Thanks rhermes,

but in one end, there is ASA with eight subinterface with eight vlans, and the other end is the switch with trunk port.

In IPS, if I configure inline vlan pair, it is only allow me to bridge two vlan not eight vlan.

if you have any design suggestion how to connect IPS between ASA and switch with 8 vlan, that would be very appreciated.

thanks

Alex

The in-line mode of the IPS sensors allows you to specify multiple in-line VLAN pairs.

I would suggest to use atleast 2 physical interface on the IPS device for the 8 vlans you have.

In inline VLAN pair, the IPS interface is doing the VLAN translation.

So, only allow the specific vlans on the trunk port, something like this:-

int f0/20

switchport trunk encapsulation dot1

switchport mode trunk

switchport trunk allowed vlan 11,12,13,14

int f0/21

switchport trunk encapsulation dot1

switchport mode trunk

switchport trunk allowed vlan 111,112,113,114

connect f0/10 and f0/20 to different interfaces on the IPS.

On the IPS, create vlan pairs, for vlan 11,12,13,14 and vlans 111,112,113,114.

Hope this helps

thanks for your very useful info.

I just found that I can simply connect IPS between ASA and switch and configure inline physical pair without to define vlan pair. in this situation, IPS inspect all traffic and ports in IPS act like trunk and it doesn't care about vlan ID.

am I right? I hope I am.

thanks

Alex

yes you are right, if its inline physical interface pair, then you don't have to care about the vlans.