IDS-4210

Answered Question
Apr 12th, 2007

I noticed that the model IDS-4210 does not do INLINE inspection on software 5.1(3).


Will it do so on newer versions? Or can the 4210 not do it, period?

Overall Rating: 5 (3 ratings)
marcabal Thu, 04/12/2007 - 07:09
User Badges: Cisco Employee

There are 2 types of inline inspection:

inline interface pairs - 2 physical interfaces are paired together, and the inspection is done inline as the packets are passed between the 2 interfaces


inline vlan pairs - 1 physical interface is connected to a switch using a trunk port, 2 vlans on the trunk port are paired together, and the inspection is done inline as the packets are switched between the 2 vlans


The IDS-4210 only has one monitoring interface, and so you cannot create inline interface pairs.

But the IDS-4210 does support inline vlan pairs on that one monitoring interface.



http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliinter.htm#wp1057307


Rodrigo Gurriti Thu, 04/12/2007 - 10:48

Thank you


But one more question


The 4210 would have to act like a router to direct the packets from the internet to the inside network?


I tried to look on configuration guides but they have no examples.


I assume that the network scheme would look something like this:


router ---vlan1

IDS ---vlan1/2

inside ---vlan2


Am I right?


PS. thank you marcabal for your post

Correct Answer
marcabal Thu, 04/12/2007 - 11:01
User Badges: Cisco Employee

Yes and No


The scheme you wrote up is right, but it does NOT route between vlan 1 and vlan 2.

The IPS will instead switch or bridge packets between vlan 1 and vlan 2.


What this means is that the IP address on the router's vlan 1 interface MUST be in the same IP subnet as the IP addresses on the inside vlan.

The IPS will simply take the packets on vlan 1 and put them on vlan 2 (and vice versa); it will not "route" packets between 2 IP subnets, so the same IP subnet must be used in both vlan 1 and vlan 2.
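Added example, not code from the thread or from Cisco: a small Python model of the inline VLAN pair marcabal describes, covering both the two-VLAN bridging from the first reply and its consequence in the second reply (no routing, so one IP subnet spans both VLANs). The 802.1Q frame layout is standard; the MAC and IP addresses and the `inspect` hook are constructed assumptions standing in for real traffic and for the sensor's signature engine, which is not modelled.

```python
"""Toy model of an IPS inline VLAN pair (added example, not Cisco code).

A frame arriving on the trunk tagged with vlan1 is inspected and re-emitted
tagged with vlan2, and vice versa. Only the 802.1Q tag changes: MAC addresses,
the IP header and the payload pass through untouched. That is why the router's
vlan 1 address and the inside hosts on vlan 2 must share a single IP subnet.
"""
import ipaddress
import struct
from typing import Callable, List, Optional

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q tag


def build_tagged_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int, inner: bytes) -> bytes:
    """Build an 802.1Q-tagged Ethernet frame; `inner` is the inner EtherType + payload."""
    tci = vlan_id & 0x0FFF  # PCP/DEI left at zero in this toy
    return dst_mac + src_mac + struct.pack("!HH", ETHERTYPE_8021Q, tci) + inner


def vlan_id_of(frame: bytes) -> Optional[int]:
    """Return the VLAN ID of a tagged frame, or None if the frame is untagged/too short."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_8021Q:
        return None
    return tci & 0x0FFF


class InlineVlanPair:
    """Bridge two VLANs carried on one monitoring interface.

    `inspect` is a hypothetical hook in place of the sensor's signature engine:
    it receives the bytes after the VLAN tag and returns False to drop the frame.
    """

    def __init__(self, vlan1: int, vlan2: int,
                 inspect: Callable[[bytes], bool] = lambda inner: True):
        self.pair = {vlan1: vlan2, vlan2: vlan1}
        self.inspect = inspect

    def forward(self, frame: bytes) -> Optional[bytes]:
        vid = vlan_id_of(frame)
        if vid not in self.pair:
            return None  # VLAN not in this pair: nothing is bridged
        if not self.inspect(frame[16:]):
            return None  # denied by inspection
        # Rewrite only the TCI (VLAN ID); MACs and everything above layer 2 stay as-is.
        return frame[:14] + struct.pack("!H", self.pair[vid]) + frame[16:]


def same_subnet(router_if: str, inside_hosts: List[str]) -> bool:
    """Design check from the thread: because the pair bridges rather than routes,
    the router's vlan 1 interface and the inside hosts must be in one IP subnet."""
    net = ipaddress.ip_interface(router_if).network
    return all(ipaddress.ip_address(h) in net for h in inside_hosts)


if __name__ == "__main__":
    # Constructed sample frame: IPv4 EtherType followed by a stand-in payload.
    frame = build_tagged_frame(b"\xaa" * 6, b"\xbb" * 6, 1, b"\x08\x00" + b"payload")
    pair = InlineVlanPair(1, 2)
    out = pair.forward(frame)
    print("vlan in:", vlan_id_of(frame), "vlan out:", vlan_id_of(out))
    print("layer-2 addresses unchanged:", out[:12] == frame[:12])
    # Addressing from the thread's scheme, with RFC 5737 documentation addresses.
    print("router 192.0.2.1/24 with inside 192.0.2.10:", same_subnet("192.0.2.1/24", ["192.0.2.10"]))
    print("router 192.0.2.1/24 with inside 198.51.100.10:", same_subnet("192.0.2.1/24", ["198.51.100.10"]))
```

Running it shows a vlan 1 frame leaving as vlan 2 with identical MAC addresses and inner bytes, and `same_subnet` returning False when the inside hosts sit in a different subnet from the router's vlan 1 address, which is the situation the reply says will not work.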


