I have an issue with an 4255 IPS using an inline VLAN pair. Here's the rough sketch of the topology:
port 1 access vlan 10 - PC (10.20.30.2/24)
port 48 trunk to SW2 - all vlans allowed and forwarding
port 48 trunk to SW1 - all vlans allowed and forwarding
port 1 trunk allowed vlan 10,20 to IPS g0/1 configured in inline VLAN pair; assigned to sensor etc.
SVI vlan 20 for network 10.20.30.1/24 (up/up)
I'm unable to ping SVI from PC. Anyone have any suggestions? Running packet display on IPS interface I only see BPDUs hitting the interface. VTP is enabled but pruning is disabled. Both vlans exist on both switches.
I'm only seeing ARP requests from SVI on the IPS, but no replies coming from the remote switch.
Alternatively the PC is sending ARP requests to the SVI IP, but those aren't getting resolved, nor are they getting to the IPS interface.
So Topology is something like
IPS Inile vlan pair
The thing is that if you already allow the vlans on the trunk link then traffic will not get inspect by the IPS,
Do you see what I mean, you must force it to go to the IPS.
Let me know if I was clear enough
Yes the topology is
PC is on SW1 - vlan 10
SVI/Default gateway for PC is on SW2.- vlan 20
IPS is on SW2 - trunk vlans allowed 10,20
I thought since the VLANs must be bridged in order for PC to reach SVI, this would force IPS to pick up the traffic as nothing else would respond to the ARP request. Could you please explain this a little more? SW1 doesn't have any SVIs and is layer 2 only.
Am i supposed to only allow VLAN 10 over the trunk? Should VLAN 20 not exist on SW1?
I was trying to find a way to explain this to you when I found the following blog ..
Please read and if you have any questions let me now.. If not then you can mark it as answered
I've seen the tutorials where the devices are connected to the same switch, but what about adding another switch into the mix.
Is there any extra configuration required in order for PC to ping its default gateway (SVI on SW2) ?
Unfortunetly I cannot check that website from work.
If you add another switch into the mix you have to make sure traffic does not get routed trough the switch, it must go over the IPS first.
So basically configure the trunks to allow only the vlan necessarys and then the IPS supporting both of them so traffic must go over the Trunk link
Hope that I could help
I think what Yuri is saying that a packet from PC connected to switch 1 VLAN 10 should pass through IPS If IPS trunk allows VLANs 10 and 20 and PCs default gateway is VLAN20 SVI defined on SW2. But it does not.
Ok Bottom line just permit vlan 10 between the switch trunk to the other switch,
From the switch to the IPS trunk both vlan 10 and 20
Let me know how it goes