Tippingpoint and FWSM

roadhouse1387
Level 1

Hi All,

I am working on a design which requires me to connect an HP tippingpoint IPS device behind a FWSM context. So, inline with the inside interface of the FWSM.

I'm new to tippingpoint, and HP's site is the absolute pits for design and operation information..loads of broken links...no information at all. So sorry if I am about to ask some daft questions.

I have the cat6ks connected to each other at layer 3 (point to point routed etherchannel). I also have a 3750+swise switchpair between them which I am using to breakout and extend my FWSM vlans between the cores. The 3750 uplinks are connected to the sup ports so I'm relaxed about vlan integrity.

What I'm struggling with is how do I physically connect the TP IPS inline on the inside FWSM vlan. I have a couple of ports on the 3750 in the right vlan, but if I just plug the IPS into them, will I not end up with a STP loop and a shut port?

Could I use a pair of vlans to do this ?

i.e. get the IPS to bridge the vlans (why does this not cause STP loops?)

SWITCH A- .....FWSM inside i/f (IP 10.1.1.1)--> vlan 100 ----->IPS---->Vlan 200--->SVI (IP 10.1.1.3)
                                                   ^                       ^
                                                   |                       |
                                                   v                       v
SWITCH B- .....FWSM inside i/f (IP 10.1.1.2)--> vlan 100 ----->IPS---->Vlan 200--->SVI (IP 10.1.1.4)

and as I have a pair of switches, I would need to do the same thing on the other switch. Will I get an STP loop through the IPS attached to switch B?

Any help would be great.

Cheers

Shaun


2 Replies

Jon Marshall
Hall of Fame

Shaun

If you want to connect any device in transparent/bridged mode then you do indeed use 2 vlans for the same IP subnet. The device then in effect "joins" the 2 vlans together.

The reason it is done is as you say to stop an STP loop. If you used the same vlan on both sides this would be a loop, i.e. imagine a switch with one vlan and you connect both sides (interfaces) of the TP (Tipping Point) to the switch. That means a packet leaves the switch to the TP and the same packet then comes back, on the same vlan, back to the switch after going through the TP device. So the switch would have to block one of the ports which would stop the TP device working.

With 2 vlans, there is no problem because remember with Cisco switches it is per vlan STP so the packet leaves the switch in one vlan and comes back into the switch on another vlan.

Jon

Thank You Jon !

Once again, you have been the greatest of help.

I was trying to decide if I would have problems with STP if I did this, in particular with CST, but this helps enormously.

I'll go for that approach then. Also, just remembered (I know, how can you forget what kit you specced) I have VSS sups in the 6k's, so that simplifies my life a lot as well! Cool.

Cheers again Jon !

Shaun.
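The point Jon makes (per-VLAN STP only sees what stays inside one VLAN, so a device bridging vlan 100 and vlan 200 on one switch closes no loop that STP would block) can be turned into a design check over Shaun's diagram. This is an added example, not code from either poster or from HP/Cisco; the switch names and edge labels are placeholders, and it assumes both vlan 100 and vlan 200 are extended between the cores as the diagram's vertical arrows suggest and that every IPS segment is forwarding. It goes beyond the single-switch case in Jon's reply to the two-core and VSS layouts Shaun mentions.

```python
"""Loop check for an inline IPS that bridges two VLANs: per-VLAN STP view vs. whole-topology view."""


def find_loop(edges):
    """Union-find over an undirected multigraph of (switch, vlan) nodes.

    Returns the label of the first edge that joins two already-connected
    nodes (i.e. closes a loop), or None if the topology is loop-free.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for label, a, b in edges:
        ra, rb = find(a), find(b)
        if ra == rb:
            return label
        parent[ra] = rb
    return None


def find_per_vlan_loop(edges, vlan):
    """What one PVST instance sees: only the edges that stay inside `vlan`."""
    return find_loop([e for e in edges if e[1][1] == vlan == e[2][1]])


# Nodes are (switch, vlan). Constructed topologies; switch names are placeholders.
ONE_SWITCH_ONE_IPS = [
    ("IPS-A", ("A", 100), ("A", 200)),  # Jon's case: one IPS joins vlan 100 and vlan 200
]
TWO_CORES_TWO_IPS = [  # Shaun's diagram, both VLANs extended between the cores
    ("IPS-A", ("A", 100), ("A", 200)),
    ("IPS-B", ("B", 100), ("B", 200)),
    ("vlan100-between-cores", ("A", 100), ("B", 100)),
    ("vlan200-between-cores", ("A", 200), ("B", 200)),
]
VSS_TWO_IPS = [  # VSS: one logical core, two IPS segments both forwarding
    ("IPS-A", ("VSS", 100), ("VSS", 200)),
    ("IPS-B", ("VSS", 100), ("VSS", 200)),
]

if __name__ == "__main__":
    for name, topo in [("one switch", ONE_SWITCH_ONE_IPS),
                       ("two cores", TWO_CORES_TWO_IPS), ("VSS", VSS_TWO_IPS)]:
        print(f"{name}: STP in vlan 100 sees {find_per_vlan_loop(topo, 100)}, "
              f"whole topology closes at {find_loop(topo)}")
```

A loop that only appears in the whole-topology view is one that no single per-VLAN STP instance tracks unless BPDUs are carried through the IPS, so it is safer to remove it by design (one forwarding path between the two VLANs) than to rely on STP.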
