Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1079
Views
0
Helpful
1
Replies

Backup L2 path to IPS running inline VLAN pair mode

scottmcgillivray
Beginner
Beginner

‎08-03-2011 01:46 AM - edited ‎03-10-2019 05:26 AM

Hi,

I have an IPS running inline VLAN pair mode that bridges 2 x VLANs into 1 x L2 broadcast domain allowing servers in one VLAN and gateway in another to connect to each other while forcing traffic via the IPS for screening etc.. This operates over a trunk link so there is 4 pairs of VLANs in my case getting bridged by the IPS from one switch to another, with the IPS being in the middle and this works well.

I unfortunately was only given budget for one IPS at the moment and would like to introduce a backup L2 path that the traffic will failover to in the event the IPS for some reason can't bridge the VLANs. I was hoping that STP would handle this so when the IPS dropped out, using PVST the VLANs would transition to forwarding on the backup link.

The problem is without something bridging the VLAN pairs, i can't find any elegant solution to this problem and was wondering if anyone had any ideas?

Since the gateway lives in VLAN 10 say and the server in VLAN 110, if the IPS goes offline then without manually changing the VLAN the server is in to be the same as the gateway I'm not sure if a way to make this automagic.

I thought of using the 'VLAN translation' feature on  our 6513 to rewrite the VLAN tag of frames on both ingress/egress of the  secondary trunk link but when i tested the config it didn't seem to  work.

If anyone has any ideas on how to make this work i'd love to hear.

thanks

Scott

Labels:
0 Helpful
1 Reply 1

rhermes
Rising star
Rising star

‎08-03-2011 07:57 AM

Scott -

This is a problem with the way Cisco does VLAN pairs. Changing the VLAN number makes it impossible to eaily fail around a downed sensor.

Fortunately the Cisco Sensors will happily ignore VLAN tags around traffic. If you make your switch interfaces trunks, and put your sensor into interface pair mode, you can pass a VLAN trunk thru your sensor without the sensor changing the VLAN numbers. Then you can run a second trunk between your switches, give the VLANS within it a higher STP cost and use that cable as failover.

- Bob

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents