04-04-2020 11:51 AM
Is it possible to utilize the same switch for both the in and out paths into an IPS?
Each of the 1G copper ports may be a single-VLAN switchport or a trunk with multiple VLANs. The 10G/40G switch will have 10G trunks that uplink via the 40G link to/from the IPS.
The 10G/40G switch is a nexus 93180YC-FX with 48 10G ports. The idea is to split the switch down the middle, use ports 1-24,49 for the in path, ports 25-48,50 for the out path.
Not sure how to keep the 2 paths segregated, if it's possible.
Attached is the diagram.
04-04-2020 12:24 PM
What type of IPS do you have and what are you trying to do with it?
HTH
04-04-2020 05:00 PM
vwire ports on a Palo Alto, so it's transparent to the traffic flow.
04-05-2020 05:43 AM
Hi,
1. If the two switchports facing the IPS are in access mode (in different VLANs), the switch will send untagged BPDUs, and if the IPS forwards these between its ports, one of the ports on the switch will be BLK; so either you configure BPDUFilter so the switch does not send BPDUs out, or you configure the IPS to block the BPDUs.
2. If the two switchports facing the IPS are in trunk mode (with multiple allowed VLANs), the switch will send both tagged and untagged BPDUs; in the end the result is the same as above.
So it works, you just need to fix STP.
Regards,
Cristian Matei.
04-05-2020 08:37 AM
How do I keep the “in” traffic from just hopping from a trunk link on (for example) port 2 over to an “out” trunk link (port 26), bypassing the IPS? The 93180 doesn’t have the ability to use VDCs.
04-06-2020 09:19 AM
Hi,
Usually, when you have 2 ports attached to the IPS from the same switch, you put these in access mode in different VLANs, so traffic is forced through the IPS in order to hop between VLANs. When you have a trunk port towards the IPS, to force traffic through the IPS, the IPS would need to do VLAN translation: traffic gets in tagged VLAN 20 and goes out tagged VLAN 30.
Regards,
Cristian Matei.
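An added worked configuration illustrating the two answers above (the access-mode pair with BPDU filtering, and the trunk variant that relies on VLAN translation inside the IPS). This is not configuration from the thread or from Cisco; the VLAN numbers, port roles and descriptions are assumptions chosen to match the "ports 1-24,49 in / 25-48,50 out" split described in the question. The Palo Alto side of the vwire is not shown.

```nxos
! Constructed NX-OS example for the split-switch IPS design. Assumed VLANs:
!   20 = "in" side,  30 = "out" side  (single-VLAN case, access-mode pair)
!   21 = "in" side,  31 = "out" side  (extra pair for the trunk variant)
! The vwire bridges Eth1/49 and Eth1/50 transparently, so VLAN 20 and VLAN 30
! form one L2 domain whose ONLY link is the IPS. Segregation is enforced by
! never allowing an "in" VLAN on any "out" port, and vice versa.

vlan 20
  name IN_side_vlan20
vlan 30
  name OUT_side_vlan30
vlan 21
  name IN_side_vlan21
vlan 31
  name OUT_side_vlan31

! ---- "In" half: ports 1-24 carry only in-side VLANs ----
interface Ethernet1/1
  description trunk to copper switch A (in path) - in-side VLANs only
  switchport mode trunk
  switchport trunk allowed vlan 20,21

! ---- "Out" half: ports 25-48 carry only out-side VLANs ----
interface Ethernet1/25
  description trunk to copper switch B (out path) - out-side VLANs only
  switchport mode trunk
  switchport trunk allowed vlan 30,31

! ---- Variant 1 (single VLAN): access-mode pair facing the vwire ----
! Each IPS-facing port is untagged in one VLAN. The vwire relays whatever it
! receives, including the switch's own untagged BPDUs, so STP would see its
! own BPDUs arrive on the other port and block one side. bpdufilter on these
! two ports stops BPDUs being sent or processed here. Caveat: that disables
! loop detection on these ports, so make sure nothing else bridges 20 and 30.
interface Ethernet1/49
  description to Palo Alto vwire (in side)
  switchport mode access
  switchport access vlan 20
  spanning-tree bpdufilter enable

interface Ethernet1/50
  description to Palo Alto vwire (out side)
  switchport mode access
  switchport access vlan 30
  spanning-tree bpdufilter enable

! ---- Variant 2 (multiple VLANs): trunk pair facing the vwire ----
! Replaces Variant 1 on the same two ports. Frames leave Eth1/49 tagged 20/21,
! the IPS must retag them to 30/31 (VLAN translation, as noted in the answer
! above) before they are accepted on Eth1/50. The allowed-vlan lists are what
! prevent an "in" tag from ever being forwarded on the "out" side.
! interface Ethernet1/49
!   switchport mode trunk
!   switchport trunk allowed vlan 20,21
!   spanning-tree bpdufilter enable
! interface Ethernet1/50
!   switchport mode trunk
!   switchport trunk allowed vlan 30,31
!   spanning-tree bpdufilter enable
```

To confirm the split after applying it, check that each "in" VLAN lists only in-half ports plus Eth1/49 (`show vlan id 20`), that the out half never carries it (`show interface ethernet 1/25 switchport` should show allowed VLANs 30,31 only), and that neither IPS-facing port is in BLK (`show spanning-tree interface ethernet 1/49` and `... 1/50`). If an "in" VLAN ever appears on an out-half trunk, traffic can bypass the IPS exactly as the question above worries about, so the allowed-vlan lists on every trunk are the control to audit.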
Hi,
For example the legacy Cisco IPS was feature-rich from the deployment options point of view.
Regards,
Cristian Matei.