Bridging FWSM VLAN via IDSM

Answered Question
Feb 5th, 2009

I have bridged the FWSM VLANs (named DMZ, DMZ-BRIDGE) via the IDSM. However, on 'show failover' on the FWSM the server VLAN shows as 'No Link/Unknown'. Is it because there is no IP assigned? Is it the right status/configuration? Do I need to assign an IP to the bridged VLAN? Please assist.

This host: Primary - Active

Interface DMZ-BRIDGE (0.0.0.0): No Link (Not-Monitored)

Other host: Secondary - Standby Ready

Interface DMZ-BRIDGE (0.0.0.0): Unknown (Not-Monitored)

Syed Iftekhar Ahmed Thu, 02/05/2009 - 21:42

All interfaces of the FWSM should have IP addresses assigned to them.

I think you are doing it wrong. You don't bridge FWSM VLANs.

Let's suppose your FWSM has VLAN 10 & VLAN 20 and you are bridging VLAN 20 & VLAN 30 using the IDSM; then the FWSM needs IPs for both VLAN 10 & 20.

vlan 10 --- (outside) FWSM (inside) --- vlan 20 --- IDSM --- vlan 30 --- Servers

This way IDSM is inline between FWSM & Server Vlan.

Syed Iftekhar Ahmed

cisco_lite Fri, 02/06/2009 - 00:20

Ok.

Taking your example, wouldn't VLAN 30 be defined on the FWSM and assigned to it as well via the firewall vlan-group on the switch?

So, do I need to assign the IP to VLAN 30? VLAN 30 is showing as 'No Link/Unknown' in the 'show failover' command on the FWSM.

Thanks.

Correct Answer
Syed Iftekhar Ahmed Fri, 02/06/2009 - 02:03

No

Only Vlan 10 & 20 will be defined on FWSM and will be delegated from switch.

IDSM will do L2 bridging and it will bridge vlan 20 & 30.

Same IP network will exist on vlan 20 & 30.

Syed

cisco_lite Fri, 02/06/2009 - 03:29

Design/Performance Query.

Current design is

1) Front End Web/Application Servers segment

2) Backend Authentication and application database segment

3) Backend infrastructure database segment.

A lot of intercommunication happens between these segments. Is it feasible to apply the IDSM to all the flows (or will that be too heavy? I know it requires actual transaction numbers, which are not available now). The ASA IPS is already inspecting the traffic coming from the internet onto the Application/Web Servers segment.

I would like to use the IDSM for the backend. So is it OK if I were to apply the IDSM to all traffic coming into segment #2 and segment #3, regardless of where it is coming from?

Thanks.

cisco_lite Fri, 02/06/2009 - 05:20

Hello Iftekhar,

Could you also please let me know, if I were to use the IDSM between the ACE client/server VLANs, how I can achieve it?

Using the above example, VLAN 20 is the ACE client VLAN and VLAN 30 is the server VLAN. VLAN 20 is the interface/SVI on the FWSM. How can I bridge/inspect traffic between VLAN 20 & VLAN 30 through the IDSM?

Thanks.

Syed Iftekhar Ahmed Fri, 02/06/2009 - 11:25

In most data centers the IDSM could be a bottleneck due to its 600 Mbps (promiscuous) & 500 Mbps (inline) limitation.

If it's placed inline and has no capacity to process new packets, then like any other inline device it will start dropping packets.

In your case you need to know the throughput needed between segments.

If you are not sure, then don't use the IDSM in inline mode.

In promiscuous mode, using a VACL you can define the traffic to be examined by the sensor using ACLs.

Although an IPS exists at the WAN/Internet layer, it's still desirable to have IPS/IDS at the service layer to protect resources from getting compromised.

When we say bridging VLANs using the IDSM, we mean the IDSM in inline mode. In the case of ACE, if you want to use the IDSM inline then you will bridge the server VLAN interface of the ACE & the actual server VLAN.

Vlan X (client vlan) --- ACE --- (server vlan) Vlan Y --- IDSM --- (real server vlan) Vlan Z

In the above example you will bridge VLAN Y & Z. Since you are bridging the two VLANs, the same IP address space will be used in the two VLANs.

Syed

cisco_lite Fri, 02/06/2009 - 12:01

Got it.

My current scenario is that the real servers are connected to the ACE server VLAN. Please review my steps below if I were to do the above change for the migration (i.e. to include the IDSM in the existing setup).

Existing VLANs

ACE Client VLAN - VLAN10

ACE Server VLAN - VLAN20

Steps

1) Create another VLAN on the CAT6500, say VLAN 30

2) Move all the ports in VLAN 20 into VLAN 30 (i.e. all real servers are connected to VLAN 30 instead of VLAN 20)

3) The IDSM will bridge VLAN 20/30 with the following command on the switch:

intrusion-detection module 7 data-port 1 trunk allowed-vlan 20,30

That's all.

Please advise whether anything else is required for the migration (inline mode).

Thanks.

Correct Answer
Syed Iftekhar Ahmed Fri, 02/06/2009 - 12:26

You got it right..

Just make sure there is no path around the IDSM (traffic shouldn't bypass the IDSM).

On the IDSM (using IDM/CLI) create a VLAN pair and assign it to interface GigabitEthernet0/7.

Syed
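Putting the switch command from the steps above together with Syed's "VLAN pair on GigabitEthernet0/7" advice, here is an added configuration example (not from the thread or from Cisco documentation). The IDSM slot (7) and VLANs (20, 30) come from the thread; the FWSM slot (4), the vlan-group number, the description text and the verification commands are assumptions to be checked against your own switch and sensor software.

```text
! ---- Catalyst 6500 side (IOS) ----
! Keep only the routed VLANs on the FWSM; VLAN 30 is bridged by the IDSM,
! so it is NOT given to the firewall and gets no IP there (assumed slot 4).
firewall vlan-group 1 10,20
firewall module 4 vlan-group 1
! Hand both halves of the bridge to the IDSM data port (command from the thread).
intrusion-detection module 7 data-port 1 trunk allowed-vlan 20,30

! ---- IDSM-2 sensor side (IPS sensor CLI, service interface) ----
! Pairs VLAN 20 and VLAN 30 on the sensing port so every frame between
! the FWSM inside VLAN and the real-server VLAN passes through the sensor.
service interface
  physical-interfaces GigabitEthernet0/7
    admin-state enabled
    subinterface-type inline-vlan-pair
      subinterface 1
        description FWSM-inside(20) to servers(30)
        vlan1 20
        vlan2 30
      exit
    exit
  exit
exit
! Attach the pair to the default virtual sensor so the analysis engine sees it.
service analysis-engine
  virtual-sensor vs0
    physical-interface GigabitEthernet0/7 subinterface-number 1
  exit
exit

! ---- Checks (assumed command names; confirm on your release) ----
! Switch: data port must be up and trunking exactly VLANs 20 and 30.
show intrusion-detection module 7 data-port 1 state
! Sensor: both VLANs of subinterface 1 should show traffic in both directions.
show interfaces GigabitEthernet0/7
```

The bypass check Syed asks for is a switch-side one: no other trunk, SVI or module may carry both VLAN 20 and VLAN 30, otherwise frames have an L2 path that skips the sensor.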

cisco_lite Fri, 02/06/2009 - 12:36

In case the inline mode disrupts the production environment, and I want to deactivate the IDSM while maintaining all three VLANs intact (passing the traffic without IPS inspection) and avoiding any major change, what would be the simplest way to do so?

Is it just to undo 'On the IDSM (using IDM/CLI) create a VLAN pair and assign it to interface GigabitEthernet0/7'?

Is that it ?

cisco_lite Sat, 02/07/2009 - 11:38

Thanks.

Not an easy way out in Production.

How about disabling all the signatures?

Syed Iftekhar Ahmed Sun, 02/08/2009 - 15:34

Disabling the signatures will only make the IDSM not trigger an action for matched traffic.

What if the traffic that needs to be processed by the IDSM is more than its processing capacity?

As I said earlier, it's not just the IDSM: any device you use inline can drop packets if it receives packets beyond its processing power. If you remove any inline device from any topology, you have to make L2/L3 adjustments.

Syed Iftekhar Ahmed
