Cisco Support Community

IDSM placement and redundancy question

Hi, Does the IDSM-2 support any sort of redundancy protocol?

I can't see anything in the config guide.

If I wanted to place a redundant pair on the outside of a pair of firewalls, how would I manage the redundancy of them?

My other question is, is it better to place the IDSM on the outside of external facing firewalls or on the inside?

Many Thanks, Dom


6 REPLIES

Re: IDSM placement and redundancy question

The IDSM-2 supports redundancy through the EtherChannel protocol. I can send you a sample config if you want.

IPS systems are generally placed behind firewalls because they have more throughput challenges than firewalls and by virtue of being behind the firewall they have to filter/scan less traffic.

Regards

Farrukh


Re: IDSM placement and redundancy question

Yeah that'd be great if you could.

Many Thanks in advance

Dom

Re: IDSM placement and redundancy question

These are two IDSM-2s connected to slots four and five of the same chassis. We are running FWSM >> MSFC OUTSIDE setup. All InterVLAN traffic is evaluated first by the IDSM, then by the FWSM. Users' default gateway is the FWSM.

Here you go:

! Management port of each IDSM-2 placed in access VLAN 100
intrusion-detection module 4 management-port access-vlan 100
intrusion-detection module 5 management-port access-vlan 100
! Data-port 1 of both modules bundled into port-channel 5,
! data-port 2 of both modules into port-channel 6, so each
! channel group survives the loss of either module
intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
! VLANs trunked to the IDSM pair over port-channel 5
intrusion-detection port-channel 5 trunk allowed-vlan 200-204,208
intrusion-detection port-channel 5 trunk allowed-vlan 708
intrusion-detection port-channel 5 autostate include
intrusion-detection port-channel 5 portfast enable
! VLANs trunked to the IDSM pair over port-channel 6
intrusion-detection port-channel 6 trunk allowed-vlan 260,280,400,401
intrusion-detection port-channel 6 trunk allowed-vlan 111-114
intrusion-detection port-channel 6 autostate include
intrusion-detection port-channel 6 portfast enable

Regards

Farrukh
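The following is an added example, not part of Farrukh's post or of any Cisco tool. It parses `intrusion-detection` lines of the kind shown above (using that posted config as its constructed sample input) and reports, per channel group, which module data-ports are members and which VLANs the trunk carries, so a pair of IDSM-2s can be checked for symmetric coverage before EtherChannel is relied on for the redundancy discussed in the first reply. It assumes that repeated `trunk allowed-vlan` lines for the same port-channel accumulate, as they do when a long VLAN list is split across lines in a running-config listing; the function names are the example's own.

```python
"""Consistency check for an IDSM-2 EtherChannel pairing (added illustration).

Assumptions not stated in the thread: repeated `trunk allowed-vlan` lines for
one port-channel accumulate; the sample below is the config posted above.
"""
import re
from collections import defaultdict

# Constructed sample input: the configuration posted in the thread.
SAMPLE_CONFIG = """\
intrusion-detection module 4 management-port access-vlan 100
intrusion-detection module 5 management-port access-vlan 100
intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
intrusion-detection port-channel 5 trunk allowed-vlan 200-204,208
intrusion-detection port-channel 5 trunk allowed-vlan 708
intrusion-detection port-channel 5 autostate include
intrusion-detection port-channel 5 portfast enable
intrusion-detection port-channel 6 trunk allowed-vlan 260,280,400,401
intrusion-detection port-channel 6 trunk allowed-vlan 111-114
intrusion-detection port-channel 6 autostate include
intrusion-detection port-channel 6 portfast enable
"""

MEMBER_RE = re.compile(
    r"^intrusion-detection module (\d+) data-port (\d+) channel-group (\d+)$")
VLAN_RE = re.compile(
    r"^intrusion-detection port-channel (\d+) trunk allowed-vlan (\S+)$")


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '200-204,208' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo          # a single VLAN has no '-' part
        vlans.update(range(int(lo), int(hi) + 1))
    return vlans


def parse_idsm_channels(config):
    """Return {channel_group: {"members": {(module, port), ...}, "vlans": {...}}}."""
    channels = defaultdict(lambda: {"members": set(), "vlans": set()})
    for line in config.splitlines():
        line = line.strip()
        m = MEMBER_RE.match(line)
        if m:
            module, port, group = (int(x) for x in m.groups())
            channels[group]["members"].add((module, port))
            continue
        m = VLAN_RE.match(line)
        if m:
            # Accumulate across repeated allowed-vlan lines (assumption above).
            channels[int(m.group(1))]["vlans"] |= expand_vlans(m.group(2))
    return dict(channels)


def find_coverage_gaps(channels):
    """Flag channel groups that one module failure would take down (only a
    single module contributes a data-port) and channel groups that carry no
    VLANs, which would inspect nothing."""
    problems = []
    for group, info in sorted(channels.items()):
        modules = {module for module, _ in info["members"]}
        if len(modules) < 2:
            problems.append(
                f"channel-group {group}: only module(s) {sorted(modules)}, no redundancy")
        if not info["vlans"]:
            problems.append(f"channel-group {group}: no allowed VLANs configured")
    return problems


if __name__ == "__main__":
    parsed = parse_idsm_channels(SAMPLE_CONFIG)
    for group, info in sorted(parsed.items()):
        print(f"port-channel {group}: members={sorted(info['members'])} "
              f"vlans={sorted(info['vlans'])}")
    for problem in find_coverage_gaps(parsed) or ["no coverage gaps found"]:
        print(problem)
```

Run against the posted config, both port-channels show members from module 4 and module 5 and a non-empty VLAN list, so no gap is reported; remove one module's data-port lines and the corresponding channel group is flagged as single-module.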


Re: IDSM placement and redundancy question

Thanks for your response Farrukh, I don't think I was clear enough in my original post. I meant chassis to chassis redundancy.

My client insists on putting the IDSMs on the outside of the firewall, in front of a pair of FWSMs (in separate chassis).

Maybe there isn't a need for a HA relationship between the IDSMs as the active FWSM will ensure that the traffic flows through one of the IDSMs and not the other?

Cheers, Dom

Re: IDSM placement and redundancy question

Please see the attached file for some design guidelines.

Regards

Farrukh


Re: IDSM placement and redundancy question

Many thanks Farrukh, that's very useful :)
