Configuring IPS High Bandwidth Using EtherChannel Load Balancing

Unanswered Question
Mar 24th, 2009

I saw the message written below at this address:

“The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch.”

My question is:

Can I have one IPS with three or four ports attached to the same switch in an etherchannel?

Thank you.

marcabal Tue, 03/24/2009 - 07:09


Let's take the IPS-4270 with a 4 GE card as an example.

The IPS-4270 is rated at its top end at about 4 Gbps.

Which is way more than a single GE interface can handle.

Let's say you want to do inline monitoring on your network. You place most of your machines on vlan 10, and move the primary router for that network into vlan 11.

You configure an inline vlan pair to pair vlans 10 and 11 on port Ge 3/0 of your sensor.

You connect Ge 3/0 to your switch and make it a trunk for vlans 10 and 11.

Now you can monitor up to 1 Gbps of traffic because you are using a GE port, and your sensor is rated higher than 1 Gbps.

To increase your monitoring capability you create the same inline vlan pair that pairs vlan 10 and 11 on each of the other 3 interfaces of your sensor (Ge 3/1, 3/2, 3/3).

Now on your switch you do NOT independently make the other 3 ports trunk ports of vlan 10 and 11.

INSTEAD you take the original switch port and the 3 new switch ports and you put them into an etherchannel.

You then make the etherchannel into a trunk port of vlans 10 and 11.

Now traffic will be divided across the 4 ports and all go to the same sensor.

This in effect gives you UP TO 4 Gbps of monitoring because you have 4 GE ports, and your sensor is capable of monitoring UP TO 4 Gbps.

NOTE: I say UP TO, because the etherchannel algorithm is not a perfect balancer. It depends on how random your traffic is as to how well it will balance. And the 4270 is rated UP TO 4 Gbps. Some traffic is harder to monitor and so performance will be lower with some traffic. You also want to be sure you are using a switch module that can handle 1 Gbps per port. In the Cat 6K for example, the 6548 card can NOT handle 1 Gbps on each port. You have to use the 6748 card which is higher performing and has separate buffers for each port.


Now you can also add a second IPS-4270 into the mix.

Configure its 4 interfaces for inline vlan pair of vlans 10 and 11.

And add its 4 switch ports in the etherchannel.

Be sure to configure the etherchannel to distribute based on both source and dest IP.

The switch will send both client and server traffic for a connection to the same port, so it will have both directions of traffic for the connection monitored by the same sensor.

Now your throughput is UP TO 8 Gbps with the 2 IPS-4270s.
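The point marcabal makes about distributing on both source and destination IP is easy to check with a small model. The script below is an added example and is not part of the thread or of any Cisco code; it assumes a simplified hash (XOR of the two addresses, reduced modulo the member count) in place of the platform-specific Catalyst hash, and it uses constructed client/server pairs in VLAN 10 and VLAN 11. It shows that a symmetric policy (src-dst-ip) puts both directions of every connection on the same member port, so one sensor sees the whole conversation, while a source-only policy can split a connection across two sensors; it also shows that the per-port load is only as even as the address mix allows, which is the "UP TO" caveat.

```python
"""Model of EtherChannel member selection for an IPS on-a-stick deployment.

Added example, not from the forum thread. The hash below is an assumption
for illustration; real Catalyst load balancing is platform specific.
"""
from ipaddress import ip_address

# Constructed sample connections: (client in VLAN 10, server in VLAN 11).
FLOWS = [
    ("10.10.0.5", "10.11.0.10"),
    ("10.10.0.6", "10.11.0.10"),
    ("10.10.0.7", "10.11.0.20"),
    ("10.10.1.8", "10.11.0.10"),
]


def member_port(src, dst, policy, n_ports):
    """Index of the port-channel member chosen for a packet from src to dst.

    Simplified model (assumption): hash the selected addresses and reduce
    modulo the number of member ports.
    """
    s = int(ip_address(src))
    d = int(ip_address(dst))
    if policy == "src-ip":
        h = s
    elif policy == "dst-ip":
        h = d
    elif policy == "src-dst-ip":
        h = s ^ d          # XOR is commutative, so A->B and B->A agree
    else:
        raise ValueError(f"unknown load-balance policy: {policy}")
    return h % n_ports


def distribute(flows, policy, n_ports):
    """Map each connection to (forward_port, return_port)."""
    return {
        (c, s): (member_port(c, s, policy, n_ports),
                 member_port(s, c, policy, n_ports))
        for c, s in flows
    }


def symmetric(flows, policy, n_ports):
    """True when every connection keeps both directions on one member port,
    i.e. a single sensor sees both halves of the conversation."""
    return all(f == r for f, r in distribute(flows, policy, n_ports).values())


def port_load(flows, policy, n_ports):
    """Packets per member port, counting one packet per direction.

    An uneven result illustrates why the channel gives 'up to' N Gbps:
    the balance depends on how varied the addresses are.
    """
    load = [0] * n_ports
    for f, r in distribute(flows, policy, n_ports).values():
        load[f] += 1
        load[r] += 1
    return load


def sensor_for_port(port, ports_per_sensor=4):
    """With two IPS-4270s contributing four ports each to one channel,
    members 0-3 belong to sensor 0 and members 4-7 to sensor 1."""
    return port // ports_per_sensor


if __name__ == "__main__":
    for policy in ("src-ip", "src-dst-ip"):
        print(f"{policy:11s} symmetric={symmetric(FLOWS, policy, 4)} "
              f"load={port_load(FLOWS, policy, 4)}")
    # Eight-member channel shared by two sensors: which sensor sees each flow?
    for (c, s), (f, r) in distribute(FLOWS, "src-dst-ip", 8).items():
        print(f"{c} <-> {s}: ports {f}/{r}, sensor {sensor_for_port(f)}")
```

On a Catalyst running IOS the policy is selected globally with `port-channel load-balance src-dst-ip`; the script only models why that symmetric choice matters once more than one sensor sits behind the same channel.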

burakdinci Wed, 03/25/2009 - 00:53

Thanks for your reply. I have got another question.

I have got two core switches. They are running redundant with HSRP. One of them is HSRP active and spanning tree root for all VLANs, the other is HSRP passive and spanning tree secondary for all VLANs. I have got a server VLAN, and I would like to inspect traffic to this VLAN from all other user VLANs. All servers are connected to the backbone switches via other aggregation switches. We have got 6 aggregation switches and all of them are connected to the backbone switches via 1 gigabit f/o uplinks. Because of that, I need 6 Gbps throughput for the IPS system which will protect the server VLAN.

Which topology do you recommend for this purpose? Should I use other switches to connect all IPS devices to the backbone switches? Or should I connect IPS devices directly to the backbone switches? Which one is more preferable for performance and redundancy?

Kind Regards...

cpradoscarvajal Fri, 12/02/2011 - 04:14

Hi marcabal,

Can I do this config in a VSS (Virtual Switch System) environment?

I have one IPS 4720 and I would like to connect it to the VSS and create a MEC (Multi-chassis EtherChannel) to split the traffic load over four of the sensor interfaces (all the interfaces would be monitoring the same VLANs).
