only some of the traffic passing through inline vlan pair

Unanswered Question
Jul 24th, 2010

Here is my network setup

   firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch


configuration in core switch

interface GigabitEthernet1/2.11

description **** ****

encapsulation dot1Q 211

ip vrf forwarding VRF11

ip address 10.2.11.73 255.255.255.248

ip ospf network point-to-point

standby 1 ip 10.2.11.75

standby 1 priority 110

standby 1 preempt

interface GigabitEthernet1/2.37
description **** ****
encapsulation dot1Q 237
ip vrf forwarding VRF37
ip address 10.2.37.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.37.75
standby 1 priority 110
standby 1 preempt
interface TenGigabitEthernet9/1.11
description ****   ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description ****   ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
configuration in Distribution switch:
interface TenGigabitEthernet9/1.11
description ****  ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
interface TenGigabitEthernet9/1.37
description ********
encapsulation dot1Q 337
ip vrf forwarding VRF37
ip address 10.2.37.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
i  have seggregated  n/w like this. i am using inline vlan  pair , to pass all the traffic through the IDSM module ,
i am using the monitoring port gi0/8
config in core switch
------------------------------
intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
IDSM
-------
physical-interfaces GigabitEthernet0/8
subinterface-type inline-vlan-pair
subinterface 11
description
vlan1 211
vlan2 311
exit
subinterface 37
description
vlan1 237
vlan2 337
exit
Problem i am facing is , some of the vlan-pair traffic passing through the IDSM some of the traffic are not passing , here i have given the statistics
MAC statistics from interface GigabitEthernet0/8
   Statistics From Subinterface 11
      Statistics From Vlan 211
         Total Packets Received On This Vlan = 0
         Total Bytes Received On This Vlan = 0
         Total Packets Transmitted On This Vlan = 0
         Total Bytes Transmitted On This Vlan = 0
      Statistics From Vlan 311
         Total Packets Received On This Vlan = 0
         Total Bytes Received On This Vlan = 0
         Total Packets Transmitted On This Vlan = 0
         Total Bytes Transmitted On This Vlan = 0
Statistics From Subinterface 37
      Statistics From Vlan 237
         Total Packets Received On This Vlan = 3189658726
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 3549575166
         Total Bytes Transmitted On This Vlan = 64165872092928
      Statistics From Vlan 337
         Total Packets Received On This Vlan = 3549575166
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 3189658726
         Total Bytes Transmitted On This Vlan = 64165872092928
   Statistics From Subinterface 38
      Statistics From Vlan 238
         Total Packets Received On This Vlan = 2215151150
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 126546964
         Total Bytes Transmitted On This Vlan = 64165866995200
      Statistics From Vlan 338
         Total Packets Received On This Vlan = 126546964
         Total Bytes Received On This Vlan = 64165866995200
         Total Packets Transmitted On This Vlan = 2215151150
         Total Bytes Transmitted On This Vlan = 64165872092928
Give me idea experts , so that i can resolve this issue.
Help me thanks in advance
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Siddharth Chand... Wed, 08/04/2010 - 11:41

I believe the issue is because of the config below:

interface GigabitEthernet1/2.11

description **** ****

encapsulation dot1Q 211

ip vrf forwarding VRF11

ip address 10.2.11.73 255.255.255.248

ip ospf network point-to-point

standby 1 ip 10.2.11.75

standby 1 priority 110

standby 1 preempt

encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description ****   ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point

As you can see we have 2 ip subnets in the VRF 11 .73 &  .2 in vlan 211 & 311 respectively.
The switch is doing intervlan routing directly without having to go through the IDSM for VRF 11.
What we need to remember is IDSM does not do routing, and it can only bridge vlans.
Hence we have to force to packet to go through the IDSM.

Here is what we do when we use IDSM to see traffic going between vlans.:
Normally, with vlans, and IDSM inline mode, we have one IP subnet and 2 Vlans.

IDSM2 in inline mode necessitates an additional artificial Vlan on the  SAME subnet as the Vlan you wish to sense.

A layer 3 switch  interface  needs to be configured within this additional artificial Vlan.

In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.

In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.

I can understand if this is a bit tricky to understand.

Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.

It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.

https://supportforums.cisco.com/docs/DOC-12206

- Sid

Vijayakumar Govindan Thu, 08/05/2010 - 21:37

Hi Sid , i can understand what you have suggested ,but still it is in the production it take sometime to implement . i read your design document for IDSM inline mode it's good.Thank you sid for your wonder full help.

Actions

This Discussion