07-24-2010 10:26 PM - edited 03-10-2019 05:04 AM
Here is my network setup
firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch
configuration in core switch
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
08-04-2010 11:41 AM
I believe the issue is because of the config below:
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
IDSM2 in inline mode necessitates an additional artificial Vlan on the SAME subnet as the Vlan you wish to sense.
A layer 3 switch interface needs to be configured within this additional artificial Vlan.
In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.
In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.
I can understand if this is a bit tricky to understand.
Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.
https://supportforums.cisco.com/docs/DOC-12206
- Sid
08-05-2010 09:37 PM
Hi Sid , i can understand what you have suggested ,but still it is in the production it take sometime to implement . i read your design document for IDSM inline mode it's good.Thank you sid for your wonder full help.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: