Issue - Inline VLAN pair IPS

yuriy-sokhan
Level 1

Hello everyone,

I have an issue with a 4255 IPS using an inline VLAN pair. Here's the rough sketch of the topology:

SW1

port 1 access vlan 10 - PC (10.20.30.2/24)

port 48 trunk to SW2 - all vlans allowed and forwarding

SW2

port 48 trunk to SW1 - all vlans allowed and forwarding

port 1 trunk allowed vlan 10,20 to IPS g0/1 configured in inline VLAN pair; assigned to sensor etc.

SVI vlan 20 for network 10.20.30.1/24 (up/up)

I'm unable to ping SVI from PC. Anyone have any suggestions? Running packet display on IPS interface I only see BPDUs hitting the interface. VTP is enabled but pruning is disabled. Both vlans exist on both switches.

I'm only seeing ARP requests from SVI on the IPS, but no replies coming from the remote switch.

Alternatively the PC is sending ARP requests to the SVI IP, but those aren't getting resolved, nor are they getting to the IPS interface.

7 Replies

Julio Carvajal
VIP Alumni

Hello Yuriy

So the topology is something like

PC-----ACCESSPORT----SW1----TRUNK----SW2
                                      |
                                      |
                               IPS inline VLAN pair

The thing is that if you already allow the VLANs on the trunk link then traffic will not get inspected by the IPS.

Do you see what I mean, you must force it to go to the IPS.

Let me know if I was clear enough

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes the topology is

PC-----ACCESSPORT----SW1----TRUNK----SW2

PC is on SW1 - vlan 10

SVI/Default gateway for PC is on SW2.- vlan 20

IPS is on SW2 - trunk vlans allowed 10,20

I thought since the VLANs must be bridged in order for PC to reach SVI, this would force IPS to pick up the traffic as nothing else would respond to the ARP request. Could you please explain this a little more? SW1 doesn't have any SVIs and is layer 2 only.

Am I supposed to only allow VLAN 10 over the trunk? Should VLAN 20 not exist on SW1?

Hello,

I was trying to find a way to explain this to you when I found the following blog:

Please read, and if you have any questions let me know. If not, then you can mark it as answered.

http://fengnet.com/book/CCIE.Professional.Development.Series.Network.Security.Technologies.and.Solutions/final/ch20lev1sec14.html

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I've seen the tutorials where the devices are connected to the same switch, but what about adding another switch into the mix.

Diagram:

http://imgur.com/idZuVdL

Is there any extra configuration required in order for PC to ping its default gateway (SVI on SW2) ?

Hello,

Unfortunately I cannot check that website from work.

If you add another switch into the mix you have to make sure traffic does not get routed through the switch; it must go over the IPS first.

So basically configure the trunks to allow only the VLANs necessary, and then the IPS supporting both of them, so traffic must go over the trunk link.

Hope that I could help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I think what Yuri is saying is that a packet from a PC connected to switch 1 VLAN 10 should pass through the IPS if the IPS trunk allows VLANs 10 and 20 and the PC's default gateway is the VLAN 20 SVI defined on SW2. But it does not.

Hello,

OK, bottom line: just permit VLAN 10 on the trunk between the switches,

and from the switch to the IPS trunk both VLAN 10 and 20.

Let me know how it goes

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC