I have a question, I have a 4270 working with VLAN PAIRs.
In an interface I have the VLAN pair 120-121 and in another interface the same pair 120-121 When I add that pair the IPS gives an error message saying that I already have that VLAN Pair however it allows the creation of the PAIR. I can even see traffic passing through the interfaces.
1 interface has so much traffic however the another one only a few traffic.
I know that I cannot have the same vlan twice in the same interface but I am using 2 different interfaces with the same vlan.
The IPS should be able to handle that right?
I have 2 Nexus doing load balancing, I connected them both to the IPS (1 interface per Nexus) so I can inspect all the traffic.
Please let me know if I am doing the thing wrong.
a. Vlan pair can be thought as IPS on a stick (analogous to router on a stick)
One physical interface and multiple subinterfaces.
Each subinterface is associated with a pair of vlans.
b. On a given physical interface, you cannot associate the same vlan pair on more than one subinterface.
c. You can associate the same vlan pair assigned to a subinterface on a separate physical interface.
Correct, you will see an error message that warns you, that you are using same vlans for multiple interfaces.
But this should be fine. You will he having same Vlans say x & y being bridged on more that one physical interface on the IPS.
d. In terms of load-balancing, understand that IPS will inspect whatever traffic it recieves on the physical interfaces.
Hence if you have 2 physical interfaces say 1 & 2 each having a subinterface 1 and same vlans x & y associated,
then its the job of the Nexus to make sure equal amount traffic actually goes into interface 1 & 2.
So traffic allocation on each ips interface depends on load-balacing done on nexus.
e. Like with every network design issue, always test it before putting it under production, to check for any unexpected issues (for e.g spanning-tree issues due to typical flow of traffic etc).
TAC Security Solutions