Switch in front of IPS & Firewall

I have a 3845 router connected on the inside LAN to a WAN L2 switch on VLAN 2. On the same switch, on VLAN 2, I connected a TippingPoint IPS/IDS; the outside of the IPS/IDS goes to the same switch on VLAN 7. On VLAN 7 I have Checkpoint firewalls in a cluster, and the inside LAN of the firewall is connected to two C3750 Layer 3 switches on VLAN 80.

On the Layer 2 WAN switch I get a VLAN mismatch error, since the IPS/IDS is in transparent mode.

I am wondering if everything I described is the proper way of connecting the IPS/IDS and firewalls.

I need to know more about the Layer 2 (WAN switch) side.

It is very similar to a Cisco ASA connection, but I could not find examples of the switch configurations.

2 Replies

IAN WHITMORE
Level 4

Yeah, if they are on the same switch, the switch will "moan" because of the VLAN mismatch. We had the same on our NetEnforcer but just lived with it. It didn't impact performance. Just watch your log files if you have syslogging, because they will fill up!

I hope someone can give you a better answer

Regards,

Ian

hobbe
Level 7

Hi

I would try to avoid the setup you have.

First of all, you have everything redundant but not the switch?

Second, you can actually bypass the network IPS through this switch configuration by just changing VLAN.

If you can live with a single point of failure, then I would set up 2-3 2960G-8TT or something like that instead, and not use one single point where someone who is able to could redirect all traffic around the IPS devices.

If you cannot live with a single point of failure, then I would change it to 4-6 2960s and 2 3845 routers.

Since I do not know what you are using VLAN 4 for, it is hard to speculate whether you need redundancy there or not.

Good luck

HTH
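The bypass hobbe describes is a property of the switch config, so it can be audited from the running-config. The script below is an added example, not code from the thread or from Cisco or TippingPoint: it parses a constructed Catalyst-style config that mirrors the original post (VLAN 2 between the 3845 and the IPS inside port, VLAN 7 between the IPS outside port and the Checkpoint cluster) and flags every live port that reaches VLAN 7 without crossing the IPS, plus trunks that carry VLAN 7 off the switch and live ports left in default VLAN 1. All interface names, descriptions and the sample config are assumptions.

```python
# Added example: find ports on the WAN switch that reach the post-IPS VLAN
# without passing through the transparent IPS. Port names, descriptions and
# the sample config are assumptions that mirror the thread's description.
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample running-config (hypothetical port assignments).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description 3845 inside LAN
 switchport access vlan 2
!
interface GigabitEthernet0/2
 description IPS inside (transparent)
 switchport access vlan 2
!
interface GigabitEthernet0/3
 description IPS outside (transparent)
 switchport access vlan 7
!
interface GigabitEthernet0/4
 description Checkpoint FW-A outside
 switchport access vlan 7
!
interface GigabitEthernet0/5
 description Checkpoint FW-B outside
 switchport access vlan 7
!
interface GigabitEthernet0/6
 description spare, still patched
 switchport access vlan 7
!
interface GigabitEthernet0/7
 description uplink to 3750 stack
 switchport mode trunk
 switchport trunk allowed vlan 2,7,80
!
interface GigabitEthernet0/8
 shutdown
!
interface GigabitEthernet0/9
!
"""

@dataclass
class Interface:
    name: str
    mode: str = "access"                      # treated as access unless configured
    access_vlan: int = 1                      # IOS default access VLAN
    allowed_vlans: Optional[Set[int]] = None  # None = trunk allows all VLANs
    shutdown: bool = False

def expand_vlan_list(spec: str) -> Set[int]:
    """'2,7,10-12' -> {2, 7, 10, 11, 12}"""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text: str) -> List[Interface]:
    """Collect the switchport settings of every 'interface' block."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces.append(current)
        elif not line.startswith(" "):
            current = None          # '!' or a global command ends the block
        elif current is not None:
            cmd = line.strip()
            if cmd == "shutdown":
                current.shutdown = True
            elif cmd.startswith("switchport mode "):
                current.mode = cmd.split()[-1]
            elif cmd.startswith("switchport access vlan "):
                current.access_vlan = int(cmd.split()[-1])
            elif cmd.startswith("switchport trunk allowed vlan "):
                current.allowed_vlans = expand_vlan_list(cmd.split()[-1])
    return interfaces

def find_bypass_paths(interfaces, outside_vlan, expected_outside_ports):
    """(port, problem, IOS fix) for every live port that reaches the post-IPS
    VLAN without crossing the IPS, and for live ports left in default VLAN 1."""
    findings = []
    for itf in interfaces:
        if itf.shutdown:
            continue
        if itf.mode == "trunk":
            if itf.allowed_vlans is None or outside_vlan in itf.allowed_vlans:
                findings.append((itf.name, "trunk carries VLAN %d off the switch" % outside_vlan,
                                 "switchport trunk allowed vlan remove %d" % outside_vlan))
        elif itf.access_vlan == outside_vlan and itf.name not in expected_outside_ports:
            findings.append((itf.name, "unexpected access port in VLAN %d" % outside_vlan, "shutdown"))
        elif itf.access_vlan == 1:
            findings.append((itf.name, "live port left in default VLAN 1", "shutdown"))
    return findings

if __name__ == "__main__":
    ips_and_firewall_ports = {"GigabitEthernet0/3", "GigabitEthernet0/4", "GigabitEthernet0/5"}
    for port, problem, fix in find_bypass_paths(parse_config(SAMPLE_CONFIG), 7, ips_and_firewall_ports):
        print("%-22s %-40s fix: %s" % (port, problem, fix))
```

On the sample it reports the spare port patched into VLAN 7, the trunk that carries VLAN 7 towards the 3750s, and the unassigned live port. The script only checks the config as written; it cannot stop an administrator from moving a port between VLAN 2 and VLAN 7 later, which is the single-point-of-control problem hobbe's separate-switch suggestion addresses.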
