When dealing with inline vlan pairs here are some basic things to keep in mind:
1) A single interface can have up to around 250 inline vlan pairs.
2) The maximum number of vlan pairs for a sensor would be around 250 times the number of monitoring interfaces. So an IPS-4240 with 4 monitoring interfaces could have around 1,000 inline vlan pairs. (Of course I don't recommend trying to actually use that many.)
3) Adding inline vlan pairs does NOT increase the total performance capability of the sensor. The sensor's performance is independant of the number of inline vlan pairs. It is the aggregate of traffic across all of the inline vlan pairs that must fit within the sensor's performance capability.
4) Most sensors only support 4 virtual sensors (some lower end sensors only support a single virtual sensor). So no matter how many inline vlan pairs you have, you can only separate them across these 4 virtual sensors. Which usually means you have to monitor multiple inline vlan pairs in a single virtual sensor.
5) A vlan can belong to only 1 inline vlan pair PER INTERFACE. So if on Ge0/0 you paired vlan 10 with vlan 11. Then you can NOT create a vlan 10 and vlan 12 pair on the SAME Ge0/0. BUT you can create a vlan 10 and vlan 11 pair (or a vlan 10 and vlan 12 pair) on another interface Ge0/1.
So a vlan can belong to only 1 pair per interface. But it can be paired with the same vlan on another interface, or paired with a different vlan on another interface.
In my examples from before you would create 3 pairs of vlans on one interface connected to the left switch, and then create the SAME 3 pairs for the interface connected to the right switch.
6) If you will be creating the same vlan pairs on multiple interfaces, then you want to be sure to use the same subinterface numbers for the pairs on the 2 interfaces.
So if vlan pair 10 and 110 is subinterface 2 on Ge0/0, it should also be subinterface 2 on Ge0/1.
7) If you will be monitoring multiple inline vlan pairs in the same virtual sensor, then it is best to set the inline-TCP-session-tracking mode to vlan-only. The sensor will combine traffic from vlan pair 10 and 110 from Ge0/0 with the same vlan pair 10 and 110 from Ge0/1 when monitoring TCP connections, but will not try to mix in traffic from other pairs like vlan pair 11 and 111.
This is necessary because in many cases you might wind up with a client on vlan 110 trying to talk with a server on vlan 111. The client traffic comes in vlan 110, gets monitored by the sensor, and gets paired with vlan 10 to go out to the router. It then comes back from the router on vlan 11, gets monitored by the sensor again, and gets paired with vlan 111 to go out to the server. And vice versa for server response traffic.
With the default inline-TCP-session-tracking mode the sensor will try to combine the traffic from the 2 inline vlan pairs. The sensors winds up seeing the same packet twice (once in each pair), and if tries to combine these duplicate packets into it's view of a single TCP connection, the sensor winds up getting confused. Because though it is the same packet as far as content, the packet header gets modified by the router. These changes in the packet header are what causes the sensor confusion and can look like an attack.
So by setting inline-TCP-session-tracking mode to vlan-only (instead of the default), the sensor now treats this single TCP connection as if it were 2 connections. It tracks one of them on vlan 10 and 110 pair, and treats it as a second connection on the vlan 11 and 111 pair. This avoids the confusion, and the sensor is able to properly track and monitor the traffic.
