Is it possible to utilize the same switch for both the in and out paths into an IPS?
Each of the 1G copper ports may be a single VLAN switchport or a trunk with multiple VLANs. The 10G/40G switch will have 10G trunks that uplink via the 40G link to/from the IPS.
The 10G/40G switch is a Nexus 93180YC-FX with 48 10G ports. The idea is to split the switch down the middle: use ports 1-24 and 49 for the in path, and ports 25-48 and 50 for the out path.
Not sure how to keep the 2 paths segregated, if it's possible.
Attached is the diagram.
1. If the two switchports facing the IPS are in access mode (in different VLANs), the switch will send untagged BPDUs, and if the IPS forwards these between its ports, one of the ports on the switch will be BLK; so either you configure BPDUFilter so the switch does not send BPDUs out, or you configure the IPS to block the BPDUs.
2. If the two switchports facing the IPS are in trunk mode (with multiple allowed VLANs), the switch will send both tagged and untagged BPDUs; in the end the result is the same as above.
So it works, you just need to fix STP.
How do I keep the “in” traffic from just hopping from a trunk link on (for example) port 2 over to an “out” trunk link (port 26), bypassing the IPS? The 93180 doesn’t have the ability to use vdc’s.
Usually, when you have 2 ports attached to the IPS from the same switch, you put these in access mode in different VLANs, so traffic is forced through the IPS in order to hop between VLANs. When you have a trunk port towards the IPS, to force traffic through the IPS, the IPS would need to do VLAN translation: traffic gets in tagged VLAN 20 and goes out tagged VLAN 30.
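An NX-OS configuration sketch for the access-mode arrangement described in the replies above, added here as an example (it is not from the thread or from Cisco's documentation). It assumes the 93180YC-FX ports are named Ethernet1/1-48 (10G) and Ethernet1/49-50 (40G), and uses VLAN 20 for the "in" side and VLAN 30 for the "out" side, following the port split in the question and the VLAN numbers in the last reply.

```text
! Added example, not from the thread. Assumed names: Ethernet1/1-48 (10G),
! Ethernet1/49-50 (40G); VLAN 20 = "in" side, VLAN 30 = "out" side.
vlan 20
  name IPS-IN
vlan 30
  name IPS-OUT
!
! "in" half: ports 1-24 exist only in VLAN 20
interface Ethernet1/1-24
  switchport mode access
  switchport access vlan 20
  no shutdown
!
! "out" half: ports 25-48 exist only in VLAN 30
interface Ethernet1/25-48
  switchport mode access
  switchport access vlan 30
  no shutdown
!
! IPS-facing 40G ports, one per side. BPDU filter stops the switch from
! sending BPDUs that the IPS would relay to the other port and cause STP
! to put that port into BLK (point 1 of the first reply).
interface Ethernet1/49
  description IPS-IN
  switchport mode access
  switchport access vlan 20
  spanning-tree bpdufilter enable
  no shutdown
interface Ethernet1/50
  description IPS-OUT
  switchport mode access
  switchport access vlan 30
  spanning-tree bpdufilter enable
  no shutdown
!
! Deliberately no "interface vlan 20" / "interface vlan 30" SVIs on this
! switch: with no layer-3 path between the two VLANs, the only way from
! an "in" port to an "out" port is out Ethernet1/49, through the IPS,
! and back in on Ethernet1/50.
```

`show vlan brief` should then list every port in exactly one of the two VLANs; any port that appears in both (or a trunk carrying both) is a bypass around the IPS. For the trunk variant in the last reply, the "in" trunks would carry only the VLAN 20 group and the "out" trunks only the VLAN 30 group, with the IPS rewriting the tag.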