Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
351
Views
0
Helpful
4
Replies

CSPM 3.0

wongks
Level 1
Level 1

‎06-05-2002 09:19 AM - edited ‎03-08-2019 10:51 PM

Hi,

Currently I am also configuring a CSPM 3.0 to monitor my PIX firewall and

routers. If my routers and PIX are running HSRP and failover.

How should I configure my CSPM 3.0?

For your advice.

Thank you.

Labels:
0 Helpful
4 Replies 4

yusuff
Cisco Employee
Cisco Employee

‎06-05-2002 09:06 PM

Please see the following information with relation to the configuration of CSPM for HSRP...

CSPM does not actually support HSRP, however, there is a way around this.

Modeling Requirement for CSPM with HSRP:

The challenge for CSPM is:

1. Both routers are managed, that their real physical addresses should be selected for control;

2. HSRP address should be used for route calculation in CSPM (on top of its interfaces list), e.g. a PIX needs to point to it as the default gateway.

#This two requirements make using a cloud not feasible.

Modeling HSRP in CSPM with Interface Address overloading:

It is simply to overload the routers interface with their real and HSRP addresses.

The HSRP address needs to be before the physical address, thus it is used as the routing gateway address by others.

Select the physical address for management by CSPM.

Step by step to configure CSPM with HSRP:

1. create one interface on IOS1 (first router) with HSRP address (this interface could be create anytime, but it needs to be on top of all interfaces of this IOS device so this HSRP address will be used for routing calculation).

2. create one interface on IOS1 with physical address, select this interface for management by CSPM.

3. repeat step 1 and 2 on IOS2 (second router).

HTH

R/Yusuf

0 Helpful

wongks
Level 1
Level 1
In response to yusuff

‎06-07-2002 10:44 PM

Hi,

Thanks for your reply.

I am thinking that if the HSRP interface is created, will be the ip address and the subnet mask overlaps the ones with the physical interface?

For your enlightenment, pls. Thank you.

Regards,

Andrew

0 Helpful

yusuff
Cisco Employee
Cisco Employee
In response to wongks

‎06-08-2002 07:16 PM

You do not need to configure seperate interface with the physical ip address and another seperate interface with the HSRP IP. This is wrong. The workaround for getting CSPM to work with a HSRP router is the following :

Note : HSRP on router should be configured first. <------

To make sure correct routes are generated by CSPM follow this, do this in the CSPM application :

1. create interface on IOS1 (first router)

2. add HSRP IP address (this IP address could be created anytime, but it needs to be on top of all IP addresses of this interface so this HSRP address will be used for routing calculation).

3. on the same interface add physical address and select this address for management by CSPM

4. repeat steps 1-3 on IOS2 (second router)

As i mentioned in step 3, ON THE SAME INTERFACE, add physical IP address and select this for management. This way, you will be able to have 2 IPs on same interface, one hsrp and another physical.

Hope that clarifies.

R/Yusuf

0 Helpful

wongks
Level 1
Level 1
In response to yusuff

‎06-12-2002 01:15 PM

Hi,

Quite new to CSPM 3.0...

Will give it a try and let you know.

Thanks.

Regards,

Andrew

0 Helpful
Customers Also Viewed These Support Documents