FWSM & IDSM2

estelamathew
Level 2

Dears,

Is there any different configuration for the 6500 or the IDSM-2 if I am placing it with a FWSM? I will place the IDSM-2 in inline VLAN pair mode, and all SVIs will be created on the FWSM instead of the MSFC.

Any suggestions, please, on the above design and configuration.

Thanks

20 Replies

estelamathew
Level 2

Hello Dears,

Has nobody ever installed IDSM-2 with FWSM before? Experts, I need your hints before implementing.

Thanks,

I have implemented a similar configuration before, except that my IDSMs were in promiscuous mode using VACLs to capture traffic.  Also, my FWSMs were in transparent, multi-context mode.  That certainly made things more complicated.

But, no, there's not really any "special" or different configuration you will need to do.  Just remember that you will want to create 2 virtual sensors -- one for the inside network, and one for the outside.

Apart from the configuration guides for each module, as well as the 6500 config guide, I would suggest reading through some of Cisco's SAFE Reference Guide.  In particular, be sure to read the chapters for Enterprise Internet Edge (Ch. 6) and Enterprise WAN Edge (Ch. 7).

Hi,

Why do we need to create 2 virtual sensors, 1 for inside and 1 for outside? Can you explain?

Thanks


hello.

The use of two virtual sensors would be needed if the same traffic is passing through the IDSM twice.  If using just 1 virtual sensor and it sees it twice, it would drop it.  You would see this using inline if the traffic was being bridged, which would cause the traffic to be identical.

-scott

Hello,

With 1 virtual sensor, the traffic is also passed 2 times to the IDSM-2.

Example for inline VLAN pair mode: if I want to allow inter-VLAN routing from VLAN 100 to VLAN 200.

INLINE VLAN PAIR: VLAN 1 and VLAN 2 are real SVI interfaces, and VLAN 100 and VLAN 200 are virtual, just for pairing.

vlan 1 to 100

vlan 2 to 200

USER-PC                      SWITCH SVI          SWITCH SVI                       USER-PC

vlan 100----IDSM--------int vlan1 SVI --- ----int vlan2 SVI-------IDSM----vlan 200

Your help will be appreciated.

Thanks.

Message was edited by: estela mathew

hi Estela,

In your situation, having the same IDSM inspect at two different points of your network with the same virtual sensor should be fine, as the key part is that you are inter-VLAN routing it.  By doing so, the packet is being altered and therefore the virtual sensor is not seeing an identical packet.  We used to see this a lot in the past when inline was a new feature and people were using 1 virtual sensor for multiple points and the traffic remaining the same due to bridging.  They introduced multiple virtual sensors to get around this later on.

But with your scenario, you should not run into that problem because you are inter-VLAN routing between the two segments.

hope that helps.

-scott

Hello Scott,

"In your situation, having the same IDSM inspect at two different points of your network with the same virtual sensor should be fine as the key part is that you are inter-VLAN routing it.  By doing so, the packet is being altered and therefore the virtual sensor is not seeing an identical packet."

I didn't understand your reply. Where is the packet being altered?

Can you explain the traffic flow in more detail for normal inter-VLAN routing without a FWSM, and, as a second option, if I place a FWSM and my users' VLAN wants to access servers in the DMZ VLAN, how the traffic flow will be?

I think very few engineers in the community have implemented IDSM-2 with FWSM.

Awaiting your reply.

Thanks

Hi Estela,

Since you are inter-VLAN routing the traffic, the packet's MAC addresses are altered and its TTL gets decremented, etc.  These changes are seen by your IDSM virtual sensor, so it treats it as new, versus seeing the exact same packet (same MAC addresses, etc.) if it was bridged.

The inter-VLAN routing is the key part here to preventing the virtual sensor from seeing the same packet twice when you are setting inline on both sides.

From the perspective of the IDSM, it doesn't care whether it's being inter-VLAN routed by the switch or if the FWSM is handling the routing for those VLANs.

That is probably the reason why you don't read much about this, as it doesn't really know about the FWSM in the switch.  Are you running into a problem when you have both operating at the same time?

regards,

scott

Hi Scott,

Please read the thread below from MARCABAL; he is also explaining to create 2 virtual sensors if a FWSM is in place, but I am still not clear on the traffic flow if the IDSM and FWSM are installed together in 1 switch:

https://supportforums.cisco.com/thread/245833

After reading the above thread, if you can help me to explain the traffic flow. For example, if the users' VLAN wants to access the DMZ server VLAN when a FWSM is in place.

Question: Are you running into a problem when you have both operating at the same time?

Answer: Upcoming project may be next week.

Thanks,

hi Estela,

I'm not really seeing any problem with the description in the other link.  Running with multiple virtual sensors is fine.  I was just answering your question on the reasoning behind why you need to run multiple virtual sensors.  Since the FWSM is handling the routing, the traffic will be routed by the FWSM.  Since the IDSM is only inspecting the traffic, the inline can be put anywhere.  Usually people monitor the inside and outside.  The firewall doesn't care about the IDSM monitoring the traffic.

Example:

Host A sends traffic on VLAN 1, which is bridged by the IDSM doing inline to VLAN 2.  VLAN 2 is then inter-VLAN routed to VLAN 3, which is bridged by the same IDSM doing inline to VLAN 4, where the server is.

That would be the path of the traffic flow.

thanks,

scott

Hello Scott,

Question: I was just answering your question on the reasoning behind why you need to run multiple virtual sensors.

Answer: Up till now I was thinking of only 1 virtual sensor, but Michael Crowe in the above thread wrote to use 2 virtual sensors, 1 for inside and 1 for outside.

Can you explain when we need 2 virtual sensors when inside and outside traffic is to be monitored? As usual, the traffic that I was going to monitor from the user VLAN to the server/DMZ VLAN, the same I will monitor for the outside VLAN, so why did Michael post that we should have 2 virtual sensors for inside and outside?

From your above reply, can you answer the below question?

Question: We used to see this a lot in the past when inline was a new feature and people were using 1 virtual sensor for multiple points and the traffic remaining the same due to bridging.  They introduced multiple virtual sensors to get around this later on.

Answer ???

Thanks

Scott Nishimura
Cisco Employee

Hi Estela,

I can't really comment on the design; however, since you are using inter-VLAN routing between the two inlines, you can get away with running one virtual sensor.  You may use two virtual sensors if you want.  Again, that is the reasoning for the multiple virtual sensors.

Since you have up to 4 virtual sensors, you can use two of them for this.

thanks,

scott

Hello Scott,

I appreciate your replies and being with me to help; I just need to be clear on each and every point rather than being a parrot engineer.

From your above reply, can you answer the below question?

Question: We used to see this a lot in the past when inline was a new feature and people were using 1 virtual sensor for multiple points and the traffic remaining the same due to bridging.  They introduced multiple virtual sensors to get around this later on.

Answer ???

Tell me any scenario with a traffic flow explanation that says we need 2 virtual sensors.

Thanks

hi Estela,

Not a problem, glad to help you.  The scenario that comes to mind is if you were bridging two VLANs for whatever reason, maybe another external device connected to the 6500 switch.  Something like this:

vlan1----IDSM2-----vlan 2-----switch-------externaldevice-----switch----vlan3----IDSM2----vlan4

Everything was bridged.  Not sure why you would, but if it were, then the packet would be the same throughout the entire flow.

With the IDSM2 you won't really run into this much; with our external 42xx series IPS devices you could, and because the code is the same base, you would need 2 virtual sensors, like this:

host A-----inline4200IPS----vlan1switch------inline4200IPS---host B

Simplified, of course.

regards,

scott
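The two cases Scott describes (a bridged flow crossing the same virtual sensor twice unchanged, versus an inter-VLAN routed flow whose MAC addresses and TTL change between the two inline pairs), and the two-virtual-sensor fix, as an added simplified model; this is constructed for this thread, is not IDSM-2 code, and the sensor's "drop on identical packet" rule and the sample packet are assumptions made only to illustrate the behaviour described above.

```python
from dataclasses import dataclass, replace

# Constructed toy model of the "same packet seen twice" behaviour discussed
# in this thread. A real sensor tracks flow/normalizer state; here a virtual
# sensor simply remembers every packet it has inspected inline.

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    payload: bytes

class VirtualSensor:
    """One virtual sensor; an identical packet seen a second time is dropped."""
    def __init__(self, name):
        self.name = name
        self.seen = set()

    def inspect(self, pkt):
        if pkt in self.seen:
            return "drop"
        self.seen.add(pkt)
        return "pass"

def bridge(pkt):
    # Layer-2 bridging between VLANs: the frame is forwarded unchanged.
    return pkt

def route(pkt, router_mac, next_hop_mac):
    # Inter-VLAN routing (MSFC or FWSM): MACs rewritten, TTL decremented.
    return replace(pkt, src_mac=router_mac, dst_mac=next_hop_mac, ttl=pkt.ttl - 1)

def run_path(pkt, first_vs, hop, second_vs):
    """Inline pair on segment 1 -> hop -> inline pair on segment 2.
    Returns the verdict at each inspection point (None if never reached)."""
    v1 = first_vs.inspect(pkt)
    if v1 == "drop":
        return (v1, None)
    return (v1, second_vs.inspect(hop(pkt)))

# Constructed sample packet: host on VLAN 100 talking to a server on VLAN 200.
SAMPLE = Packet("00:11:22:33:44:55", "00:00:0c:9f:f0:01",
                "10.1.1.10", "10.2.2.20", 64, b"GET / HTTP/1.1")

def bridged_one_sensor():
    vs0 = VirtualSensor("vs0")
    return run_path(SAMPLE, vs0, bridge, vs0)          # second pass dropped

def routed_one_sensor():
    vs0 = VirtualSensor("vs0")
    hop = lambda p: route(p, "00:00:0c:9f:f0:02", "00:aa:bb:cc:dd:ee")
    return run_path(SAMPLE, vs0, hop, vs0)             # rewritten, so passes

def bridged_two_sensors():
    return run_path(SAMPLE, VirtualSensor("vs0"), bridge, VirtualSensor("vs1"))
```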
