https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454890#M67276 <HTML><HEAD></HEAD><BODY><P>The sensor knows the vlan tags, so he will change the vlan tags when bridging the vlans.</P><P>I hope it makes sense.</P><P></P><P>PK</P></BODY></HTML> Tue, 08 Jun 2010 23:58:07 GMT Panos Kampanakis 2010-06-08T23:58:07Z https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454885#M67271 <P>Hello Experts,</P><P></P><P></P><P>I´m implementing INLINE VLAN PAIRS in two 4260 and a 4270.</P><P></P><P>I know that the BYPASS is a software failover. But what is going to happen if the hardware fails???? </P><P></P><P></P><P>Who is going to do the VLAN re-tagging???</P><P></P><P>What is going to happen with that traffic?</P><P></P><P></P><P>Is there are way to configure the switch to re-direct the traffic if the IPS is DOWN. of a way to do the re-tag in the switch?</P><P></P><P>I would really appreciate your comments and suggestions.</P> Sun, 10 Mar 2019 12:01:12 GMT https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454885#M67271 Diego Armando Cambronero Arias 2019-03-10T12:01:12Z https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454886#M67272 <HTML><HEAD></HEAD><BODY><P>You need to perform the failopen function outside the IPS sensor.</P><P>Use an external (to the sensor) switch, create two VLANS, connect them together via the sensor (each VALN to sensor connection is a Trunk with one one VLAN in it). Then create a second connection via a patch cable betwen the two VLANS, give it a higher STP metric, enable Spanning tree on these 4 ports. The bypass cable will only run traffic if the sensor stops passing BPDUs.</P><P></P><P>- Bob</P></BODY></HTML> Mon, 07 Jun 2010 17:00:28 GMT https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454886#M67272 rhermes 2010-06-07T17:00:28Z https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454887#M67273 <HTML><HEAD></HEAD><BODY><P>Hi rhermes,</P><P></P><P></P><P>I understood the STP part but not the connections part. I´m using only 1 interface to do the VLAN PAIR, the retag is being done in an interface.(and 1 interface in the switch). where should I connect the 4 ports.</P><P></P><P>Thank you for your time.</P></BODY></HTML> Mon, 07 Jun 2010 17:28:36 GMT https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454887#M67273 Diego Armando Cambronero Arias 2010-06-07T17:28:36Z https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454888#M67274 <HTML><HEAD></HEAD><BODY><P>If you're only using one interface on the sensor, then you only need three switch ports; one trunking both VLANS to the sensor and one port in each VLAN as a regular (non-trunked) access port connected together via a patch cable.</P><P></P><P>- Bob</P></BODY></HTML> Mon, 07 Jun 2010 18:31:16 GMT https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454888#M67274 rhermes 2010-06-07T18:31:16Z https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454889#M67275 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>last question. Who is going to make the vlan re-tagging? will VLAN 1 be able to talk to VLAN2 ?</P></BODY></HTML> Tue, 08 Jun 2010 17:57:11 GMT https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454889#M67275 Diego Armando Cambronero Arias 2010-06-08T17:57:11Z https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454890#M67276 <HTML><HEAD></HEAD><BODY><P>The sensor knows the vlan tags, so he will change the vlan tags when bridging the vlans.</P><P>I hope it makes sense.</P><P></P><P>PK</P></BODY></HTML> Tue, 08 Jun 2010 23:58:07 GMT https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454890#M67276 Panos Kampanakis 2010-06-08T23:58:07Z https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454891#M67277 <HTML><HEAD></HEAD><BODY><P>When traffic flow through the IPS Sensor, the VLAN pair in the sensor will re-tag the traffic on the trunk port..</P><P>When the sensor stops passing layer 2 frames, Spanning trree Protocol will unblock the failover cable port and allow traffic to pass between VLAN 1 and VLAN2 untaged (these poerts are not trunks).</P><P></P><P>- Bob</P></BODY></HTML> Wed, 09 Jun 2010 05:17:28 GMT https://community.cisco.com/t5/network-security/vlan-pairs-bypass-or-failover/m-p/1454891#M67277 rhermes 2010-06-09T05:17:28Z