Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3770
Views
0
Helpful
6
Replies

IPS Inline vlan pair

Go to solution
adamgibs7
Level 6
Level 6

‎02-09-2011 01:19 PM - edited ‎03-10-2019 05:15 AM

Hello,

I wanna configure the IPS inline vlan pair for DMZ zone, I have been through the user guide for IPS 7.0 topic inline vlan pair, Also i have seen the inline vlan pair configuration example,but it is not clear to me

Please have a look at the attached and pls explain me the traffic flow,from server going to internet if we create a vlan pair.

Every Server default gateway is ASA firewall DMZ interface.

Thanks

Labels:
Preview file
181 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5
In response to adamgibs7

‎02-10-2011 07:42 AM

you are correct.

The traffic will flow just like that. All the servers will be on VLAN 2 of the switch and the ASA on VLAN 3 all of them connected to the same switch. The IPS will also be connected to that same switch. One interface of the IPS will be connected to a trunk port on that switch having the two vlan allowed on the trunk and the VLAN pair configured on the IPS.

You are correct.

BTW. I saw yesterday somebody on a study group asking the same thing as you.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5

‎02-09-2011 03:56 PM

as you have the topology you don't need vlan pairs. Do you have two free interfaces on your IPS? If so, just connect on IPS interface to the same VLAN of the servers and the other IPS interface to the inside interface of the ASA.

Then on the configuration of the IPS you need to create an interface pair with the two interface you used to connect the ASA and the switch.

Let me know if this is clear.

0 Helpful

Go to solution
adamgibs7
Level 6
Level 6
In response to PAUL GILBERT ARIAS

‎02-09-2011 09:53 PM

Hello Paul,

I want to go with Inline vlan pair,i don't want to go with interface pairing,as this is request by customer,how i can do it,as i m having a IPS-4240 with 4 gig ports,

I have a doubt that if we create a vlan pair then in each pair 1 be a real vlan and the other should be dummy vlan ????  ( for example vlan 2 and vlan 3 in which vlan 3 is the dummy vlan). Please suggest

If i have a 10 vlan than i will configure the 10 pair of vlan on gig0/0 with real and dummy vlan, but what vlan pair i shld configure on gig0/1 i.e (exit interface to ASA DMZ interface.)

Thanks

Message was edited by: adamgibs7

0 Helpful

Go to solution
Bastien Migette
Cisco Employee
Cisco Employee
In response to adamgibs7

‎02-10-2011 05:40 AM

Hello Adam,

As paul said, you need two vlans. These two vlans will be at the end the same subnet, but this allow to logically set the IPS inline.

You can define only 2 vlan per vlan-pair. Another option is to use vlan groups. on an interface pair, you can create vlan groups, and in this case you can configure a range of vlan on the subinterface.

Basically, you pass a trunk through your IPS, and you map vlan ranges to subinterface, and add these subinterface in your virtual sensors, but that need 2 physical interfaces.

0 Helpful

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5

‎02-10-2011 04:34 AM

Hi. You will to Need two vlans on the swith. One vlan where all your servers are located and the other vlan will be for your ASA. Then you will need to configure a trunk port allowing only those two vlans. On that trunk port you will connect only one gig port of the IPS. On the IPS you will need to configure an inline vlan pair for that specific gig port including the two vlan IDs that you created on the switch. Is this what you need?

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
adamgibs7
Level 6
Level 6
In response to PAUL GILBERT ARIAS

‎02-10-2011 06:59 AM

Hello, Paul,

  • I have to connect ASA to DMZ-Switch directly not to the IPS gig0/1 .
  • Inline vlan pairing vlan 2 and vlan 3 on gig0/0
  • Servers in vlan 2 and ASA connecting to switch port should be in vlan 3
  • Traffic flow will be from servers vlan 2 ----> IPS gig0/0 vlan mapping vlan 2 and vlan 3--------> vlan 3 on switch--------DMZ interface on ASA.

Paul m i correct on above steps pls suggest.

Thanks

0 Helpful

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5
In response to adamgibs7

‎02-10-2011 07:42 AM

you are correct.

The traffic will flow just like that. All the servers will be on VLAN 2 of the switch and the ASA on VLAN 3 all of them connected to the same switch. The IPS will also be connected to that same switch. One interface of the IPS will be connected to a trunk port on that switch having the two vlan allowed on the trunk and the VLAN pair configured on the IPS.

You are correct.

BTW. I saw yesterday somebody on a study group asking the same thing as you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card