Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
420
Views
4
Helpful
2
Replies

IPS in inline vlan mode and VLAN 1

Go to solution
kasper123
Level 4
Level 4

‎03-25-2009 02:39 AM - last edited on ‎03-25-2019 05:18 PM by Community Manager

I'm trying to install a IPS 4255 in inline vlan pair mode but I have encountered a problem.

The thing is we have a network with several VLANs. Some of the servers along with some users are connected in VLAN 1. The servers are connected on a separate switch.

I would like to isolate the servers behind the IPS.

I created a new vlan 90, paired it with VLAN 1 on the IPS and placed the servers into the new VLAN 90. But this doesn't seem to work.

I tryied putting the trunk to the IPS on the core switch and also on the switch on which the servers are located but in both cases it didn't work.

I noticed that this setup seems to work with VLAN's other than VLAN 1 but I can't get it to work with VLAN 1.

Does anyone have an idea what might be the problem?

Thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎03-25-2009 09:01 AM

Vlan 1 is by default the Native Vlan for the trunk port.

The native vlan traffic going out the trunk port will not have a vlan header.

So when the sensor gets the traffic it can't change the vlan header to be for vlan 90.

The sensor will not add a vlan header for packets that don't contain one.

So you have two options.

Either use a vlan other than 1.

Or the easier method is to change your switch config so that a different vlan is set as the Native Vlan for the trunk port.

Each switch could be different in the command to designate the native vlan for the trunk port.

For the Cat 6K running IOS it is "switchport trunk native vlan "

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html#wp1034721

View solution in original post

2 Replies 2

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎03-25-2009 09:01 AM

Vlan 1 is by default the Native Vlan for the trunk port.

The native vlan traffic going out the trunk port will not have a vlan header.

So when the sensor gets the traffic it can't change the vlan header to be for vlan 90.

The sensor will not add a vlan header for packets that don't contain one.

So you have two options.

Either use a vlan other than 1.

Or the easier method is to change your switch config so that a different vlan is set as the Native Vlan for the trunk port.

Each switch could be different in the command to designate the native vlan for the trunk port.

For the Cat 6K running IOS it is "switchport trunk native vlan "

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html#wp1034721

Go to solution
kasper123
Level 4
Level 4
In response to marcabal

‎03-26-2009 02:56 PM

Yes that was it. I changed the native vlan on the trunk to one different than Vlan 1 and it started working.

Thank you!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card