Using IDSM with FWSM in multiple context

Jan 26th, 2009

Hi,

I would like to know whether it is possible to use IDSM across two distinct contexts in FWSM.

Syed Iftekhar Ahmed Mon, 01/26/2009 - 12:27

Yes you can.

In promiscuous mode you tap the required traffic (all FWSM context VLANs) at the switch and copy that traffic to the IDSM.

Syed

cisco_lite Mon, 01/26/2009 - 12:40

Thanks Syed.

If I were to use inline mode when there are distinct active contexts across two FWSMs, will it be possible?

Syed Iftekhar Ahmed Mon, 01/26/2009 - 14:35

Yes you can.

You can configure IDSM-2 in inline VLAN pair mode. IDSM-2 performs VLAN bridging between pairs of VLANs within the same data port operating as an 802.1q trunk.

IDSM-2 has two data ports (sensing ports).

You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port.

So with two sensing ports you can have 2 x 255 inline VLAN pairs.

(Obviously it's not recommended to have so many VLAN pairs. Remember that IDSM throughput is hardly 500 Mbps and it can easily become a bottleneck in front of FWSM, which has much higher throughput.)

HTH

Syed

cisco_lite Mon, 01/26/2009 - 15:26

Thanks.

Once more for clarity.

Let's say contextA is active on FWSM1 placed in Cat6500(1) and contextB is active on FWSM2 placed in Cat6500(2). IDSM(1) is installed on Cat6500(1) and IDSM(2) is installed on Cat6500(2).

Can both the active contexts on different FWSMs be inspected by the IDSM simultaneously? Which IDSM shall inspect which FWSM? Is it 1 to 1 and 2 to 2?

Syed Iftekhar Ahmed Mon, 01/26/2009 - 17:04

Unlike FWSM/ACE, where you could have one FWSM active & the other standby, in IDSM there are no such states.

You will have to extend all FWSM & IDSM VLANs over the trunk between the two switches and then configure STP (Spanning Tree Protocol) such that it will make one path forwarding and the other blocking.

For example, if context1 is active in SW1 & standby in SW2, then STP will ensure that the link b/w active context1 (of SW1) & IDSM (of SW1) is in forwarding state & the link b/w stdby context1 (of SW2) & IDSM (of SW2) is in blocking state.

Syed

cisco_lite Tue, 01/27/2009 - 08:03

Would you be able to provide a short example of extending FWSM/IDSM VLANs over the trunk and configuring STP where different active contexts reside on both the FWSMs?
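
A configuration sketch of the design described in this thread, added here as an illustration and not posted by any participant: the FWSM/IDSM VLANs are carried over the inter-switch trunk, and the per-VLAN STP root sits on the switch where each context is active. The slot numbers, VLAN IDs, the Port-channel1 trunk and the use of root placement to steer which path forwards are all assumptions.

```cisco
! Constructed values: FWSM in slot 3, IDSM-2 in slot 4, inter-switch trunk Po1.
! contextA (active on SW1): IDSM pairs VLAN 110 <-> 111, FWSM outside in VLAN 111.
! contextB (active on SW2): IDSM pairs VLAN 120 <-> 121, FWSM outside in VLAN 121.
! Inside and failover VLANs and the trunk member ports are omitted.
!
! ===== SW1 and SW2 (identical on both) =====
vlan 110-111,120-121
!
! Extend every FWSM and IDSM VLAN across the inter-switch trunk
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 110,111,120,121
 switchport mode trunk
!
! Hand the firewall-side VLAN of each pair to the FWSM
firewall vlan-group 1 111,121
firewall module 3 vlan-group 1
!
! IDSM-2 data port 1 as an 802.1q trunk carrying both halves of each pair
intrusion-detection module 4 data-port 1 trunk allowed-vlan 110,111,120,121
!
! ===== SW1 only: root for contextA's VLANs, backup for contextB's =====
spanning-tree vlan 110-111 root primary
spanning-tree vlan 120-121 root secondary
!
! ===== SW2 only: the mirror image =====
spanning-tree vlan 120-121 root primary
spanning-tree vlan 110-111 root secondary
!
! ===== Sensor CLI on each IDSM-2 (data port 1 is GigabitEthernet0/7) =====
configure terminal
 service interface
  physical-interfaces GigabitEthernet0/7
   admin-state enabled
   subinterface-type inline-vlan-pair
    subinterface 1
     vlan1 110
     vlan2 111
     exit
    subinterface 2
     vlan1 120
     vlan2 121
     exit
! The inline pairs still have to be assigned to a virtual sensor (not shown).
```

Run `show spanning-tree vlan 110` (and the other VLANs) on both switches to confirm which path is forwarding, and repeat the check after an FWSM failover.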
