IPS 4240 inline pair

Unanswered Question
Nov 2nd, 2008

Hi All,

Can I use an inline pair in the IPS as a trunk? The IPS is connected to an ASA at one end and to a switch at the other end. I'd like to use an inline pair, but I am not sure if it can pass all VLAN traffic.



alex goshtaei Mon, 11/03/2008 - 08:43

Thanks rhermes,

but at one end there is an ASA with eight subinterfaces for eight VLANs, and at the other end is the switch with a trunk port.

In the IPS, if I configure an inline VLAN pair, it only allows me to bridge two VLANs, not eight.

If you have any design suggestion for how to connect the IPS between the ASA and the switch with 8 VLANs, it would be much appreciated.



rhermes Mon, 11/03/2008 - 10:46

The inline mode of the IPS sensors allows you to specify multiple inline VLAN pairs.

dhananjoy chowdhury Mon, 11/03/2008 - 21:49

I would suggest using at least 2 physical interfaces on the IPS device for the 8 VLANs you have.

In an inline VLAN pair, the IPS interface is doing the VLAN translation.

So, only allow the specific VLANs on the trunk port, something like this:

! 802.1Q trunk toward the first IPS sensing interface
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 11,12,13,14
!
! 802.1Q trunk toward the second IPS sensing interface
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 111,112,113,114

Connect f0/20 and f0/21 to different interfaces on the IPS.

On the IPS, create VLAN pairs for VLANs 11,12,13,14 and VLANs 111,112,113,114.

Hope this helps
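An added example of the inline VLAN pair option written out end to end, using the VLAN numbers from the post above; it is not configuration from the original posts or from any Cisco document. It assumes an IPS 4240 running a 6.x image with sensing interface GigabitEthernet0/0 cabled to switch port FastEthernet0/20, the "ASA side" VLANs 11-14 paired with the "host side" VLANs 111-114, and the ASA trunked to the switch (interface, VLAN and subinterface numbers are illustrative). It differs from the post in using one sensing interface for all four pairs: an inline VLAN pair bridges two VLANs on the same sensing interface (the sensor re-tags the frame and sends it back out the port it arrived on), so both VLANs of every pair have to be allowed on that one trunk.

```cisco
! ---- Switch (IOS): one 802.1Q trunk to the sensor's Gi0/0 ----
! Both VLANs of every pair must be allowed here: the sensor receives a
! frame tagged 11, inspects it, and sends it back out the same port
! tagged 111 (and the reverse). Nothing else may bridge 11 and 111.
interface FastEthernet0/20
 description To IPS 4240 Gi0/0 (inline VLAN pairs 11<->111 ... 14<->114)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 11-14,111-114
 no shutdown

! ---- Sensor (IPS 6.x CLI): four VLAN pairs on GigabitEthernet0/0 ----
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description ASA vlan 11 <-> hosts vlan 111
sensor(config-int-phy-inl-sub)# vlan1 11
sensor(config-int-phy-inl-sub)# vlan2 111
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 2
sensor(config-int-phy-inl-sub)# description ASA vlan 12 <-> hosts vlan 112
sensor(config-int-phy-inl-sub)# vlan1 12
sensor(config-int-phy-inl-sub)# vlan2 112
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 3
sensor(config-int-phy-inl-sub)# description ASA vlan 13 <-> hosts vlan 113
sensor(config-int-phy-inl-sub)# vlan1 13
sensor(config-int-phy-inl-sub)# vlan2 113
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 4
sensor(config-int-phy-inl-sub)# description ASA vlan 14 <-> hosts vlan 114
sensor(config-int-phy-inl-sub)# vlan1 14
sensor(config-int-phy-inl-sub)# vlan2 114
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! A subinterface that is not assigned to a virtual sensor is not inspected.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 1
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 2
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 3
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 4
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show interfaces
```

With this design the ASA subinterfaces sit in VLANs 11-14 and the protected hosts in VLANs 111-114, and the only path between the two halves is through the sensor. Check it with `show interfaces trunk` on the switch (all eight VLANs allowed and active on Fa0/20) and `show interfaces` on the sensor (packet counters rising on Gi0/0); if a host VLAN is also allowed on some other trunk that reaches the ASA's VLAN, that trunk bypasses the inspection.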

alex goshtaei Mon, 11/03/2008 - 22:15

thanks for your very useful info.

I just found that I can simply connect the IPS between the ASA and the switch and configure an inline physical pair without defining a VLAN pair. In this situation, the IPS inspects all traffic, the ports on the IPS act like a trunk, and it doesn't care about the VLAN ID.

Am I right? I hope I am.



dhananjoy chowdhury Tue, 11/04/2008 - 01:22

Yes, you are right. If it's an inline physical interface pair, then you don't have to care about the VLANs.
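The inline interface pair the thread settles on, written out as an added example (not configuration from the original posts or from Cisco). It assumes an IPS 4240 (6.x CLI) with GigabitEthernet0/0 cabled to the ASA's GigabitEthernet0/1 and GigabitEthernet0/1 cabled to switch port GigabitEthernet0/24, with VLANs 11-18 for the eight ASA subinterfaces; interface names, VLAN numbers and addresses are illustrative. The sensor is a transparent bump in the wire that forwards 802.1Q-tagged frames unchanged between its two ports, so the ASA and the switch are configured exactly as if they were cabled back to back.

```cisco
! ---- ASA: one physical interface, eight 802.1Q subinterfaces (two shown) ----
interface GigabitEthernet0/1
 description To IPS 4240 Gi0/0 (inline interface pair)
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.11
 vlan 11
 nameif inside11
 security-level 100
 ip address 10.11.0.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 vlan 12
 nameif inside12
 security-level 100
 ip address 10.12.0.1 255.255.255.0
! ... same pattern for VLANs 13-18 (subinterfaces .13 to .18)

! ---- Switch (IOS): trunk toward IPS Gi0/1. The real trunk peer is the
! ---- ASA, which does not speak DTP, so force trunking and disable
! ---- negotiation instead of relying on dynamic mode.
interface GigabitEthernet0/24
 description To IPS 4240 Gi0/1 (ASA behind it)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 11-18
 no shutdown

! ---- Sensor (IPS 6.x CLI): bridge Gi0/0 and Gi0/1 as one inline pair ----
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# inline-interfaces PAIR1
sensor(config-int-inl)# description Gi0/0 (ASA) <-> Gi0/1 (switch trunk, VLANs 11-18)
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
! Pick the failure mode deliberately: "auto" fails open (frames pass
! uninspected while the analysis engine is down), "off" fails closed.
sensor(config-int)# bypass-mode off
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface PAIR1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show interfaces
```

To verify, `show interfaces GigabitEthernet0/24 trunk` on the switch should list VLANs 11-18 as allowed and active, `show interface` on the ASA should show all eight subinterfaces up, and `show interfaces` on the sensor should show counters rising on both Gi0/0 and Gi0/1. Two caveats worth keeping in mind: because the sensor never looks at the tag, every VLAN that crosses the pair is inspected under the same virtual sensor policy, so per-VLAN tuning needs VLAN groups rather than this flat pair; and `bypass-mode` is a software setting that covers an analysis-engine failure, not a powered-off appliance, so the physical design has to tolerate the link going dark when the sensor does.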

