10-01-2018 11:18 AM - edited 02-21-2020 08:18 AM
As I read the snort-ips.pdf and other related sites online...
When configuring the Virtual Port Groups, VPG 0 is supposed to be the Management Interface. The VPG 1 is supposed to be the Data Traffic interface. The VPG 0 is routable on the network, VPG 1 is NOT routable.
I configured mine as such. But, when I try to get a signature update from my local server, it is the VPG 1 IP address that I see hitting my firewall. Therefore, I have to make the VPG 1 subnet routable - not what the instructions say to do. The signature update is successful when I do this.
How could I have the configuration incorrect?
Or, are the Cisco descriptions and notes incorrect?
10-03-2018 08:14 AM
I've deployed another router and discovered it is acting as it should using Cisco's documentation, getting updates from the VPG 0.
I did notice something unique with my first router.
In the sh run, it's listed like this:
virtual-service UTDIPS
 profile low
 vnic gateway VirtualPortGroup1
  guest ip address 10.40.8.2
 vnic gateway VirtualPortGroup0
  guest ip address 192.0.2.2
 activate
Where my second and other routers have the VPG 0 listed first and VPG 1 listed second.
Is it possible there is a bug in the virtual service where it uses the first VPG in the list and not the actual VPG 0?
As a side note, I guess I will need to remove / delete the virtual service and recreate it to fix my issue?
10-31-2018 03:25 AM
Dear all, recently I had the same problem and even opened TAC ticket.
They said,
===
Hello,
As we agreed, I reached our Developers regarding our question. They confirmed that the order of operations matters and the first VPG will be used for management and the second for traffic.
===
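The ordering point raised in the second post and confirmed by TAC in the third is easy to audit across a fleet: parse each router's running-config, find every `virtual-service` block, and flag any whose first `vnic gateway` is not the VPG you intend to use for management. The script below is an added example written for this thread, not Cisco's code or tooling; the two config excerpts it contains are constructed from the `sh run` fragment posted above (the suspect ordering) and the ordering the poster reports on the other routers. The assumption that the management VPG should be `VirtualPortGroup0` is the one stated in the thread and is a parameter you can change.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the first router's excerpt, with VirtualPortGroup1 listed first
SUSPECT_CONFIG = """\
virtual-service UTDIPS
 profile low
 vnic gateway VirtualPortGroup1
  guest ip address 10.40.8.2
 vnic gateway VirtualPortGroup0
  guest ip address 192.0.2.2
 activate
"""

# Constructed sample: the ordering the poster sees on the routers that behave correctly
EXPECTED_CONFIG = """\
virtual-service UTDIPS
 profile low
 vnic gateway VirtualPortGroup0
  guest ip address 192.0.2.2
 vnic gateway VirtualPortGroup1
  guest ip address 10.40.8.2
 activate
"""

VS_RE = re.compile(r"^virtual-service\s+(\S+)\s*$")
VNIC_RE = re.compile(r"^\s*vnic gateway\s+(VirtualPortGroup\d+)\s*$")
GUEST_RE = re.compile(r"^\s*guest ip address\s+(\S+)\s*$")


def parse_vnics(config: str) -> Dict[str, List[Dict[str, Optional[str]]]]:
    """Return {service_name: [{"vpg": ..., "guest_ip": ...}, ...]} in config order.

    Order is preserved deliberately: per the TAC reply, the first vnic gateway
    in the block is the one the virtual service uses for management.
    """
    services: Dict[str, List[Dict[str, Optional[str]]]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = VS_RE.match(line)
        if m:
            current = m.group(1)
            services[current] = []
            continue
        if current is None:
            continue
        if line and not line.startswith(" "):
            current = None  # a non-indented line ends the virtual-service block
            continue
        m = VNIC_RE.match(line)
        if m:
            services[current].append({"vpg": m.group(1), "guest_ip": None})
            continue
        m = GUEST_RE.match(line)
        if m and services[current]:
            services[current][-1]["guest_ip"] = m.group(1)
    return services


def audit_vnic_order(config: str, mgmt_vpg: str = "VirtualPortGroup0") -> List[str]:
    """Flag every virtual-service whose first vnic gateway is not the management VPG."""
    findings = []
    for name, vnics in parse_vnics(config).items():
        if not vnics:
            findings.append(f"{name}: no vnic gateway configured")
        elif vnics[0]["vpg"] != mgmt_vpg:
            findings.append(
                f"{name}: first vnic gateway is {vnics[0]['vpg']} "
                f"({vnics[0]['guest_ip']}); expected {mgmt_vpg} first, "
                f"so management traffic will leave via the data VPG"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("suspect", SUSPECT_CONFIG), ("expected", EXPECTED_CONFIG)):
        print(label, audit_vnic_order(cfg) or "OK")
```

Running the script reports the suspect excerpt and passes the expected one. Feeding it real `show running-config` output works the same way, since only the `virtual-service` blocks are inspected; a finding here explains why the data-side VPG address shows up at the firewall for signature updates, and the fix the thread arrives at (remove and recreate the virtual service with the management VPG first) is what you would apply on the flagged routers.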