I have bridged the FWSM VLANs (named DMZ, DMZ-BRIDGE) via the IDSM. However, in the 'show failover' output on the FWSM the server VLAN shows as 'No Link/Unknown'. Is it because there is no IP assigned? Is this the right status/configuration? Do I need to assign an IP to the bridged VLAN? Please assist.
This host: Primary - Active
Interface DMZ-BRIDGE (0.0.0.0): No Link (Not-Monitored)
Other host: Secondary - Standby Ready
Interface DMZ-BRIDGE (0.0.0.0): Unknown (Not-Monitored)
All interfaces of the FWSM should have IP addresses assigned to them.
I think you are doing it wrong. You don't bridge FWSM VLANs.
Let's suppose your FWSM has VLAN 10 & VLAN 20 and you are bridging VLAN 20 & VLAN 30 using the IDSM; then the FWSM needs IPs for both VLAN 10 & 20.
vlan 10 --- (outside)FWSM(inside) --- vlan 20 -- IDSM -- vlan 30 -- Servers
This way the IDSM is inline between the FWSM & the server VLAN.
Syed Iftekhar Ahmed
Taking your example, wouldn't VLAN 30 be defined on the FWSM and assigned to it as well via 'firewall vlan-group' on the switch?
So, do I need to assign the IP to VLAN 30? VLAN 30 is showing as 'No Link/Unknown' in the 'show failover' command on the FWSM.
Current design is
1) Front End Web/Application Servers segment
2) Backend Authentication and application database segment
3) Backend infrastructure database segment.
A lot of intercommunication happens between these segments. Is it feasible to apply the IDSM to all the flows (or will that be too heavy? I know it requires actual transaction numbers, which are not available now). The ASA IPS is already inspecting the traffic coming from the Internet onto the Application/Web Servers segment.
I would like to use the IDSM for the backend. So is it OK if I were to apply the IDSM to all traffic coming into segment #2 and segment #3, regardless of where it is coming from?
Could you also please let me know, if I were to use the IDSM between the ACE client/server VLANs, how I can achieve it?
Using the above example, VLAN 20 is the ACE client VLAN and VLAN 30 is the server VLAN. VLAN 20 is the interface/SVI on the FWSM. How can I bridge/inspect traffic between VLAN 20 & VLAN 30 through the IDSM?
In most data centers the IDSM could be a bottleneck due to its 600 Mbps (promiscuous) & 500 Mbps (inline) limitation.
If it's placed inline and has no capacity to process new packets, then like any other inline device it will start dropping packets.
In your case you need to know the throughput needed between segments.
If you are not sure then don't use the IDSM in inline mode.
In promiscuous mode, using a VACL you can define the traffic to be examined by the sensor using ACLs.
Although an IPS exists at the WAN/Internet layer, it's still desirable to have IPS/IDS at the service layer to protect resources from getting compromised.
When we say bridging VLANs using the IDSM, we mean the IDSM in inline mode. In the case of ACE, if you want to use the IDSM inline then you will bridge the server VLAN interface of the ACE & the actual server VLANs.
VLAN X (client VLAN) -- ACE -- (server VLAN) VLAN Y -- IDSM -- (real server VLAN) VLAN Z
In the above example you will bridge VLANs Y & Z. Since you are bridging the two VLANs, the same IP address space will be used in the two VLANs.
My current scenario is that the real servers are connected to the ACE server VLAN. Please review my steps below, if I were to do the above change for the migration (i.e. to include the IDSM in the existing setup):
ACE Client VLAN - VLAN10
ACE Server VLAN - VLAN20
1) Create another VLAN on CAT6500 say VLAN30
2) Move all the ports in VLAN20 into VLAN30 (i.e. all real servers are connected to VLAN30 instead of VLAN20)
3) The IDSM will bridge VLAN20/30 with the following command on the switch:
intrusion-detection module 7 data-port 1 trunk allowed-vlan 20,30
Please advise whether anything else is required for the migration (inline mode).
In case the inline mode disrupts the production environment, and I want to deactivate the IDSM while keeping all three VLANs intact (passing the traffic without IPS inspection) and avoiding any major change, what would be the simplest way to do so?
Is it just to undo 'On IDSM (using IDM/CLI) create a vlan pair and assign it to interface gigabitethernet0/7'?
Is that it?
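The three migration steps above, written out as an added configuration example; this is not from either poster and not a Cisco-published config. The switch commands are Catalyst 6500 native IOS and the sensor commands are IPS 6.x CLI on the IDSM-2. Slot 7 and the command on step 3 are taken from the post; the port range Gi1/1 - 24, the VLAN name, the virtual sensor vs0 and the subinterface description are assumptions. The same inline VLAN pair configuration applies to the FWSM-inside/server VLAN bridging described earlier in the thread (VLAN 20/VLAN 30 in that example).

```cisco
! Added example (not from the thread). Slot, port range and names are assumed.
!
! Step 1: create the new real-server VLAN on the Catalyst 6500
vlan 30
 name ACE-REAL-SERVERS
!
! Step 2: move the real-server access ports from the ACE server VLAN (20)
! into VLAN 30. Gi1/1 - 24 stands in for the actual server ports.
interface range GigabitEthernet1/1 - 24
 switchport
 switchport mode access
 switchport access vlan 30
!
! Step 3: trunk both VLANs to the IDSM-2 data port (IDSM in slot 7 as quoted
! above). The sensor then bridges 20 and 30 as one inline VLAN pair, so the
! ACE server-side interface stays in VLAN 20 with its existing address and the
! servers keep their addresses; one subnet now spans both VLANs.
intrusion-detection module 7 data-port 1 trunk allowed-vlan 20,30
!
! Verify the data port on the switch side:
! show intrusion-detection module 7 data-port 1 state
!
! --- IDSM-2 sensor CLI (IPS 6.x): create the inline VLAN pair on Gi0/7 ---
! sensor# configure terminal
! sensor(config)# service interface
! sensor(config-int)# physical-interfaces GigabitEthernet0/7
! sensor(config-int-phy)# admin-state enabled
! sensor(config-int-phy)# subinterface-type inline-vlan-pair
! sensor(config-int-phy-inl)# subinterface 1
! sensor(config-int-phy-inl-sub)# vlan1 20
! sensor(config-int-phy-inl-sub)# vlan2 30
! sensor(config-int-phy-inl-sub)# description ACE-server-VLAN-to-real-servers
! sensor(config-int-phy-inl-sub)# exit
! sensor(config-int-phy-inl)# exit
! sensor(config-int-phy)# exit
! sensor(config-int)# exit
! Apply Changes:?[yes]: yes
!
! --- assign the pair to a virtual sensor so traffic is actually inspected ---
! sensor(config)# service analysis-engine
! sensor(config-ana)# virtual-sensor vs0
! sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
! sensor(config-ana-vir)# exit
! sensor(config-ana)# exit
! Apply Changes:?[yes]: yes
!
! Check that the pair is up and forwarding before moving the server ports:
! sensor# show interfaces
! sensor# show statistics virtual-sensor
```

The order matters for an outage window: build the VLAN pair on the sensor and trunk the data port first, then move the server ports into VLAN 30; until the ports move, VLAN 30 carries no hosts and nothing changes for production. Removing the subinterface from the virtual sensor and the VLAN pair from Gi0/7 stops the bridging, so as the reply below notes, the servers would then have to be moved back into VLAN 20 (or another L2 path between 20 and 30 provided) for traffic to flow without the IDSM.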
Disabling the signature will only make the IDSM not trigger an action for matched traffic.
What if traffic needed to be processed by IDSM is more than its Processing capacity?
As I said earlier, it's not just the IDSM; any device you use inline can drop packets if it receives packets beyond its processing power. If you remove any inline device from any topology, you have to make L2/L3 adjustments.
Syed Iftekhar Ahmed