Solved: Dual IDSM and dual FWSM

nkariyawasam · ‎05-03-2009

I have two 65XX core switches in HSRP config. Both switches has FWSMs configured in Active and failover mode.

Both the switches has IDSM-2 as well. IDSM-2 in active switch will do the traffice analysis. It is supposed to change-over during failure of active core switch.

In active IDSM-2, active FWSM has been configured as a blocking device.

Can the IDSM-2 in standby switch also configre the same active FSWM unit ? ( In this case both IDSMs controlls the same FWSM.

marcabal · ‎05-03-2009

No, you should not configure 2 sensors to control the same firewall (or router or switch).

The 2 sensors will wind fighting for control of the firewall and remove each other's block commands in some situations.

So you have 2 choices.

1) Configure each IDSM-2 to only control it's associated FWSM.

or

2) Configure one IDSM-2 as the Master Blocking sensor and the other IDSM-2 as the Block Forwarding sensor. The Master Blocking sensor will control both FWSMs. You will lose all Blocking if te Master Blocking sensor goes down for some reason. There is no "failover" mechanism for the other IDSM-2 to take over.

View solution in original post

marcabal · ‎05-03-2009

No, you should not configure 2 sensors to control the same firewall (or router or switch).

The 2 sensors will wind fighting for control of the firewall and remove each other's block commands in some situations.

So you have 2 choices.

1) Configure each IDSM-2 to only control it's associated FWSM.

or

2) Configure one IDSM-2 as the Master Blocking sensor and the other IDSM-2 as the Block Forwarding sensor. The Master Blocking sensor will control both FWSMs. You will lose all Blocking if te Master Blocking sensor goes down for some reason. There is no "failover" mechanism for the other IDSM-2 to take over.