IDSM Traffic Exclusion

Unanswered Question
Apr 28th, 2010

Is it possible to exclude traffic which by default goes to the IDSM? I have the following scenario:


LAN-->IDSM->FWSM-->Server VLAN


The IDSM and FWSM are in one single chassis, and all the traffic coming from the LAN is captured and forwarded to the IDSM before it hits the FWSM. I need to exclude some traffic so that it does not get captured and forwarded to the IDSM but hits the FWSM directly.


The following configuration exists currently:


vlan access-map idsm-map 10
 match ip address idsm-acl
 action forward captured

access-list ext idsm-acl
 10 permit ip any any


I was thinking of doing the following for the exclusion:


vlan access-map idsm-map 10
 match ip address idsm-acl
 action forward captured

vlan access-map idsm-map 20
 match ip address idsm-acl-1
 action forward

access-list ext idsm-acl
 1 deny any host 10.1.1.1
 10 permit ip any any

access-list ext idsm-acl-1
 10 permit ip any host 10.1.1.1


Will the latter configuration let any traffic for destination 10.1.1.1 bypass the IDSM, or is there any other way around to achieve this on the IDSM itself?


Later

Omair

Ronald Anthony Fri, 04/30/2010 - 12:59

Hi Omair,


I think you are going about this the correct way. You don't want to send traffic to the IDSM that is not intended to go through the IDSM. What you describe sounds good...you will just have to add "ip" to your access-list statement:


access-list ext idsm-acl
 1 deny any host 10.1.1.1  --should be 1 deny ip any host 10.1.1.1
 10 permit ip any any


The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded.  Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1.  Assuming everything else is correct in your configuration, it should work.


Regards,


RA

oqureshi Sat, 05/01/2010 - 02:03

I am a little confused by your reply, as you didn't say anything about the second VLAN map. Below is the final config that I understand might be correct; please correct me if I am wrong.


vlan access-map idsm-map 10
 match ip address idsm-acl
 action forward captured

vlan access-map idsm-map 20
 match ip address idsm-acl-1
 action forward

access-list ext idsm-acl
 1 deny ip any host 10.1.1.1
 10 permit ip any any

access-list ext idsm-acl-1
 10 permit ip any host 10.1.1.1

Ronald Anthony Mon, 05/03/2010 - 09:58

Hi Omair,


Not sure I understand. I did discuss the second map statement:


The traffic to 10.1.1.1 will not match this clause and so it won't be captured but will match the next clause and be forwarded.  Of course, your second access-list could have been "10 permit ip any any" and it would work since all that should make it to this clause is traffic to 10.1.1.1.  Assuming everything else is correct in your configuration, it should work.


I am referring to each vlan map statement as a "clause". So, you did this right...the single-host traffic won't match the first clause (vlan map) and will proceed to the next clause (vlan map statement). I don't see a problem with your configuration except the missing "ip" in the access-list.


Does that make sense?


Regards,


RA
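As an added example (not part of this thread), a small Python model of how the VLAN access-map in the final configuration is evaluated. It assumes entries are tried in sequence order, that an entry matches only when its ACL permits the packet (a deny ACE means "no match for this entry"), and that a packet matching no entry is dropped by the VACL's implicit deny; the packet addresses and the map without sequence 20 are constructed for illustration.

```python
# Added example: model a Catalyst VLAN access-map lookup for the thread's config.
from ipaddress import ip_address, ip_network

def ace(action, src, dst):
    """One ACE; 'any' means 0.0.0.0/0, a bare address means 'host <addr>'."""
    conv = lambda x: ip_network("0.0.0.0/0" if x == "any" else x)
    return (action, conv(src), conv(dst))

def acl_permits(acl, src, dst):
    """First-match ACL lookup; no matching ACE means the ACL denies (implicit deny)."""
    for action, s, d in acl:
        if ip_address(src) in s and ip_address(dst) in d:
            return action == "permit"
    return False

def vacl_action(access_map, acls, src, dst):
    """Walk access-map entries in sequence order; the first ACL permit decides."""
    for seq, acl_name, action in sorted(access_map):
        if acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"  # matched no entry: VACL implicit deny

# Constructed from the final configuration posted in the thread.
ACLS = {
    "idsm-acl":   [ace("deny", "any", "10.1.1.1"),     # 1 deny ip any host 10.1.1.1
                   ace("permit", "any", "any")],       # 10 permit ip any any
    "idsm-acl-1": [ace("permit", "any", "10.1.1.1")],  # 10 permit ip any host 10.1.1.1
}
FULL_MAP = [(10, "idsm-acl", "forward captured"), (20, "idsm-acl-1", "forward")]
# Constructed variant with sequence 20 omitted, to show why it is needed.
MAP_WITHOUT_SEQ20 = [(10, "idsm-acl", "forward captured")]

def check_exclusion():
    """Outcome for the excluded host and for another server, under both maps."""
    return {
        "to_10.1.1.1":      vacl_action(FULL_MAP, ACLS, "192.0.2.10", "10.1.1.1"),
        "to_other_server":  vacl_action(FULL_MAP, ACLS, "192.0.2.10", "10.1.1.2"),
        "to_10.1.1.1_no20": vacl_action(MAP_WITHOUT_SEQ20, ACLS, "192.0.2.10", "10.1.1.1"),
    }

if __name__ == "__main__":
    for name, result in check_exclusion().items():
        print(f"{name}: {result}")
```

Note that the ACL only excludes packets destined to 10.1.1.1; in this model, packets sourced from 10.1.1.1 still match sequence 10 and are captured, so check whether the VLAN the map is applied to also carries return traffic.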
