08-27-2011 01:29 PM - edited 03-11-2019 02:17 PM
Hi All,
I am working on a design which requires me to connect an HP TippingPoint IPS device behind an FWSM context, i.e. inline with the inside interface of the FWSM.
I'm new to TippingPoint, and HP's site is the absolute pits for design and operation information: loads of broken links, no information at all. So sorry if I am about to ask some daft questions.
I have the Cat6Ks connected to each other at layer 3 (point-to-point routed EtherChannel). I also have a 3750 switch pair between them which I am using to break out and extend my FWSM VLANs between the cores. The 3750 uplinks are connected to the Sup ports, so I'm relaxed about VLAN integrity.
What I'm struggling with is how I physically connect the TP IPS inline on the inside FWSM VLAN. I have a couple of ports on the 3750 in the right VLAN, but if I just plug the IPS into them, will I not end up with an STP loop and a shut port?
Could I use a pair of VLANs to do this?
i.e. get the IPS to bridge the VLANs (why does this not cause STP loops?)
SWITCH A ..... FWSM inside i/f (IP 10.1.1.1) --> vlan 100 --> IPS --> vlan 200 --> SVI (IP 10.1.1.3)
    ^                                                                            ^
    |                                                                            |
    v                                                                            v
SWITCH B ..... FWSM inside i/f (IP 10.1.1.2) --> vlan 100 --> IPS --> vlan 200 --> SVI (IP 10.1.1.4)
And as I have a pair of switches, I would need to do the same thing on the other switch. Will I get an STP loop through the IPS attached to switch B?
Any help would be great.
Cheers
Shaun
08-27-2011 03:36 PM
Shaun
If you want to connect any device in transparent/bridged mode then you do indeed use 2 VLANs for the same IP subnet. The device then in effect "joins" the 2 VLANs together.
The reason it is done is, as you say, to stop an STP loop. If you used the same VLAN on both sides this would be a loop, i.e. imagine a switch with one VLAN and you connect both sides (interfaces) of the TP (TippingPoint) to the switch. That means a packet leaves the switch to the TP and the same packet then comes back, on the same VLAN, to the switch after going through the TP device. So the switch would have to block one of the ports, which would stop the TP device working.
With 2 VLANs there is no problem, because remember with Cisco switches it is per-VLAN STP, so the packet leaves the switch in one VLAN and comes back into the switch on another VLAN.
Jon
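A worked switch config for the two-VLAN approach Jon describes, added here as an editor's example (it is not config either poster supplied). Interface numbers, VLAN names and the uplink port-channel are assumptions; VLAN 100 is the FWSM-facing side and VLAN 200 the protected side, both in the 10.1.1.0/24 subnet from the diagram in the question.

```cisco
! Added example, not from the original thread. Interface numbers, VLAN names
! and the uplink port-channel are assumptions; adjust to the real 3750.
!
! The two VLANs that the TippingPoint bridges. Both carry the same IP subnet;
! nothing but the FWSM inside interface should live in VLAN 100.
vlan 100
 name fwsm-inside-unprotected
vlan 200
 name fwsm-inside-protected
!
! IPS segment port A: the FWSM side. An access port, so the frame arrives at
! the IPS untagged and the IPS does not need to understand 802.1Q.
interface GigabitEthernet1/0/1
 description TP IPS segment 1A (towards FWSM, vlan 100)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! IPS segment port B: the protected side, in the second VLAN. This is what
! turns the IPS from a loop in one VLAN into a bridge between two VLANs.
interface GigabitEthernet1/0/2
 description TP IPS segment 1B (towards hosts, vlan 200)
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! Uplink to the Cat6K: trunks both VLANs, because the FWSM context sits on
! the 6500 (VLAN 100) while the SVI and hosts are in VLAN 200.
interface Port-channel1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200
 switchport mode trunk
!
! Checks after cabling:
!   show spanning-tree vlan 100
!   show spanning-tree vlan 200
!   show spanning-tree inconsistentports
!   show mac address-table vlan 100 | include <FWSM inside MAC>
```

Two caveats a practitioner will want here. First, an inline IPS normally forwards BPDUs like any other frame, so without `spanning-tree bpdufilter enable` on the two IPS-facing ports the 3750 receives VLAN 100's PVST+ BPDUs on a VLAN 200 access port, logs a PVID inconsistency and blocks the port; `show spanning-tree inconsistentports` is the place to look if the IPS path goes dead. BPDU filter is only safe on these ports because each one leads to the IPS and nothing else. Second, filtering BPDUs also means STP can no longer see the IPS at all, so the redundancy question in the post needs care: if VLAN 100 and VLAN 200 are both extended across the trunk and the IPS on switch B also bridges the same pair, there are two parallel bridges between the same two broadcast domains, which is a layer-2 loop that per-VLAN STP cannot detect once BPDUs are filtered. Only one IPS should be forwarding between that VLAN pair at a time; after bringing up the second one, watch for MAC-flap notifications between the IPS port and the trunk.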
08-28-2011 05:16 AM
Thank You Jon !
Once again, you have been the greatest of help.
I was trying to decide if I would have problems with STP if I did this, in particular with CST, but this helps enormously.
I'll go for that approach then. Also, I just remembered (I know, how can you forget what kit you specced) that I have VSS Sups in the 6Ks, so that simplifies my life a lot as well! Cool.
Cheers again Jon !
Shaun.