IDSM-2 virtualization with the exception of VLAN groups on inline interface

Unanswered Question
May 15th, 2009
Please comment on the feature that the IDSM-2 supports virtualization, with the exception of VLAN groups on inline interface pairs.

(http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliAnEng.html)

How can one configure VLAN groups on inline pairs? Please give an example by CLI.

vmoopeung Thu, 05/21/2009 - 17:52
User Badges:
  • Bronze, 100 points or more

You can associate VLANs in pairs on a physical interface. This is known as Inline VLAN Pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. You can divide each physical interface or inline interface into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface. You cannot divide physical interfaces that are in inline VLAN pairs into VLAN groups.
marcabal Thu, 05/21/2009 - 20:31
User Badges:
  • Cisco Employee

The IDSM-2 does support Inline Vlan Pairs as the previous responder described. You can have up to 250 inline vlan pairs on an interface.

The IDSM-2 does NOT support Vlan Groups on an Inline Interface Pair.

The Appliances do support Vlan Groups on an Inline Interface Pair because they can have a switch on one side, and another switch (or router, or firewall) on the other side. The 2 devices could then be Trunking multiple vlans through the Appliance.

You cannot, however, do this with an IDSM-2.

Vlan IDs are not modified when going through an Inline Interface Pair, which means the same vlan must exist on both sides of the pair.

The problem with the IDSM-2 is that for an Inline Interface Pair to work, each port must be an Access Port for a different vlan. So the Inline Interface Pair joins 2 different vlans. Since it cannot rewrite the vlan headers, the packets MUST enter the IDSM-2 WITHOUT vlan headers so they can be passed between the 2 different vlans. Since the packets won't have a vlan header, you cannot make vlan groups.

If you need to rewrite the vlan header (usually because you need more than 1 pair of vlans), then you use Inline Vlan Pairs on a single interface instead of Inline Interface Pairs.
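The following is an added illustration of the supported alternative described in the reply above (inline VLAN pairs on a single IDSM-2 sensing interface, each pair assigned to its own virtual sensor), not a configuration taken from this thread or from Cisco's documentation. The slot number (5), the VLAN IDs (52/53 and 62/63), the virtual sensor names and the use of GigabitEthernet0/7 as data port 1 are assumptions for the example; lines beginning with "!" are annotations, not commands. The unsupported combination (VLAN groups on an inline interface pair) is deliberately not shown because the IDSM-2 rejects it.

```text
! --- Catalyst 6500 (IOS) side ---
! The IDSM-2 data port must receive tagged frames, so it is trunked with every
! VLAN of every pair. (An inline interface pair, by contrast, would need each
! data port as an access port in a different VLAN, which is why VLAN groups
! cannot be built on top of it.)
switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 52,53,62,63

! --- IDSM-2 (IPS 6.x CLI) side ---
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
! Pair 1: frames arriving on VLAN 52 are inspected and forwarded on VLAN 53, and vice versa.
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 52
sensor(config-int-phy-inl-sub)# vlan2 53
sensor(config-int-phy-inl-sub)# description server segment 52 <-> 53
sensor(config-int-phy-inl-sub)# exit
! Pair 2 on the same physical interface (the reply above states up to 250 pairs per interface).
sensor(config-int-phy-inl)# subinterface 2
sensor(config-int-phy-inl-sub)# vlan1 62
sensor(config-int-phy-inl-sub)# vlan2 63
sensor(config-int-phy-inl-sub)# description user segment 62 <-> 63
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes

! Virtualization: each inline VLAN pair is a subinterface that can be owned by a
! different virtual sensor, so the two segments get independent policies.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# description virtual sensor for the user segment
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 2
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes

! Check that both subinterfaces are up and mapped to the intended virtual sensors.
sensor# show interfaces
sensor# show configuration | include subinterface
```

Both VLANs of each pair have to exist on the switch and be allowed on the trunk to the module; a pair whose VLANs are missing from the trunk simply carries no traffic and is easy to mistake for a sensor problem.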



k.dmowski Thu, 05/21/2009 - 22:00

Thank you very much for your e-mail with explanations.

Please tell me if the information below is true (from the IPS 6.0 course):

Virtualization Platforms

  • The Cisco Catalyst 6500 Series IDSM-2 supports multiple virtual sensors except for VLAN groups on inline interface pairs.

Differences between Cisco Catalyst 6500 Series IDSM-2 and Cisco IPS 4200 Series Sensors

The Cisco Catalyst 6500 Series IDSM-2 has these differences:

  • It does not support sensor virtualization with inline VLAN groups.


Best regards

Kazimierz

marcabal Thu, 05/21/2009 - 22:31
User Badges:
  • Cisco Employee

Yes, they are true.

The last sentence, "it does not support sensor virtualization with inline VLAN groups", is confusingly worded but is true.

It means the same thing as "it does not support VLAN groups on inline interface pairs."

The IDSM-2 does NOT support VLAN groups on inline interface pairs. The IDSM-2 DOES support inline vlan pairs, and inline vlan pairs can be used with multiple virtual sensors.



k.dmowski Sun, 06/07/2009 - 01:11

Hi Marcoa,

Thank you very much for your comments.

Best regards

Kazimierz
