regards

Farrukh

Well, it looks like I spoke too soon. Once I took the IDSMs out of bypass mode, they will not pass TACACS traffic. Other traffic will pass, but I cannot get my switches to talk to the ACS box. I can ping, SSH, RDP, etc but no TACACS. Any ideas?

The TACACS stops working once the IPS stops inspecting or when it is in bypass mode?

There are some TCP normalization signatures that have a 'Deny' action by default; maybe they are denying this traffic. You can either remove the deny action from all those signatures (using a few clicks only) or make an event action filter for this particular client/server flow.

Regards

Farrukh

It stops working when I take the IPS out of bypass mode and have it inspect traffic.

I will try an event action filter and see what happens. :)

Ok, another update.

It appears that in the second switch with IPS 3 and IPS 4, the traffic is not taking the same path as it does in switch 1. In switch 1, traffic between 2 certain hosts uses just IPS 1, like I would expect. In switch 2, I see traffic between 2 certain hosts going through IPS 3 in one direction, and IPS 4 in the other. So that leads me to think there is something wrong with the EtherChannel load balancing. Thoughts?
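The symptom in the last post (one direction of a conversation through IPS 3, the return direction through IPS 4) is what a direction-dependent EtherChannel hash produces: if member selection depends only on the source address, the forward and return packets of the same flow hash to different members, and each sensor sees half a TCP session, which is also the condition the TCP normalization signatures mentioned earlier react to. The model below is an added example, not code from the thread or from Cisco; it uses a deliberately simplified hash (address modulo member count, or XOR of both addresses modulo member count) rather than the real platform algorithm, so it demonstrates the symmetry property only. The policy names and the host addresses are constructed for the demonstration; the second address reuses the thread's peer 10.254.253.13.

```python
import ipaddress


def ip_to_int(ip):
    """Convert a dotted-quad string to its integer value."""
    return int(ipaddress.ip_address(ip))


def member_for(src, dst, policy, members=2):
    """Simplified model of EtherChannel member selection.

    policy 'src-ip'     : key depends on the source address only
    policy 'dst-ip'     : key depends on the destination address only
    policy 'src-dst-ip' : key is src XOR dst, so swapping the two addresses
                          gives the same key (symmetric by construction)
    This is a toy hash for illustration, not the switch's real algorithm.
    """
    s, d = ip_to_int(src), ip_to_int(dst)
    if policy == "src-ip":
        key = s
    elif policy == "dst-ip":
        key = d
    elif policy == "src-dst-ip":
        key = s ^ d
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return key % members


def path_is_symmetric(src, dst, policy, members=2):
    """True if both directions of the src<->dst flow land on the same member."""
    return member_for(src, dst, policy, members) == member_for(dst, src, policy, members)


def audit_flows(flows, policy, members=2):
    """Return (src, dst, forward_member, reverse_member) for every flow whose
    two directions are split across different channel members."""
    split = []
    for src, dst in flows:
        fwd = member_for(src, dst, policy, members)
        rev = member_for(dst, src, policy, members)
        if fwd != rev:
            split.append((src, dst, fwd, rev))
    return split


# Constructed flows: an SVI on the host switch talking to two neighbours.
SAMPLE_FLOWS = [
    ("10.254.253.14", "10.254.253.13"),  # 14 even, 13 odd  -> splits under src-ip
    ("10.254.253.15", "10.254.253.13"),  # 15 odd, 13 odd   -> symmetric by coincidence
]

if __name__ == "__main__":
    for policy in ("src-ip", "src-dst-ip"):
        split = audit_flows(SAMPLE_FLOWS, policy)
        print(f"{policy}: {len(split)} flow(s) split across members -> {split}")
```

The second constructed flow is the reason a source-only hash can look fine for some host pairs and broken for others: whether a pair is split depends on the parity of the two addresses, which matches the "2 certain hosts" behaviour described. A practitioner would compare the two switches' channel load-balance method (on Catalyst IOS, 'show etherchannel load-balance' reports it) before going further, since a method that keys on both endpoints keeps each conversation on one sensor.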
