IPS in inline vlan mode and VLAN 1

Answered Question
Mar 25th, 2009

I'm trying to install an IPS 4255 in inline VLAN pair mode, but I have encountered a problem.

The thing is we have a network with several VLANs. Some of the servers along with some users are connected in VLAN 1. The servers are connected on a separate switch.

I would like to isolate the servers behind the IPS.

I created a new vlan 90, paired it with VLAN 1 on the IPS and placed the servers into the new VLAN 90. But this doesn't seem to work.

I tried putting the trunk to the IPS on the core switch and also on the switch on which the servers are located, but in both cases it didn't work.

I noticed that this setup seems to work with VLANs other than VLAN 1, but I can't get it to work with VLAN 1.

Does anyone have an idea what might be the problem?

Thank you.

Correct Answer by marcabal (Wed, 03/25/2009 - 09:01)

Vlan 1 is by default the Native Vlan for the trunk port.

The native vlan traffic going out the trunk port will not have a vlan header.

So when the sensor gets the traffic it can't change the vlan header to be for vlan 90.

The sensor will not add a vlan header for packets that don't contain one.

So you have two options.

Either use a vlan other than 1.

Or the easier method is to change your switch config so that a different vlan is set as the Native Vlan for the trunk port.

Each switch could be different in the command to designate the native vlan for the trunk port.

For the Cat 6K running IOS it is "switchport trunk native vlan "

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html#wp1034721

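The mechanism marcabal describes, modelled at the byte level as an added example (this is not code from the thread or from Cisco): 802.1Q-tagged frames on a trunk, a trunk port that sends its native VLAN without a tag, and an inline VLAN pair that can only swap a tag that is actually present. The MAC addresses, the payload and the native VLAN 999 are constructed values chosen for the demonstration.

```python
import struct

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not captured traffic).
DST = bytes.fromhex("00005e000101")
SRC = bytes.fromhex("0050560a0b0c")
PAYLOAD = b"constructed IPv4 payload"


def build_frame(dst, src, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag only when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def trunk_egress(vlan, native_vlan, dst=DST, src=SRC, payload=PAYLOAD):
    """Model a dot1q trunk port: native-VLAN frames leave untagged, all others tagged."""
    if vlan == native_vlan:
        return build_frame(dst, src, payload)        # no 802.1Q header at all
    return build_frame(dst, src, payload, vlan=vlan)


def vlan_of(frame):
    """Return the VID from the 802.1Q tag, or None when the frame carries no tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def inline_vlan_pair(frame, vlan_a, vlan_b):
    """Model the sensor's inline VLAN pair: rewrite the VID from one side to the other.

    Returns the rewritten frame, or None when nothing can be bridged: the frame
    is untagged (the sensor will not add a tag, as the answer says) or it belongs
    to a VLAN that is not part of this pair.
    """
    vid = vlan_of(frame)
    if vid == vlan_a:
        new_vid = vlan_b
    elif vid == vlan_b:
        new_vid = vlan_a
    else:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    tci = (tci & 0xF000) | new_vid                   # keep PCP/DEI, swap the VID
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def forward_through_sensor(vlan, native_vlan, pair=(1, 90)):
    """Send a frame from `vlan` over a trunk with the given native VLAN into the
    inline VLAN pair and report the VLAN it comes out on (None = not bridged)."""
    out = inline_vlan_pair(trunk_egress(vlan, native_vlan), *pair)
    return None if out is None else vlan_of(out)


if __name__ == "__main__":
    # The thread's broken setup: the trunk's native VLAN left at the default of 1.
    print("native 1,   vlan 1  ->", forward_through_sensor(1, native_vlan=1))
    # After moving the native VLAN to an otherwise unused VLAN on that trunk.
    print("native 999, vlan 1  ->", forward_through_sensor(1, native_vlan=999))
    print("native 999, vlan 90 ->", forward_through_sensor(90, native_vlan=999))
```

With the native VLAN at the default of 1, VLAN 1 frames reach the pair without a tag and come back as None; once the native VLAN is moved to 999 the same frames arrive tagged and leave on VLAN 90. On the switch that move is `switchport trunk native vlan 999` (any VLAN that carries no real traffic) on the trunk facing the sensor, with VLANs 1 and 90 still allowed on that trunk; on the sensor the pair is the `subinterface-type inline-vlan-pair` entry under `service interface` with `vlan1 1` and `vlan2 90`. Catalyst 6500 IOS also has the global `vlan dot1q tag native`, which tags native-VLAN frames on every trunk of the switch, so it is the broader change and worth checking against the other trunks before using it.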

kasper123 Thu, 03/26/2009 - 14:56

Yes that was it. I changed the native vlan on the trunk to one different than Vlan 1 and it started working.

Thank you!
