Cisco Support Community
Community Member

Using IDSM with FWSM in multiple context

Hi,

I would like to know whether it is possible to use IDSM across two distinct contexts in FWSM.

6 REPLIES

Re: Using IDSM with FWSM in multiple context

Yes you can.

In promiscuous mode you tap the required traffic (all FWSM context VLANs) at the switch and copy that traffic to the IDSM.

Syed

Community Member

Re: Using IDSM with FWSM in multiple context

Thanks Syed.

If I were to use inline mode when there are distinct active contexts across two FWSMs, will it be possible?

Re: Using IDSM with FWSM in multiple context

Yes you can.

You can configure IDSM-2 in inline VLAN pair mode. IDSM-2 performs VLAN bridging between pairs of VLANs within the same data port operating as an 802.1q trunk.

IDSM-2 has two data ports (sensing ports).

You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port.

So with two sensing ports you can have 2 x 255 inline VLAN pairs.

(Obviously it's not recommended to have so many VLAN pairs. Remember that IDSM throughput is hardly 500 Mbps and it can easily become a bottleneck in front of the FWSM, which has much higher throughput.)

HTH

Syed

Community Member

Re: Using IDSM with FWSM in multiple context

Thanks.

Once more for clarity.

Let's say contextA is active on FWSM1 placed in Cat6500(1) and contextB is active on FWSM2 placed in Cat6500(2). IDSM(1) is installed on Cat6500(1) and IDSM(2) is installed on Cat6500(2).

Can both the active contexts on different FWSMs be inspected by the IDSMs simultaneously? Which IDSM shall inspect which FWSM? Is it 1 to 1 and 2 to 2?

Re: Using IDSM with FWSM in multiple context

Unlike FWSM/ACE, where you could have one FWSM active and the other standby, in IDSM there are no such states.

You will have to extend all FWSM and IDSM VLANs over the trunk between the two switches and then configure STP (Spanning Tree Protocol) such that it puts one path in forwarding mode and the other in blocking mode.

For example, if context1 is active in SW1 and standby in SW2, then STP will ensure that the link between active context1 (of SW1) and IDSM (of SW1) is in forwarding state, and the link between standby context1 (of SW2) and IDSM (of SW2) is in blocking state.

Syed

Community Member

Re: Using IDSM with FWSM in multiple context

Would you be able to provide a short example of extending FWSM/IDSM VLANs over the trunk and configuring STP where different active contexts reside on both FWSMs?
