Two 6500 One IPS 4260

Unanswered Question
Nov 3rd, 2008

Hi,

We have two 6509 switches and one IPS 4260 appliance (to protect servers). All the servers are homed directly on to the core switches. There is no server aggregation switch, so we plan to use the IPS in promiscuous mode. The server VLAN will be on HSRP. So should the IPS be connected only to the core switch where the server VLAN is active, and when there is a failure of that core, manually connect it to the other core? Basically we would also like to use the TCP reset feature, but a sensing interface cannot do a reset. So how can the IPS be properly placed in this scenario?

Thanks in advance.

dhananjoy chowdhury Mon, 11/03/2008 - 22:00

I believe you can send TCP reset on the sensing interface as well.

You only need to specify the ingress VLAN on the switch port to which the IPS sensing interface is connected.

Something like this, if the server VLAN is VLAN 100:

monitor session 1 source vlan 100 rx

monitor session 1 destination interface Fa0/20 ingress vlan 100

And for redundancy, can you use two physical interfaces of the IPS, each connecting to a different switch, with the traffic monitored on the active switch's interface?

Hope this helps.
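As an added example that is not part of any post in this thread: the SPAN configuration suggested in the reply above, carried to both core switches with one IPS 4260 sensing port per core. The interface names, VLAN 100 and the session numbers are assumptions, and the ingress keyword syntax should be checked against the IOS release running on the 6500s.

```cisco
! Added example, not from the original thread. Assumed: server VLAN 100,
! IPS sensing port on Gi1/1 of each core, SPAN session 1 on each core.
!
! --- Core switch A (HSRP active for VLAN 100) ---
! Mirror traffic entering VLAN 100 to the port facing the first IPS sensing interface
monitor session 1 source vlan 100 rx
! "ingress vlan 100" allows frames the IPS transmits on this port (TCP resets)
! to be accepted by the switch and forwarded in VLAN 100
monitor session 1 destination interface GigabitEthernet1/1 ingress vlan 100
!
! --- Core switch B (HSRP standby for VLAN 100) ---
! Same configuration, feeding the second IPS sensing interface, so monitoring
! continues from whichever core is forwarding after an HSRP failover
monitor session 1 source vlan 100 rx
monitor session 1 destination interface GigabitEthernet1/1 ingress vlan 100
!
! Confirm on each core that the destination shows ingress enabled for VLAN 100
show monitor session 1
```

Both IPS sensing interfaces then belong to the same virtual sensor on the 4260 so resets are sent out the interface on which the offending flow was seen.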

Sonugnair_2 Tue, 11/04/2008 - 13:07

Hi, thanks for the reply. Actually on the 6500s we have FWSMs as well, and the default gateways for the servers are the FWSM. Basically we would like to protect the server farm from internal users using one IPS 4260 appliance (there is a separate IPS for outside users). Is it possible to do this in inline VLAN pair mode in this scenario? i.e. server switchport in VLAN 22 (L2 VLAN), VLAN 2 pushed to the FWSM as interface vlan 2 for the gateway of the servers. The physical port that connects the IPS appliance to the core would be a trunk allowing both 22 and 2, with the mapping done on the IDS and then traffic sent to the FWSM. Is this feasible in this scenario?

Thanks in advance.
