[c-nsp] traffic flow in 6500 switch with FWSM and IDSM

Fred Reimer freimer at ctiusa.com
Wed Nov 7 08:30:08 EST 2007


There are many ways that you can configure the 6500 with a FWSM
and IDSM.  It depends on what you want to do with it.  You can
place the MSFC (routing entity) inside or outside of the FWSM.  I
prefer inside unless there is a really good reason to have it
outside (such as routing sessions to providers, etc) as you don't
need to secure it quite as much as when it is on a publicly
accessible address.  You could also use VRF on the MSFC and have
one instance on the outside and one on the inside (or a bunch of
instances and one on each DMZ interface of the FWSM also).  For
the IDSM you also have an option of in-line mode or not.  You
want in-line mode if you want IPS functionality, and promiscuous
mode if you want IDS functionality.  Again, you can place the
IDSM inside or outside the FWSM, but it really makes sense to
drop malicious traffic before it even reaches your FW.  Perhaps
have it look like Internet -- IDSM -- MSFC -- FWSM -- MSFC --
inside networks.  You really need to talk to, or hire, a security
specialist.

Fred Reimer, CISSP, CCNP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
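As an added illustration of the layout Fred describes (MSFC kept inside the FWSM, IDSM-2 running inline in front of the firewall so malicious traffic is dropped before it reaches the FW), here is a Catalyst 6500 configuration fragment. It is not from the original post or from Cisco documentation quoted in this thread; the slot numbers (FWSM in slot 3, IDSM-2 in slot 5), VLAN numbers (100 Internet-facing, 101 FWSM outside, 200 FWSM inside, 300 DMZ, 900 sensor management) and all addresses are assumed for illustration, FWSM 3.x-style interface syntax is assumed, and the exact commands should be checked against the IOS and FWSM releases in use.

```cisco
! ---- Supervisor / MSFC side (assumed: FWSM in slot 3, IDSM-2 in slot 5) ----
!
! VLAN 100 is where the upstream (provider-facing) router sits; VLAN 101 is
! the FWSM "outside". The IDSM-2 bridges 100 <-> 101 as an inline VLAN pair,
! so every packet from the Internet is inspected, and can be dropped, before
! the FWSM ever sees it.
vlan 100
 name internet-edge
vlan 101
 name fw-outside
vlan 200
 name fw-inside
vlan 300
 name dmz
!
! Inline VLAN pair on IDSM-2 data-port 1 (IPS behaviour). Promiscuous (IDS-only)
! mode would instead feed the data port from a SPAN session:
!   monitor session 1 source vlan 101 both
!   monitor session 1 destination intrusion-detection-module 5 data-port 1
intrusion-detection module 5 data-port 1 trunk allowed-vlan 100,101
! Sensor command-and-control interface (assumed VLAN 900)
intrusion-detection module 5 management-port access-vlan 900
!
! Hand VLANs 101, 200 and 300 to the FWSM. The FWSM, not the MSFC, is the
! Layer 3 hop between outside, inside and DMZ.
firewall vlan-group 1 101,200,300
firewall module 3 vlan-group 1
!
! MSFC stays "inside": its only SVI on a firewall VLAN is on the inside side.
! No SVI exists on VLAN 100 or 101, so the MSFC is never on a publicly
! reachable address. Internal user VLANs (not shown) keep their SVIs on the
! MSFC as default gateways, exactly as in the question.
interface Vlan200
 description MSFC inside face, next hop for the FWSM inside interface
 ip address 10.1.200.2 255.255.255.0
!
! Anything the MSFC does not know about goes to the FWSM inside address.
ip route 0.0.0.0 0.0.0.0 10.1.200.1
!
! ---- FWSM side (single routed context, assumed addresses) ----
interface Vlan101
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.1.200.1 255.255.255.0
interface Vlan300
 nameif dmz
 security-level 50
 ip address 10.1.30.1 255.255.255.0
!
! Upstream router is on VLAN 100, reachable through the IDSM-2 bridge.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Internal summary (assumed) points back at the MSFC inside SVI.
route inside 10.0.0.0 255.0.0.0 10.1.200.2
```

Resulting packet path for an inbound flow: upstream router (VLAN 100) -> IDSM-2 inline pair -> VLAN 101 / FWSM outside -> FWSM policy -> VLAN 200 / MSFC SVI -> internal VLAN. Outbound traffic from an internal host hits its MSFC SVI first, follows the MSFC default route to the FWSM, and leaves through the IDSM-2 again. The VRF variant Fred mentions (one MSFC instance outside, one inside) is not shown; it adds an SVI on VLAN 101 in a separate VRF and requires `firewall multiple-vlan-interfaces`.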




-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas
Sharma
Sent: Wednesday, November 07, 2007 3:14 AM
To: cisco-nsp at puck.nether.net; Oliver Boehmer (oboehmer)
Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM

Hi,

I have FWSM and IDSM-2 on a 6500 switch. Since I am not a security
guy I am not able to visualize how traffic flow will take place in
this situation. My requirement is to secure internal traffic from
external / DMZ traffic and inspect malicious traffic. Can someone
give me the logical picture of how packets will flow inside the
6500 switch? Whether it will first go to FWSM then to MSFC, or
first to MSFC then firewall? I have VLANs (SVIs) created on the
MSFC and these IPs are the default gateway for my internal traffic.

Any help is appreciated...

Regards
Vikas Sharma
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/