11-02-2008 07:12 PM - edited 03-10-2019 04:21 AM
Hi All,
Can I use an inline pair on the IPS as a trunk? The IPS is connected to an ASA on one end and to a switch on the other end. I'd like to use an inline pair, but I am not sure if it can pass all VLAN traffic.
Thanks
Alex
11-03-2008 08:29 AM
Yes, they're called in-line VLAN pairs.
11-03-2008 08:43 AM
Thanks rhermes,
but on one end there is an ASA with eight subinterfaces for eight VLANs, and on the other end is the switch with a trunk port.
On the IPS, if I configure an inline VLAN pair, it only allows me to bridge two VLANs, not eight VLANs.
If you have any design suggestion for how to connect the IPS between the ASA and the switch with 8 VLANs, that would be very much appreciated.
Thanks
Alex
11-03-2008 10:46 AM
The in-line mode of the IPS sensors allows you to specify multiple in-line VLAN pairs.
11-03-2008 09:49 PM
I would suggest using at least 2 physical interfaces on the IPS device for the 8 VLANs you have.
In an inline VLAN pair, the IPS interface is doing the VLAN translation.
So, only allow the specific VLANs on the trunk port, something like this:
int f0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 11,12,13,14
int f0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 111,112,113,114
Connect f0/10 and f0/20 to different interfaces on the IPS.
On the IPS, create VLAN pairs for VLANs 11,12,13,14 and VLANs 111,112,113,114.
Hope this helps
11-03-2008 10:15 PM
Thanks for your very useful info.
I just found that I can simply connect the IPS between the ASA and the switch and configure an inline physical pair without defining a VLAN pair. In this situation, the IPS inspects all traffic, and the ports on the IPS act like a trunk and don't care about the VLAN ID.
Am I right? I hope I am.
Thanks
Alex
11-04-2008 01:22 AM
Yes, you are right; if it's an inline physical interface pair, then you don't have to care about the VLANs.