Backup L2 path to IPS running inline VLAN pair mode
I have an IPS running inline VLAN pair mode that bridges 2 x VLANs into 1 x L2 broadcast domain, allowing servers in one VLAN and the gateway in another to connect to each other while forcing traffic via the IPS for screening etc. This operates over a trunk link, so there are 4 pairs of VLANs in my case getting bridged by the IPS from one switch to another, with the IPS being in the middle, and this works well.
I unfortunately was only given budget for one IPS at the moment and would like to introduce a backup L2 path that the traffic will failover to in the event the IPS for some reason can't bridge the VLANs. I was hoping that STP would handle this so when the IPS dropped out, using PVST the VLANs would transition to forwarding on the backup link.
The problem is that without something bridging the VLAN pairs, I can't find any elegant solution to this problem and was wondering if anyone had any ideas?
Since the gateway lives in VLAN 10, say, and the server in VLAN 110, if the IPS goes offline then, without manually changing the VLAN the server is in to be the same as the gateway, I'm not sure of a way to make this automagic.
I thought of using the 'VLAN translation' feature on our 6513 to rewrite the VLAN tag of frames on both ingress/egress of the secondary trunk link, but when I tested the config it didn't seem to work.
If anyone has any ideas on how to make this work, I'd love to hear.
This is a problem with the way Cisco does VLAN pairs. Changing the VLAN number makes it impossible to easily fail around a downed sensor.
Fortunately, the Cisco sensors will happily ignore VLAN tags around traffic. If you make your switch interfaces trunks and put your sensor into interface pair mode, you can pass a VLAN trunk through your sensor without the sensor changing the VLAN numbers. Then you can run a second trunk between your switches, give the VLANs within it a higher STP cost, and use that cable as failover.
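The design described in this answer, written out as an added IOS configuration example (not from the original poster or from Cisco documentation): Switch A's side of both trunks, with the sensor in interface pair mode sitting transparently on the primary trunk and the direct backup trunk carrying a higher per-VLAN STP cost so PVST blocks it until the sensor path goes away. Interface names, the use of rapid PVST and VLANs 10,20,30,40 (the four former VLAN pairs, now one VLAN each end to end) are assumptions; Switch B mirrors this configuration.

```cisco
! Switch A - added example, not the poster's config. Switch B is configured the same way.
! Gi1/1 -> IPS (inline interface pair) -> Switch B   : primary, inspected path
! Gi1/2 -> Switch B directly                         : backup, uninspected path
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/1
 description Primary trunk via IPS interface pair (default STP cost, preferred path)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport nonegotiate
 ! no cost override here: the default GigE cost keeps this the forwarding path
!
interface GigabitEthernet1/2
 description Backup trunk bypassing IPS - STP blocks it while Gi1/1 is up
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport nonegotiate
 ! raise the cost only on the bridged VLANs so every pair fails over the same way
 spanning-tree vlan 10,20,30,40 cost 1000
!
! Verify on the non-root switch: Gi1/1 should show FWD and Gi1/2 BLK for each VLAN
! show spanning-tree vlan 10
```

STP only moves traffic to Gi1/2 when Gi1/1 loses link or stops receiving BPDUs, so if the sensor's software bypass is set to auto it will keep forwarding uninspected on the primary path without STP ever noticing; log the topology changes and alert on Gi1/2 entering forwarding, because while it is active nothing is being screened.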