6509 Uplink to ASA with Vlan Pair

Apr 29th, 2009

I have the following topology:

6509---->ASA----->Internet.

My 6509 has an IDSM.

intrusion-detection module 3 management-port access-vlan 2
intrusion-detection module 3 data-port 1 trunk allowed-vlan 352,603,1352,1603

I want to put the IDSM between the 6509 and the ASA.

The 6509 has a vlan 603 where the ASA Inside is connected, and I already created vlan 1603 to bridge with 603, this way:

I put the Inside cable of the ASA on vlan 1603; before it was connected on vlan 603, but when I changed the switchport vlan of the ASA (603 to vlan 1603) my vlan 603 goes down and I can't access the internet.

Vlan 603 goes down because there are no users connected to it, but I thought that since the IDSM bridges 603 with 1603 this vlan 603 would be UP again, but it doesn't work.

How can I configure the IDM to bring this vlan UP?



Correct Answer by marcabal (Cisco Employee), Thu, 04/30/2009 - 00:48

I assume the switch itself has a vlan 603 interface, and it is this vlan 603 interface that is going down.

By default the IDSM-2's data-ports are configured for "autostate exclude", which means that if the IDSM-2 port and the switch's vlan interface are the only things on the vlan, then the switch will bring down its interface. The switch excludes the IDSM-2 interface when looking for other ports on the vlan.

There is a command:

intrusion-detection module 3 data-port 1 autostate include

With this command the IDSM-2 port will now be included in the list of ports to watch, and the switch should now bring up its vlan 603 interface.

You can see the list of available commands for the IDSM-2 here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1032690

danielnunes Thu, 04/30/2009 - 07:55

Thank you very much for your assistance.


My issue was resolved.


