05-25-2010 08:46 PM - edited 03-10-2019 01:42 PM
Hi,
I have 2 * 6509s with VSS configured. Recently we have purchased 2 * 4260 IPS to monitor the complete traffic to the Server VLAN (VLAN 10). I did the steps below:
Create a new Vlan (Vlan 20)
Clear the Interface Vlan 10 IP address
Configure Interface Vlan 20 with the same Ip Address which was configured on Vlan 10
Configure 1/4/47 and 2/4/47 on Vlan 10 and 1/4/48 and 2/4/48 on Vlan 20
Configure 1/4/47 and 2/4/47 in port channel 10 and 1/4/48 and 2/4/48 in port channel 20 on the 6500 VSS Switches
Configure the IPS in Interface Pair mode between Gi1/0 and 1/1
Connect Gi 1/0 of IPSs in 1/4/47 and 2/4/47
Connect Gi 1/1 of IPSs in 1/4/48 and 2/4/48
The core switches started making some loops and all communication became very slow. Please advise.
Regards,
Jaison
05-26-2010 08:52 AM
The interface Pair mode should be the correct way to externally connect two VLANs on your 6500 through your 4260.
Are you setting the 6509 interfaces to trunk for sending the traffic to the IPS? (They should be set to just a plain VLAN member, not a trunk.)
How are you connecting the 4260 Gi 1/0 to BOTH 1/4/47 and 2/4/47?
Configure the IPS in Interface Pair mode between Gi1/0 and 1/1
Connect Gi 1/0 of IPSs in 1/4/47 and 2/4/47
Connect Gi 1/1 of IPSs in 1/4/48 and 2/4/48
- Bob
05-26-2010 08:23 PM
Hi,
Both IPS are configured in inline interface pair mode and all the ports are access ports. To load balance between the IPS I have configured Port Channels between 1/4/47, 2/4/47 and 1/4/48, 2/4/48.
05-27-2010 05:28 AM
Jaison;
Depending on how the load balancing is operating, having the sensors operating in inline mode could cause potential issues due to the functionality provided by the IPS normalizer engine. This engine attempts to correct traffic that is potentially evading IPS detection (sending traffic out of order, heavily fragmented, etc.). If a single sensor cannot see the entire conversation, the normalizer may begin denying packets for these flows. You can determine if the normalizer is actively detecting issues by looking for high signature counts for signatures in the range 1300-1399. The easiest method to see this is to issue "sh stat virt | inc Sig" (this is case sensitive).
Scott
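A small helper for the check Scott describes, added here as an example and not from the thread or from Cisco: it parses signature hit counts from "show statistics virtual-sensor" style output, totals the normalizer range 1300-1399, and flags signatures whose counts suggest each sensor is only seeing part of a flow. The line layout ("Sig <id>.<subsig> - <name> : <count>") and the sample lines are constructed assumptions, not captured 4260 output.

```python
import re
from typing import Dict, List, NamedTuple

# Normalizer-engine signatures occupy IDs 1300-1399 (as noted in the thread).
NORMALIZER_IDS = range(1300, 1400)

# Constructed sample. The layout "Sig <id>.<subsig> - <name> : <count>" is an
# assumption for illustration, not output captured from a real sensor.
SAMPLE_OUTPUT = """\
   Sig 1300.0 - normalizer event A : 0
   Sig 1330.2 - normalizer event B : 18420
   Sig 1330.12 - normalizer event C : 9117
   Sig 2004.0 - non-normalizer event D : 3
   Sig 3030.0 - non-normalizer event E : 0
"""

SIG_LINE = re.compile(r"Sig\s+(\d+)\.(\d+)\s+-\s+(.*?)\s*:\s*(\d+)\s*$")


class SigCount(NamedTuple):
    sig_id: int
    subsig: int
    name: str
    count: int


def parse_sig_counts(text: str) -> List[SigCount]:
    """Extract (id, subsig, name, count) from every 'Sig ...' line; skip the rest."""
    found = []
    for line in text.splitlines():
        m = SIG_LINE.search(line)
        if m:
            found.append(SigCount(int(m[1]), int(m[2]), m[3], int(m[4])))
    return found


def normalizer_summary(text: str, min_hits: int = 1000) -> Dict:
    """Total the 1300-1399 hits and flag any one signature at or above min_hits.
    A large share of all hits coming from that range is consistent with a sensor
    seeing only part of each conversation, which is what the thread warns about."""
    counts = parse_sig_counts(text)
    total = sum(c.count for c in counts)
    norm = [c for c in counts if c.sig_id in NORMALIZER_IDS]
    norm_hits = sum(c.count for c in norm)
    flagged = [f"{c.sig_id}.{c.subsig}" for c in norm if c.count >= min_hits]
    return {
        "total_hits": total,
        "normalizer_hits": norm_hits,
        "normalizer_share": (norm_hits / total) if total else 0.0,
        "flagged": flagged,
        "suspect_split_flows": bool(flagged),
    }


if __name__ == "__main__":
    print(normalizer_summary(SAMPLE_OUTPUT))
```

Feed it the real command output from each sensor; if the flagged list is non-empty on one sensor but not the other, that points at the port-channel hashing sending the two halves of a conversation to different IPS boxes.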