https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092190#M78472 <HTML><HEAD></HEAD><BODY><P>thanks for your very useful info. </P><P>I just found that I can simply connect IPS between ASA and switch and configure inline physical pair without to define vlan pair. in this situation, IPS inspect all traffic and ports in IPS act like trunk and it doesn't care about vlan ID. </P><P>am I right? I hope I am. </P><P>thanks </P><P>Alex</P><P></P></BODY></HTML> Tue, 04 Nov 2008 06:15:46 GMT alex goshtaei 2008-11-04T06:15:46Z https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092185#M78456 <P>Hi All, </P><P>Can I use inline pair in IPS as trunk? The IPS is connected to ASA in one end and connected to switch to another end. I'd like to use inline pair but I am not sure if it can pass all vlan traffic. </P><P>thanks </P><P>Alex</P><P></P> Sun, 10 Mar 2019 11:21:22 GMT https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092185#M78456 alex goshtaei 2019-03-10T11:21:22Z https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092186#M78462 <HTML><HEAD></HEAD><BODY><P>yes, they're called in-line vlan pairs.</P></BODY></HTML> Mon, 03 Nov 2008 16:29:49 GMT https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092186#M78462 rhermes 2008-11-03T16:29:49Z https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092187#M78463 <HTML><HEAD></HEAD><BODY><P>Thanks rhermes, </P><P>but in one end, there is ASA with eight subinterface with eight vlans, and the other end is the switch with trunk port. </P><P>In IPS, if I configure inline vlan pair, it is only allow me to bridge two vlan not eight vlan. </P><P>if you have any design suggestion how to connect IPS between ASA and switch with 8 vlan, that would be very appreciated. </P><P>thanks </P><P>Alex</P><P></P></BODY></HTML> Mon, 03 Nov 2008 16:43:53 GMT https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092187#M78463 alex goshtaei 2008-11-03T16:43:53Z https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092188#M78467 <HTML><HEAD></HEAD><BODY><P>The in-line mode of the IPS sensors allows you to specify multiple in-line VLAN pairs.</P></BODY></HTML> Mon, 03 Nov 2008 18:46:45 GMT https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092188#M78467 rhermes 2008-11-03T18:46:45Z https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092189#M78470 <HTML><HEAD></HEAD><BODY><P>I would suggest to use atleast 2 physical interface on the IPS device for the 8 vlans you have.</P><P></P><P>In inline VLAN pair, the IPS interface is doing the VLAN translation.</P><P>So, only allow the specific vlans on the trunk port, something like this:-</P><P></P><P>int f0/20</P><P>switchport trunk encapsulation dot1</P><P>switchport mode trunk </P><P>switchport trunk allowed vlan 11,12,13,14</P><P></P><P></P><P>int f0/21</P><P>switchport trunk encapsulation dot1</P><P>switchport mode trunk </P><P>switchport trunk allowed vlan 111,112,113,114</P><P></P><P></P><P>connect f0/10 and f0/20 to different interfaces on the IPS.</P><P>On the IPS, create vlan pairs, for vlan 11,12,13,14 and vlans 111,112,113,114.</P><P></P><P>Hope this helps</P></BODY></HTML> Tue, 04 Nov 2008 05:49:13 GMT https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092189#M78470 dhananjoy chowdhury 2008-11-04T05:49:13Z https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092190#M78472 <HTML><HEAD></HEAD><BODY><P>thanks for your very useful info. </P><P>I just found that I can simply connect IPS between ASA and switch and configure inline physical pair without to define vlan pair. in this situation, IPS inspect all traffic and ports in IPS act like trunk and it doesn't care about vlan ID. </P><P>am I right? I hope I am. </P><P>thanks </P><P>Alex</P><P></P></BODY></HTML> Tue, 04 Nov 2008 06:15:46 GMT https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092190#M78472 alex goshtaei 2008-11-04T06:15:46Z https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092191#M78476 <HTML><HEAD></HEAD><BODY><P>yes you are right, if its inline physical interface pair, then you don't have to care about the vlans.</P></BODY></HTML> Tue, 04 Nov 2008 09:22:01 GMT https://community.cisco.com/t5/network-security/ips-4240-inline-pair/m-p/1092191#M78476 dhananjoy chowdhury 2008-11-04T09:22:01Z