6509 - IDSM-2 inline vlan pair mode at layer 3

Unanswered Question
Jan 26th, 2010

I am a little green, so be nice.

Wondering how to get an IDSM-2 module inline on a 6509. My issue is that the traffic comes into the 6509 at layer 3 (routed), so I'm not sure how the config works (e.g. do I use a trunk, or do I have to add in a hop somehow).

6509 conf snippet:

! IDSM-2 in slot 7: data-port 1 is a trunk carrying both VLANs of the inline pair
intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128

vlan 3127
 name FIREWALL-IPS

vlan 3128
 name FIREWALL

! Routed uplink towards the inside (port-channel of Gi8/9 and Gi9/9)
interface Port-channel2
 description CAB2
 ip address 10.30.2.2 255.255.255.0
 ip helper-address 10.10.20.11
 ip helper-address 10.10.20.13
 ip helper-address 10.30.123.11
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 glbp 2 ip 10.30.2.1
 glbp 2 timers msec 250 msec 750
 glbp 2 priority 120
 glbp 2 preempt delay minimum 60
 glbp 2 load-balancing weighted
 glbp 2 weighting track 89 decrement 50
 glbp 2 weighting track 99 decrement 50
 glbp 2 forwarder preempt delay minimum 60

! Firewall-facing port, currently an access port in VLAN 3128 (the same VLAN as the SVI below)
interface GigabitEthernet1/9
 description FIREWALL
 switchport
 switchport access vlan 3128
 switchport mode access
 no ip address

interface GigabitEthernet8/9
 description CAB2SW1-Gi1/0/49
 no ip address
 channel-group 2 mode on

interface GigabitEthernet9/9
 description CAB2SW1-Gi1/0/50
 no ip address
 channel-group 2 mode on

! Layer 3 hop for the firewall VLAN (GLBP virtual gateway 10.30.128.1)
interface Vlan3128
 description FIREWALL
 ip address 10.30.128.2 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 no ip igmp snooping
 glbp 128 ip 10.30.128.1
 glbp 128 timers msec 250 msec 750
 glbp 128 priority 120
 glbp 128 preempt delay minimum 60
 glbp 128 load-balancing weighted
 glbp 128 forwarder preempt delay minimum 60

IDSM-2 conf snippet:

service interface
 physical-interfaces GigabitEthernet0/7
  description data-port 1
  subinterface-type inline-vlan-pair
   subinterface 1
    description FIREWALL VLAN3127<->VLAN3128
    vlan1 3127
    vlan2 3128

arrowstreet_capital Thu, 01/28/2010 - 10:23

A colleague of mine explained how to do this and it mostly makes sense. My only confusion is that once you remove the access VLAN (3128) from the interface that gets monitored and replace it with 3127, how does traffic still traverse the 3128 VLAN? What is the mechanism that controls this? Is it the command "intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128"?
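A worked configuration for the VLAN-pair path the two posts above are circling around, as an added example that is not part of either poster's config. It assumes the firewall-facing port Gi1/9 is moved into VLAN 3127 while the routed SVI stays on VLAN 3128, and it keeps the slot, data-port, VLAN numbers and addresses from the posted snippets; the `service analysis-engine` assignment at the end is an assumed step that the posted IDSM-2 snippet does not show. The `!` lines are annotations for the reader (IOS treats them as comments; do not paste them into the sensor CLI).

```ios
! ===== Catalyst 6509 (IOS) =====
! Both VLANs of the pair are trunked to data-port 1 of the IDSM-2 in slot 7.
! This is the command that lets the module see, and bridge between, 3127 and 3128.
intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128
!
vlan 3127
 name FIREWALL-IPS
vlan 3128
 name FIREWALL
!
! The firewall-facing port is moved from VLAN 3128 to VLAN 3127.
! Frames from the firewall now enter VLAN 3127, where the only other
! member is the IDSM-2 data port.
interface GigabitEthernet1/9
 description FIREWALL
 switchport
 switchport access vlan 3127
 switchport mode access
!
! The routed hop stays on VLAN 3128. There is deliberately no SVI on 3127,
! so the only path between the firewall and this gateway runs through the sensor.
interface Vlan3128
 description FIREWALL
 ip address 10.30.128.2 255.255.255.0
 no ip redirects
 no ip unreachables
 glbp 128 ip 10.30.128.1
!
! ===== IDSM-2 (IPS sensor CLI) =====
! The inline VLAN pair bridges 3127 <-> 3128 at layer 2 after inspection;
! the module has no IP address in either VLAN and is invisible to the hosts.
service interface
 physical-interfaces GigabitEthernet0/7
  description data-port 1
  subinterface-type inline-vlan-pair
   subinterface 1
    description FIREWALL VLAN3127<->VLAN3128
    vlan1 3127
    vlan2 3128
   exit
  exit
 exit
exit
!
! Assumed step, not shown in the posted snippet: the subinterface must be
! assigned to a virtual sensor, or the pair is configured but forwards nothing.
service analysis-engine
 virtual-sensor vs0
  physical-interface GigabitEthernet0/7 subinterface-number 1
 exit
exit
```

Trace the path once: firewall -> Gi1/9 (VLAN 3127) -> IDSM-2 data-port 1 over the trunk -> inspection -> re-emitted on VLAN 3128 -> SVI Vlan3128 routes onwards; return traffic takes the same pair in reverse. Because the firewall's only way to its gateway now runs through the module, the sensor's `bypass-mode` setting under `service interface` decides whether a module failure fails open (traffic bridged uninspected) or closed (VLAN 3128 unreachable); pick that deliberately rather than leaving the default.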
