bkoch1
Beginner

Using the same switch for IPS in and out paths

Is it possible to utilize the same switch for both the in and out paths into an IPS?

Each of the 1G copper ports may be a single vlan switchport or a trunk with multiple vlans. the 10G/40G switch will have 10G trunks in that uplink via the 40G link to/from the IPS.

The 10G/40G switch is a nexus 93180YC-FX with 48 10G ports. The idea is to split the switch down the middle, use ports 1-24,49 for the in path, ports 25-48,50 for the out path.

Not sure how to keep the 2 paths segregated, if it's possible.

Attached is the diagram.

9 REPLIES
Reza Sharifi
Hall of Fame Expert

What type of IPS do you have and what are you trying to do with it?

HTH

vwire ports on a Palo Alto, so it's transparent to the traffic flow.

Hi,

1. If the two switchports facing the IPS are in access mode (in different VLANs), the switch will send untagged BPDUs and if the IPS forwards these between its ports, one of the ports on the switch will be BLK; so either you configure BPDUFilter so the switch does not send BPDUs out, or you configure the IPS to block the BPDUs.

2. If the two switchports facing the IPS are in trunk mode (with multiple allowed VLANs), the switch will send both tagged and untagged BPDUs; in the end the result is the same as above.

So it works, you just need to fix STP.

Regards,

Cristian Matei.

How do I keep the "in" traffic from just hopping from a trunk link on (for example) port 2 over to an "out" trunk link (port 26), bypassing the IPS? The 93180 doesn't have the ability to use VDCs.

Hi,

Usually, when you have 2 ports attached to the IPS from the same switch, you put these in access mode in different VLANs so traffic is forced through the IPS, for traffic to hop between VLANs. When you have a trunk port towards the IPS, to force traffic through the IPS, the IPS would need to do VLAN translation: traffic gets in tagged VLAN 20 and goes out tagged VLAN 30.

Regards,

Cristian Matei.
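The access-mode option described above, written out as an added NX-OS configuration example for the 93180YC-FX in the question (this is not configuration from the thread). VLAN 20 as the "in" side, VLAN 30 as the "out" side, and the interface numbers Ethernet1/1, 1/25, 1/49 and 1/50 are assumptions.

```text
! Added example, not from the thread. VLAN IDs and interface numbers are assumed.
vlan 20
  name IPS-IN
vlan 30
  name IPS-OUT

! "In" side: a downstream port and the link to the IPS ingress vwire port share VLAN 20.
interface Ethernet1/1
  description in-side downstream
  switchport mode access
  switchport access vlan 20

interface Ethernet1/49
  description to IPS vwire port (in)
  switchport mode access
  switchport access vlan 20
  ! keep the switch from sending BPDUs through the vwire and putting a port in BLK
  spanning-tree bpdufilter enable

! "Out" side: the link from the IPS egress vwire port and an upstream port share VLAN 30.
interface Ethernet1/50
  description to IPS vwire port (out)
  switchport mode access
  switchport access vlan 30
  spanning-tree bpdufilter enable

interface Ethernet1/25
  description out-side upstream
  switchport mode access
  switchport access vlan 30

! Do not create SVIs (interface Vlan20 / interface Vlan30) on this switch:
! with no Layer 3 path between the two VLANs, the only way from VLAN 20
! to VLAN 30 is through the IPS vwire, so the two halves stay segregated.
```

`show interface switchport` lists the access VLAN of every port, which is enough to confirm that no port on one side was left in the other side's VLAN.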


Do you have configuration examples of this?



It would be a trunk link into and out the IPS links (with the IPS being a bump in the wire).


Hi,

For example, the legacy Cisco IPS was feature-rich from the deployment options point of view.

Regards,

Cristian Matei.

Are you available for a webex?


Sorry, got my threads mixed up.