Connecting the S160 Interfaces

lambay2000
Level 2

Hello,

  • I am planning to place the WSA on the DMZ switch (which is connected to the ASA) for web proxy, with only the P1 port connected to the firewall, and I also want to do L4 traffic monitoring. So I am confused about where I should connect the T1 and T2 ports for monitoring and blocking.

Please tell me whether what I am thinking below is correct:

  • I will connect the P1 and T1 ports to the DMZ switch to which the ASA is connected, so that it will accept proxy traffic and also monitor traffic for blocking. Is what I am thinking correct?

  • Suppose I am placing the WSA on the core switch; then I also need to connect the P1 port to the Core Switch 6509 (WCCP router) and also connect the T1 port to the core switch. Please correct me if I am wrong.

  • If the P1 interface is the master that routes traffic in/out, then how will the T1 interface block traffic if I connect the WSA in the above two scenarios?

  • How does the WSA work? Does it work such that all traffic is scanned on T1 and passed to the P1 port before it leaves and enters the WSA?

Thanks



edadios
Cisco Employee

The T1 and T2 ports are to be connected to a port on the switch that is doing mirroring.

There are 2 modes.

One uses T1 alone to monitor both inbound and outbound traffic.

The other has T1 monitor the outbound and T2 monitor the inbound traffic.

Look at the switch configuration guides for doing SPAN/mirroring on switch ports.

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

The way you configure it, whether using a single T1 or both T1 and T2, will depend on the amount of traffic you expect to see going through the port.

Otherwise a single port, T1, can be oversubscribed, and traffic it cannot handle will be dropped and not monitored.

Blocking is done by sending a reset to the bad connection/session, and this is sent out the proxy port, as determined via the "data routing table".

I hope this clarifies how L4TM will work for you.

With regard to how you set this up with the ASA, please see the following note:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628

#######

WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

#######

I hope this information helps you, and you can design accordingly.

Regards,

Eric

Hello Eric,

My doubt is still not clear.

Suppose I am connecting the WSA to the core switch with P1 in VLAN A and P2 in VLAN B, on different IP addresses. Why do I need to do this?

I can achieve the connection by connecting only one port to VLAN A. Please correct me if I am wrong.

For ports T1 and T2, as per your suggestion, you told me to connect both ports to avoid traffic drops, and to configure port mirroring for traffic monitoring.

Question: how does the traffic flow if the P1, T1 and T2 ports are connected to the core switch (not to the firewall)?

Please answer.

P1 and P2 are for proxy.

T1 and T2 have nothing to do with the traffic flow directly.

They just monitor, or see, a copy of the traffic that P1 should see, so the appliance can then make a decision on what it sees and tell the IronPort to do any blocking if needed.

To do traffic monitoring and blocking, T1 needs to see the traffic that P1 and P2 see. That is why you mirror a switch port, which copies the traffic that P1 and P2 see, and connect that mirror port to T1.

T1 is only able to handle so much traffic; anything it cannot handle will be dropped. So to avoid dropping traffic (which is being monitored only, so this should not affect the normal traffic flow), you can use T1 for outgoing monitoring and T2 for incoming monitoring.

I hope this answers your query.

Regards,

Eric

Hello Eric,

Thanks for your replies and your patience in making me understand IronPort placement in the network. I appreciate your help.

Question Scenarios:

  1. If I am connecting only the P1 port and the T1 port to my core switch (VSS mode), then for traffic mirroring the source port will be P1 and the destination port will be T1.
  2. If I am connecting the P1, P2, T1 and T2 ports to my core switch (VSS mode), then for traffic mirroring the source port will be P1 and T2 will be the destination for one monitor session, and for another monitor session P2 will be the source and T1 will be the destination.
  3. In which scenario will we face a situation where we need to connect both ports P1 and P2? Please give an example.
  4. How will I achieve redundancy with the IronPort interfaces? Suppose I am using only P1 to send and receive traffic and it is connected to Core 1 (VSS mode). I have 2 cores in VSS mode, but I cannot achieve redundancy; I have to shift cables manually from Core 1 to Core 2. How should I design this to get redundancy for the IronPort, so that if either core switch fails, users' traffic to the internet does not stop?

Please answer the above queries.

Thanks

1) The source is the same port, or the VLAN, that P1 is connected to on the switch. The destination port is the port that T1 is connected to on the switch.

2) Mirroring can be set to receive, transmit or both. If using both T1 and T2, you should set the mirroring the way it will see the traffic. For T1, you want to see the outgoing traffic, so if it is monitoring an internal interface facing the client, you will want to mirror and just check for receive. On the same port, you can mirror to T2 for transmit. If it is mirroring a port that is on the internet side, then the outgoing traffic will be the transmit you monitor and send to T1, and the receive is incoming and is mirrored to T2.

If using only T1, then the mirroring should be set for both (not transmit only or receive only).

This should be in the SPAN documentation link I provided to you previously.

3) The end user guide has the answer to this question.

http://www.cisco.com/en/US/docs/security/wsa/wsa7.1/user_guide/Cisco_IronPort_AsyncOS_7.1.0_User_Guide_for_Web_Security_Appliances.pdf

Page 3-4 says:

The appliance uses the Data interfaces for Web Proxy data traffic. You can enable and use just the P1 port or both the P1 and P2 ports for data traffic.
• P1 only enabled. When only P1 is enabled, connect it to the network for both incoming and outgoing traffic.
• P1 and P2 enabled. When both P1 and P2 are enabled, you must connect P1 to the internal network and P2 toward the Internet.

4) I guess you are no longer asking a Web Security Appliance specific question, but a LAN switch redundancy query. Maybe the Switch forum can help.

The Web Security Appliance (WSA) will deal with the traffic it receives accordingly. So if you manage your switch routing to push the proxied traffic to the proxy port of the WSA, then the WSA will just treat the traffic like it treats any explicit forward traffic.

I hope these answer your questions.

Regards,

Eric

Thanks, Eric.

Your hints are clearing my doubts.

Question 2 of the previous mail is still not clear to me, but please just confirm whether what I am understanding is correct or wrong:

Answer 2:
    monitor session 1 source (P1 interface connected on the switch) rx
    monitor session 1 destination (T1 interface connected on the switch)
    monitor session 2 source (P2 interface connected on the switch) tx
    monitor session 2 destination (T2 interface connected on the switch)

Question 3: "P1 and P2 enabled. When both P1 and P2 are enabled, you must connect P1 to the internal network and P2 toward the Internet."

The above line in the book is killing me to understand; that is the reason I posted question No. 3 on the community. What does "P2 toward the Internet" mean?

P1 is also on my internal network and P2 is also in my internal network range, so what does "toward the Internet" mean?

Does it mean to say P1 on the core switch and P2 on the firewall DMZ?

Question 4: "I guess you are no longer asking a Web Security Appliance specific issue, but a LAN switch redundancy query. Maybe the Switch forum can help."

Answer: no, this is related to the WSA. My HP servers have 2 NICs that are teamed for redundancy; one is connected to Core 1 and the other is connected to Core 2. If either server NIC fails, traffic will be routed by the other NIC, or if either core fails, traffic will still be forwarded. So in this scenario I am achieving redundancy.

In the WSA scenario, if I am connecting P1 and P2 to CORE-1, or only P1 to CORE-1, in case CORE-1 fails I have CORE-2 in place, but I cannot get redundancy for the WSA because there is no such feature as teaming or NIC redundancy.

Please answer my queries, Eric.

Thanks

Q2) You need to think about the direction of the traffic from that interface/port/VLAN.

Depending on the direction, you configure tx or rx.

The main thing is, T1 is to see the traffic from the internal network going to the external network.

T2 sees the external reply, towards the internal network.

Q3) P1 will be the proxy connection for clients to send traffic to.

P2 will carry the traffic from the WSA towards the internet, and the reply from the internet to the WSA.

The configured routing manages this eventually.

Q4) The WSA does not do teaming. Please contact a Cisco SE to help you make decisions about your designs in regard to redundancy, as it seems I could provide you some answers, but you will continue to have questions.

I hope this answers your query.

Regards,

Eric
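The rx/tx rule Eric gives above (and in his two earlier replies on the T1/T2 mirror ports and on T1 oversubscription) can be written down as a small generator, so the SPAN direction for each WSA traffic-monitor port is derived rather than guessed. This is an added example, not code from the thread, from Cisco or from the WSA product. It assumes the classic Catalyst IOS local-SPAN syntax (`monitor session N source interface|vlan X rx|tx|both` and `monitor session N destination interface Y`); the interface names, the 1 Gb/s T-port speed and the traffic figures in the usage section are all hypothetical.

```python
"""
Added example (not from the thread): turn the rx/tx rule for the WSA L4
Traffic Monitor ports (T1 sees internal -> external, T2 sees the replies)
into a generator for Catalyst IOS SPAN sessions, plus the oversubscription
check behind the advice to split the mirror across T1 and T2.

Assumptions (hypothetical, not from the thread):
- interface names such as GigabitEthernet1/1/1;
- classic IOS local SPAN syntax
      monitor session N source {interface|vlan} X {rx|tx|both}
      monitor session N destination interface Y
- link speeds in Mb/s taken at face value; platform SPAN limits are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SpanPlan:
    source: str                # switch port or VLAN carrying the traffic P1/P2 see
    faces: str                 # "internal" (client side) or "internet" (ASA side)
    t1: str                    # switch port cabled to the WSA T1 interface
    t2: Optional[str] = None   # switch port cabled to T2, or None if T1 only
    source_is_vlan: bool = False


def directions(faces: str, two_ports: bool) -> Dict[str, str]:
    """Which SPAN direction each T port must receive.

    On a client-facing source, internal->external traffic is what the
    switch *receives* (rx); on an internet-facing source it is what the
    switch *transmits* (tx). With T1 alone, mirror both directions to it.
    """
    if faces not in ("internal", "internet"):
        raise ValueError("faces must be 'internal' or 'internet'")
    if not two_ports:
        return {"t1": "both"}
    outbound = "rx" if faces == "internal" else "tx"
    inbound = "tx" if outbound == "rx" else "rx"
    return {"t1": outbound, "t2": inbound}


def span_config(plan: SpanPlan, first_session: int = 1) -> List[str]:
    """Emit one SPAN session per T port in IOS CLI form."""
    dirs = directions(plan.faces, plan.t2 is not None)
    kind = "vlan" if plan.source_is_vlan else "interface"
    lines: List[str] = []
    session = first_session
    for tport, direction in dirs.items():
        dest = plan.t1 if tport == "t1" else plan.t2
        lines.append(f"monitor session {session} source {kind} {plan.source} {direction}")
        lines.append(f"monitor session {session} destination interface {dest}")
        session += 1
    return lines


def mirror_load(dirs: Dict[str, str], rx_mbps: float, tx_mbps: float) -> Dict[str, float]:
    """Mirrored bandwidth each T port must absorb for a given source load.

    'both' copies rx and tx of the source into one destination port, which
    is how a busy full-duplex source overruns a single T1 link.
    """
    per_dir = {"rx": rx_mbps, "tx": tx_mbps, "both": rx_mbps + tx_mbps}
    return {tport: per_dir[d] for tport, d in dirs.items()}


def oversubscribed(load: Dict[str, float], t_port_mbps: float = 1000.0) -> List[str]:
    """T ports whose mirrored load exceeds the link; excess copies are dropped unmonitored."""
    return [tport for tport, mbps in load.items() if mbps > t_port_mbps]


if __name__ == "__main__":
    # Hypothetical 6500 VSS ports: clients behind Gi1/1/1, T1 on Gi1/1/10, T2 on Gi1/1/11.
    plan = SpanPlan("GigabitEthernet1/1/1", "internal",
                    "GigabitEthernet1/1/10", "GigabitEthernet1/1/11")
    print("\n".join(span_config(plan)))
    # Constructed load: 600 Mb/s each way on the source port.
    single = mirror_load(directions("internal", False), 600, 600)
    print("T1-only oversubscribed:", oversubscribed(single))   # ['t1']
    split = mirror_load(directions("internal", True), 600, 600)
    print("T1+T2 oversubscribed:", oversubscribed(split))      # []
```

The design point is that the direction keyword depends on which side of the WSA the mirrored port faces, not on the port itself: the same client-facing port gives `rx` for T1 and `tx` for T2, while an internet-facing port flips both. The load check shows why a single `both` session drops copies on a busy link even though the proxied traffic on P1/P2 is unaffected.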

Hello Eric,

I am asking you because, from my point of view, I want to be a smart engineer rather than a parrot engineer reading books and mugging up. You are an expert from Cisco; that is the reason I am asking my queries.

Thanks for all your replies and for being patient in answering my queries.

Only answer my last question:

"P1 will be the proxy connection for clients to send traffic to.

P2 will carry the traffic from the WSA towards the internet, and the reply from the internet to the WSA.

The configured routing manages this eventually."

I know the above lines, but they are not clear from a practical view. Put yourself in my situation and suppose you have a common corporate design such as Access Switches --> Core Switch --> Firewall --> Internet Router --> ISP.

Now tell me where you would connect P1 and P2.

I will do my corporate design as per your thinking.

Thanks

You have to make a decision on what works best based on your security policy.

Things to consider are that P1 is the interface that the clients will be sending traffic to, and P2 is the interface that will be towards the internet.

These two interfaces have to be in different subnets.

You have to connect P1 where all the devices that need to be proxied for HTTP/HTTPS/FTP by the Web Security Appliance will have a path to it.

If all devices that need to be protected by the WSA are on the access switch, then put P1 on that subnet, and P2 on the subnet just before the firewall.

Regards,

Eric

Thanks, dear.

You are great and very helpful; keep helping others and giving your suggestions.

Thanks