Help with inline VLAN Pair and switch configuration

Unanswered Question
Aug 28th, 2009

Hello,

I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.

SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to SW1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.

I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But they can't ping when on separate vlans.

From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.

My IPS is configured with inline VLAN pair 100->200 and associated to vs0.

Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?

Below are my configs for the switches and the IPS.

Any help would be appreciated. Thank you!

------------------------------

IPS Config

service interface
  physical-interfaces GigabitEthernet0/0
    no description
    admin-state enabled
    duplex auto
    speed auto
    alt-tcp-reset-interface interface-name GigabitEthernet0/3
    subinterface-type inline-vlan-pair
      subinterface 1
        description test
        vlan1 100
        vlan2 200
      exit
    exit

service analysis-engine
  virtual-sensor vs0
    physical-interface GigabitEthernet0/0 subinterface-number 1
    inline-TCP-session-tracking-mode vlan-only
  exit
exit

SW1 and SW2 config

interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/9
 switchport access vlan 200
!
interface FastEthernet0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24 (SW2 only)
 description IPS port
 switchport trunk encapsulation dot1q
 switchport mode trunk

marcabal Fri, 08/28/2009 - 13:12

It has been a while since I've dealt with a 2900 switch, so I am just trying to guess at what may be wrong with your setup.

I noticed that neither of your trunk port configurations specifically states which vlans are allowed on the trunks.

It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which vlans to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which vlans the trunk to the sensor should carry. If I remember right the command would be something like:

switchport trunk allowed vlan 100,200

You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk"

And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.

On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.

You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.

You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.

NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both PCs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches.
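The first thing the reply asks the poster to check is whether each trunk port, and the IPS port in particular, explicitly carries VLANs 100 and 200. The following script is an added example written for this page, not code from the thread or from Cisco: it parses IOS-style interface stanzas (the SW2 config exactly as posted, embedded as constructed sample input), finds every port in `switchport mode trunk`, and reports whether a `switchport trunk allowed vlan` list is present and covers the VLANs the inline pair needs. The IOS syntax is `switchport trunk allowed vlan 100,200` (no hyphen); a trunk with no such line relies on the platform default, which is reported as `implicit` so you know to confirm it on the switch with `show interfaces trunk` or `show interfaces FastEthernet0/24 switchport` (the exact show commands available on a 2900-series switch are an assumption here). The regex handling of the `add` keyword is also an assumption about what a config may contain.

```python
import re

# Constructed sample input: the SW2 stanzas as posted in the thread, with the
# "(SW2 only)" annotation dropped so the text parses as a plain IOS config.
SW2_AS_POSTED = """\
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/9
 switchport access vlan 200
!
interface FastEthernet0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24
 description IPS port
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Matches 'switchport trunk allowed vlan 100,200' and the 'add' form (assumed).
ALLOWED_RE = re.compile(r"^switchport trunk allowed vlan (?:add )?([\d,\-]+)$")


def parse_interfaces(config):
    """Split an IOS-style running-config into {interface name: [sub-commands]}.

    Sub-commands are the indented lines under an 'interface' line; a '!' or any
    other unindented line closes the stanza.
    """
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100,200,300-302' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit_trunks(config, required_vlans):
    """Report, for every trunk port, whether the required VLANs are explicitly allowed.

    status is one of:
      'implicit' - no allowed-vlan line; the trunk relies on the platform default,
                   so confirm what is really trunked with 'show interfaces trunk'
      'ok'       - an explicit list covers every required VLAN
      'missing'  - an explicit list exists but omits some required VLAN
    """
    required = set(required_vlans)
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue
        allowed = None
        for cmd in cmds:
            m = ALLOWED_RE.match(cmd)
            if m:
                allowed = (allowed or set()) | expand_vlan_list(m.group(1))
        if allowed is None:
            status, missing = "implicit", set()
        else:
            missing = required - allowed
            status = "ok" if not missing else "missing"
        findings.append({"interface": name, "allowed": allowed,
                         "status": status, "missing": missing})
    return findings


if __name__ == "__main__":
    # VLANs 100 and 200 are the inline VLAN pair from the poster's IPS config.
    for f in audit_trunks(SW2_AS_POSTED, {100, 200}):
        print(f"{f['interface']}: {f['status']} allowed={f['allowed']} "
              f"missing={sorted(f['missing'])}")
```

Run against the posted config both trunk ports come back `implicit`, which is exactly the gap the reply points at: nothing in the config proves VLANs 100 and 200 reach the sensor, so the switch-side show command and the sensor's `show interfaces` / `packet display GigabitEthernet0/0` output are the next checks. Adding `switchport trunk allowed vlan 100,200` under FastEthernet0/24 turns that port's finding into `ok`.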
