Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
656
Views
0
Helpful
3
Replies

Server Vlan Monitoring through IPS 4260

Jaison Jose
Level 1
Level 1

‎05-25-2010 08:46 PM - edited ‎03-10-2019 01:42 PM

Hi,

I have 2 * 6509s with VSS configured. Recently we have purchased 2 * 4260 IPS to monitor the complete traffic to the Server VLAN (VLAN 10). I did the below steps

Create a new Vlan (Vlan 20)

Clear the Interface Vlan 10 IP address

Configure Interface Vlan 20 with the same Ip Address which was configured on Vlan 10

Configure 1/4/47 and 2/4/47 on Vlan 10 and 1/4/48 and 2/4/48 on Vlan 20

Configure 1/4/47 and 2/4/47 in port channel 10 and 1/4/48 and 2/4/48 in port channel 20 on the 6500 VSS Switches

Configure the IPS in Interface Pair mode between Gi1/0 and 1/1

Connect Gi 1/0 of IPSs in 1/4/47 and 2/4/47

Connect Gi 1/1 of IPSs in 1/4/48 and 2/4/48

The core switches started making some loops and all communication became very slow. Please advise.

Regards,

Jaison

Labels:
0 Helpful
3 Replies 3

rhermes
Level 7
Level 7

‎05-26-2010 08:52 AM

The interface Pari mode should be the correct way to externally connect two VLANs on your 6500 through your 4260.

Are you are setting the 6509 interfaces to trunk for sending the traffic to the IPS? (they should be set to just a plain VLAN member, not a trunk)

How are you connecting the 4260 Gi 1/0 to BOTH 1/4/47 and 2/4/47?

Configure the IPS in Interface Pair  mode between Gi1/0 and 1/1

Connect Gi 1/0 of  IPSs in 1/4/47 and 2/4/47

Connect Gi 1/1 of IPSs  in 1/4/48 and 2/4/48

- Bob

0 Helpful

Jaison Jose
Level 1
Level 1
In response to rhermes

‎05-26-2010 08:23 PM

Hi,

Both IPS are configured inline interface pair mode and all the ports are access ports. To load balance between the IPS I have configure Port Channels  between 1/4/47, 2/4/47 and 1/4/48, 2/4/48.

0 Helpful

Scott Fringer
Cisco Employee
Cisco Employee
In response to Jaison Jose

‎05-27-2010 05:28 AM

Jaison;

  Depending on how the load-balancing is operating, and having the sensors operating in inline mode could cause potential issues due to the functionality provided by the IPS normalizer engine.  This engine attempts to correct traffic that is potentially evading IPS detection (sending traffic out of order, heavily fragmented, etc).  If the single sensor cannot see the entire conversation, the normalizer may begin denying packets for these flows.  You can determine if the normalizer is actively detecting issues by looking for high signature counts for signatures in the range 1300-1399.  The easiest method to see this is to issue "sh stat virt | inc Sig" (this is case sensitive).

Scott

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card