VLAN PAIRS Bypass or failover??

Unanswered Question
Jun 7th, 2010

Hello Experts,

I'm implementing INLINE VLAN PAIRS on two 4260s and a 4270.

I know that the BYPASS is a software failover. But what is going to happen if the hardware fails?

Who is going to do the VLAN re-tagging?

What is going to happen with that traffic?

Is there a way to configure the switch to redirect the traffic if the IPS is DOWN, or a way to do the re-tagging in the switch?

I would really appreciate your comments and suggestions.

rhermes Mon, 06/07/2010 - 10:00

You need to perform the failopen function outside the IPS sensor.

Use an external (to the sensor) switch, create two VLANs, and connect them together via the sensor (each VLAN-to-sensor connection is a trunk with one VLAN in it). Then create a second connection via a patch cable between the two VLANs, give it a higher STP metric, and enable Spanning Tree on these 4 ports. The bypass cable will only carry traffic if the sensor stops passing BPDUs.

- Bob

Diego Armando C... Mon, 06/07/2010 - 10:28

Hi rhermes,

I understood the STP part but not the connections part. I'm using only 1 interface to do the VLAN PAIR; the re-tagging is being done on one interface (and 1 interface on the switch). Where should I connect the 4 ports?

Thank you for your time.

rhermes Mon, 06/07/2010 - 11:31

If you're only using one interface on the sensor, then you only need three switch ports: one trunking both VLANs to the sensor, and one port in each VLAN as a regular (non-trunked) access port, connected together via a patch cable.

- Bob

Diego Armando C... Tue, 06/08/2010 - 10:57

Last question: who is going to do the VLAN re-tagging? Will VLAN 1 be able to talk to VLAN 2?

Panos Kampanakis (Cisco Employee) Tue, 06/08/2010 - 16:58

The sensor knows the VLAN tags, so it will change the VLAN tags when bridging the VLANs.

I hope it makes sense.

rhermes Tue, 06/08/2010 - 22:17

When traffic flows through the IPS sensor, the VLAN pair in the sensor will re-tag the traffic on the trunk port.

When the sensor stops passing layer 2 frames, Spanning Tree Protocol will unblock the failover cable port and allow traffic to pass between VLAN 1 and VLAN 2 untagged (these ports are not trunks).

- Bob
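The switch side of the failopen design Bob describes (one trunk to the sensor, one access port per VLAN patched together at a higher STP cost), written out as an added Catalyst IOS configuration that is not from this thread. The interface names, VLAN IDs 10 and 20 and the cost value are assumed placeholders, and the sensor's own inline VLAN pair configuration is not shown.

```cisco
! Added example (not from the thread): STP-based failopen for an inline VLAN pair.
! Assumed layout: VLAN 10 = outside, VLAN 20 = inside,
! Gi1/0/1 faces the sensor, Gi1/0/2 and Gi1/0/3 are patched to each other.
! Spanning tree must be running for both VLANs (it is enabled by default).
spanning-tree vlan 10,20
!
vlan 10
 name IPS-OUTSIDE
vlan 20
 name IPS-INSIDE
!
! Trunk to the sensor carrying both VLANs. The sensor's VLAN pair
! retags 10 <-> 20 and passes BPDUs, so this is the preferred (lower cost) path.
interface GigabitEthernet1/0/1
 description INLINE-IPS-VLAN-PAIR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! Bypass pair: one access port in each VLAN, joined by a patch cable.
! The higher cost keeps this path blocked while BPDUs still arrive through
! the sensor; when they stop, STP unblocks it and traffic crosses untagged.
interface GigabitEthernet1/0/2
 description FAILOPEN-BYPASS-VLAN10
 switchport mode access
 switchport access vlan 10
 spanning-tree cost 1000
!
interface GigabitEthernet1/0/3
 description FAILOPEN-BYPASS-VLAN20
 switchport mode access
 switchport access vlan 20
 spanning-tree cost 1000
!
! Do not apply portfast, bpdufilter or bpduguard to these three ports:
! the whole failover depends on BPDUs traversing the sensor.
! (Omit "switchport trunk encapsulation dot1q" on platforms that only do 802.1Q.)
```

With the sensor passing traffic, `show spanning-tree vlan 10` should list Gi1/0/2 as blocking/alternate, and shutting the sensor's interface should move it to forwarding. Validate this in a lab first: the thread does not state which STP mode it assumes, and the switch must recognise the BPDUs that come back through the sensor on the other VLAN as its own for the two paths to count as a loop.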
