I have read the IPS config guide but am still a little unsure if what I'm trying to do will work. I have one 4255 sensor and all 4 of the Gigabit ports are connected to a switch. I have attached a quick diagram to show roughly what I'm trying to do.
Rather than using inline VLAN pairs on-a-stick style, passing all traffic up and down just one cable, I thought I could set up an inline interface pair and have it so that on one of the cables I trunk the ingress VLANs and on the other the egress VLANs, I guess you could call them. So, in the same way that the manual says inline VLAN pair mode works, but rather than hairpinning on one cable, have traffic come in on one and out on the other.
With this setup I can't see that there is any config needed on the IPS to make it work? Just set up the switch ports to trunk the correct VLANs to the relevant link in the interface pair?
As you can see in the diagram, to use all 4 cables I'd have two inline interface pairs configured with the same VLANs, so I am thinking that spanning tree would block on the other pairing?
Thanks for reading.
In inline interface pair mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair.
There is no notion of VLAN on the IPS itself. In an inline interface pair, say AB, whatever traffic in whichever VLAN comes in on IPS interface A simply goes out of IPS interface B.
If the paired interfaces are connected to the same switch, you should configure them on the switch as access ports with different access VLANs for the two ports. Otherwise, traffic does not flow through the inline interface.
Cisco TAC - Security Team
OK, many thanks,
I've configured the switch ports as access ports, but unfortunately it won't work, and I'm not sure if it can work. The problem is that on one of the VLANs I have configured an SVI, which confuses the switch in that it doesn't know where to route traffic.
So if in my example I have VLAN 40 configured on one of the access ports/inline interfaces and VLAN 440 configured on the other port of the interface pair, and on the switch I configured an SVI for VLAN 440 with an IP in the same subnet as a device in VLAN 40... I'd like it so any traffic routed via the SVI on VLAN 440 goes via the IPS and out the VLAN 40 inline interface.
So currently I have SwitchA with VLAN 40 configured with an SVI IP of 10.64.9.121/29. This is the main gateway for VLAN 40. I then have a trunk going to the switch in my original diagram, which has VLAN 40 configured and set up on the inline interface as stated above. I then have VLAN 440 configured, and it has an SVI with IP 10.64.9.124/29. So both SVIs are in the same L3 network but different L2 domains, so they will pass through the IPS.
The problem is that because the switch is configured with the SVI, its routing table points all traffic for the 10.64.9.120/29 subnet out the VLAN 440 interface. I did run 'packet display' on the IPS and I could see some ARP who-has messages, but the pings failed. I'm guessing this is because the switch never sends the traffic over the trunk to the other switch.
Hopefully that makes some sense. Can anyone suggest how I can make this work?
[update] Just a thought... the SVI I configured on VLAN 440 was 10.64.9.124 with a /29 subnet, which is why the switch tries to route all traffic via the VLAN 440 interface. Maybe if I make the SVI on VLAN 440 10.64.9.124/32 instead it would work as expected?
Looks like you have 2 VLANs, both having SVIs.
In that case the switch does inter-VLAN routing directly, and packet forwarding is done internally to the switch.
No traffic will ever pass through the ports connected to the IPS.
Is there a specific reason why you wish to connect the two ports on the IPS to the same switch?
If you wish to do this, you will need a method to force the traffic out of the interface connected to the IPS.
For that, you need 2 VLANs sharing one common IP subnet.
One VLAN has an SVI, and that SVI is the default gateway for both VLANs.
Please check: https://supportforums.cisco.com/docs/DOC-12206
This is for IDSM in inline mode, but the principle remains the same.
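As an added example, not from this thread or from the linked Cisco document: a Catalyst IOS configuration that applies the two pieces of advice above (the TAC answer's access ports in different VLANs, and this reply's one-subnet/two-VLANs/single-SVI arrangement). The interface names, the VLAN numbers 100 and 300, the 10.64.9.120/29 subnet and the gateway address are assumptions taken from the thread; the spanning-tree lines on the sensor-facing ports are my own suggestion, not something the thread states.

```ios
! Added example (not from the thread or DOC-12206). Interface names, VLANs
! 100/300 and the 10.64.9.120/29 subnet are assumptions; adjust to your switch.
!
! --- What does NOT push traffic through the sensor: an SVI in both VLANs ---
! With both SVIs present the switch routes VLAN 100 <-> VLAN 300 internally,
! so nothing ever leaves the two access ports facing the IPS.
!
!   interface Vlan100
!    ip address 10.64.9.121 255.255.255.248
!   interface Vlan300
!    ip address 10.64.9.124 255.255.255.248
!
! --- Corrected: one subnet, two VLANs, a single SVI on the protected side ---
vlan 100
 name HOSTS_OUTSIDE_IPS
vlan 300
 name GATEWAY_INSIDE_IPS
!
! Host side. Clients sit in VLAN 100 (directly, or via the trunk from the
! other switch). There is deliberately NO "interface Vlan100" on this switch,
! and the VLAN 100 SVI on SwitchA has to be removed for the same reason.
interface GigabitEthernet1/0/10
 description Client A
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/0/24
 description Trunk from SwitchA carrying VLAN 100 hosts
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100
!
! Inline interface pair on the 4255: side A is an access port in VLAN 100,
! side B an access port in VLAN 300. The sensor forwards every frame between
! the two, BPDUs included; filtering BPDUs here keeps PVST from seeing its
! own BPDUs come back through the sensor and blocking a port (assumption:
! you accept losing STP loop protection on these two ports only).
interface GigabitEthernet1/0/1
 description IPS 4255 GigabitEthernet0/0 - pair side A (VLAN 100)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/2
 description IPS 4255 GigabitEthernet0/1 - pair side B (VLAN 300)
 switchport mode access
 switchport access vlan 300
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! The only SVI for 10.64.9.120/29 lives in VLAN 300 and is the default
! gateway for every host in VLAN 100. A host's ARP for .121 leaves VLAN 100,
! crosses the sensor, and is answered from VLAN 300, so all routed traffic
! for the subnet is inspected in both directions.
interface Vlan300
 description Gateway for 10.64.9.120/29, reachable only through the IPS
 ip address 10.64.9.121 255.255.255.248
 no shutdown
```

To check the result on the switch: `show vlan brief` should list Gi1/0/1 and Gi1/0/10 in VLAN 100 and Gi1/0/2 in VLAN 300; `show ip interface brief` should show Vlan300 as the only SVI up in that subnet; `show ip route` should show 10.64.9.120/29 as connected via Vlan300 and nothing via a Vlan100. On the sensor, `packet display GigabitEthernet0/0` while a host pings .121 should show the ARP who-has from the host and the reply from the SVI crossing the pair, followed by the ICMP echo in both directions. If the VLAN 100 SVI is still present on any switch in the path, hosts will keep ARPing for a gateway that answers locally and the pair stays idle.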
Thanks for the info. Using that IDSM article as a reference, when you move the GW for VLAN 100 into the new VLAN 300 so traffic is routed via the IPS... should client A be able to ping the GW and vice versa?
I have set things up as per the article, and doing 'packet display' on the IPS I can see ARP who-has messages going over the inline pair links, but the VLAN 300 SVI never seems to get the ARP, or at least doesn't seem to reply to the ping.
I also tried pinging client A from the switch using the VLAN 300 SVI as the source, which I expected to ARP for the IP by going up the VLAN 300 link, through the IPS and down the VLAN 100 link, but that fails also.
Do you think this should work?