Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
448
Views
0
Helpful
3
Replies

IDSM-2 before FWSM in 6509 switch

Go to solution
blackhat2020
Level 1
Level 1

‎12-08-2008 05:53 AM - edited ‎03-10-2019 04:24 AM

Hi every one.in my network i have 6509 switch witch it is connected with access layer switches.connection between access layes switches and 6509 is trunk port.for all vlans,interfcae vlan in 6509 is shutdown and in FWSM all interface vlan X has ip address witch is default gateway of servers connected to access layer switches.my problem is that i want to inspect all vlans traffic before they goes to FWSM but i dont know how to monitor multiple vlans that they are recived via trunk port on 6509 and all vlan interfcaes has ip address only in the FWSM.???

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎12-13-2008 06:05 AM

You need to break your existing VLANs into two. Lets say existing vlans are 100 to 110. You need to make 10 new vlans, lets say 200 to 210. Then you need to bridge both of them on the IDSM. The 10X VLANs will remain on the access layer switches. However the FWSM SVIs will change from interface vlan 1xx to interface vlan 2xx. Allow 2xx VLANs on the FWSM trunk (Via the firewall-group command) and both the 1xx and 2xx commands on the IDSM trunk (Via the intrusion-detection command).

Regards

Farrukh

View solution in original post

0 Helpful
3 Replies 3

Go to solution
mchin345
Level 6
Level 6

‎12-12-2008 09:43 AM

Packets will flow normally through the system and into the service module. The service module will act normally upon the packets according to its application, such as firewall, NAM, IDS, and others. However, if a packet is forwarded out of the service module onto a VLAN with packet re-circulation, it may be dropped without reaching its next destination module

The same holds true for packets generated by the service module for management or monitoring traffic, such as SNMP traps, IDS alarms, and others. Any such traffic which is generated by the service module and transmitted out onto a VLAN with packet re-circulation may be dropped.

For further information click this link.

http://www.cisco.com/en/US/ts/fn/610/fn61935.html

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎12-13-2008 06:05 AM

You need to break your existing VLANs into two. Lets say existing vlans are 100 to 110. You need to make 10 new vlans, lets say 200 to 210. Then you need to bridge both of them on the IDSM. The 10X VLANs will remain on the access layer switches. However the FWSM SVIs will change from interface vlan 1xx to interface vlan 2xx. Allow 2xx VLANs on the FWSM trunk (Via the firewall-group command) and both the 1xx and 2xx commands on the IDSM trunk (Via the intrusion-detection command).

Regards

Farrukh

0 Helpful

Go to solution
nkariyawasam
Level 1
Level 1
In response to Farrukh Haroon

‎01-01-2009 10:28 PM

Hi,

Just to add something..Hope that the IP addresses of the FWSM SVIs to remain the same eventhough now they are residing in a differant VLAN.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card