
idsm in promiscuous mode for multiple firewall context


We want to monitor the outside interface on virtual firewalls using IDSM in promiscuous mode.

Can someone provide the sample config on what is to be configured on the 7600 chassis and IDSM?

If there are 20 virtual firewalls, how do we monitor the outside interface of these firewalls?

A step-by-step config will be much appreciated. We would like to use only one sensing interface of the IDSM module.

If we are using promiscuous mode, should Global Correlation be enabled?

IDSM doesn't operate in failover mode like FWSM/ACE on the chassis; what is the best practice in this scenario?

If IDSM A of switch A goes down, how can we make IDSM B from switch B monitor the active FWSM outside interface on switch A?



Re: idsm in promiscuous mode for multiple firewall context


You can configure the 7600 to span all 20 virtual firewall VLAN interfaces and forward them to the IDSM. Example:

monitor session 1 source vlan 200 - 220  (change this to reflect your VLANs)

monitor session 1 destination intrusion-detection-module 8 data-port 1  (assuming the module is in slot 8 and using data port 1)

Then on the IDSM itself, you set this up just like any other sensor: you assign the physical interface you used above to the virtual sensor and you can configure your signatures etc.

Then I recommend configuring the sensor side using IDM:

As for global correlation, although it's usually used with inline mode, it can also add benefit in promiscuous mode. For example, you may see signatures that are normally informational get elevated to medium. And depending on whether you are using blocking or not, it might drop the traffic.

As for failover: IDSM doesn't have a failover mode (like FWSMs), but there is no need for it when you are in promiscuous mode. Just configure both blades the same way, monitoring the same VLANs (which should already be trunked across the switches). This way the IDSM on whichever switch is getting the traffic will act on the traffic.

Let me know if this answers your questions.
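The step-by-step version of the reply above, as an added example that is not part of the original post: the supervisor side uses the same SPAN session (slot 8, data port 1, outside VLANs 200-220, all taken from the reply), and the sensor side binds that sensing port to a virtual sensor from the IPS CLI. Assumed values are the management VLAN (100), the virtual sensor name (vs0, the default) and the mapping of IDSM-2 data port 1 to GigabitEthernet0/7; confirm the interface name with "show interfaces" on your own blade before applying it.

```text
! ---- 7600 supervisor (switch A) ----
! Management port for the blade; VLAN 100 is an assumed value.
intrusion-detection module 8 management-port access-vlan 100
!
! One local SPAN session: every context's outside VLAN is a source,
! the IDSM data port is the destination. Add "rx" to the source line if
! the same frame shows up twice because it is switched between two of the
! monitored VLANs (both directions are captured by default).
monitor session 1 source vlan 200 - 220
monitor session 1 destination intrusion-detection-module 8 data-port 1
!
! Verify the session is up and the destination is the blade.
show monitor session 1

! ---- IDSM-2 blade (IPS CLI) ----
! Data port 1 is assumed to be GigabitEthernet0/7; check "show interfaces".
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# description SPAN feed from 7600 slot 8 data-port 1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
!
! A single, unpaired interface assigned to a virtual sensor runs in
! promiscuous mode; no inline pair is created.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
!
! Confirm the sensing port is enabled and counting packets.
sensor# show interfaces

! ---- switch B / IDSM B ----
! Apply the identical SPAN session and sensor configuration on the second
! chassis. The outside VLANs are already trunked between the switches, so
! whichever chassis is carrying the active FWSM's traffic feeds its own blade
! and no IDSM failover mechanism is needed.
```

If a later "show interfaces" on the blade shows the sensing port receiving no packets, the first thing to check is "show monitor session 1" on the supervisor: the session must list the intrusion-detection-module as its destination, and the outside VLAN of each context must actually be among the source VLANs.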

