Inline-vlan-pair vs vlan-groups

alhagiepuye · ‎09-06-2012

Hi Robert,

Would you be able to elaborate on scenarios where vlan-groups are needed instead of inline-vlan-pairs? There doesn't seem to be much documentation out there explaining this.

Thanks in advance

Julio Carvajal · ‎09-06-2012

Inline Vlan Pair:

You only need one interface of the IPS to connecto to a pair of Vlans ( the interface wil be a trunk link)

http://popravak.wordpress.com/2012/03/30/cisco-ips-scenario-three-inline-vlan-pairs/

Inline Vlan group:

You will be ablo to split a interface of the IPS into sub-logical interfaces, where each of them will be a specific vlan.

The good part of this is that you then will be able to assign each of the sub-logical interfaces to a different virtual sensor ( Different policies)

http://securiosity.blogspot.com/2011/01/cisco-ips-vlan-groups.html

Hope the little explanation and the links helps:)

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

alhagiepuye · ‎09-15-2012

Thanks for the response, Julio.

The reason why I ask is that I was able to create seperate VLAN pairs in the same or different physical interfaces and successfully assign each of them to different virtual sensors. That get me thinking.....when would VLAN groups be required instead of VLAN pairs. So, my question is very specific and was hoping that someone could shed some light on it.

It seems like the functions are very similar but I have a feeling that there are specific scenarios where one is required to use VLAN groups.

Thanks.