I am not sure if this question should be asked on the ids forum or the switching forum. Please let me know if it is the wrong place to be asking.
Could someone perhaps help? It the first time we are configuring this setup so we need some help in configuring the SX interface on a 6500 switch.
We would like to connect our 4250-SX ips sensor (5.1) for inline vlan pair mode to a 6500 catalyst running ios software. The switch has a fiber SC type connection. We would like to find a document that best describes how the interface on the switch should be configured for successful operation for this solution. Can someone point us to this document? We have been told that the port will need to be configured as an 802.1q trunk. Is this correct?
We would also like to filter all unneeded vlans from propagating on to that trunk. What is the best way to do this?
Whether the port is fiber or copper won't really matter much.
The first step is determine between which 2 vlans you will want to do inline vlan pair monitoring.
The most direct solution is to pick one existing vlan, and create one brand new vlan.
Now trunk both of these vlans on the switch port where the sensor is connected:
Here is a basic example configuration for that switch port:
switchport access vlan 1
switchport trunk native vlan 1
switchport trunk allowed vlan 100-101
switchport mode trunk
no ip address
Vlan 100 was the existing vlan, and vlan 101 was the newly created vlan.
The vlan 1 settings were just to ensure the port was set back to the default of vlan 1 for the access vlan; the vlan 1 setting is not used in the vlan pairing and is not in the list of allowed vlans for the trunk port.
NOTE: You will see that the mode must be forced to trunk. Also be aware that depending on the port you may also have to force the trunk type to 802.1q:
"switchport trunk encapsulation dot1q"
Now on the sensor itself you will want to create an inline vlan pair on that SX interface, and pair vlan 100 with vlan 101.
Now remember that vlan 101 was a new vlan and is empty. So right the now the sensor is doing inline monitoring between that empty vlan and the rest of your network. The trick now is to move Some of the ports from the original vlan into that new vlan.
If this is your first time setting this up, then I suggest you try this with a very simple network with 3 pcs that all talk to each other on the same subnet. All 3 pcs would be in the same vlan to begin with. After the steps above are done to create the new vlan and create the inline vlan pair on the sensor, the next step is to move pcs into the other vlan. So for one PC change it's switch port configuration to move just that one PC from the original vlan (100) to the new vlan (101).
Wait a minute for spanning-tree to run.
Now ensure that the PCs from the orginal vlan can communicate to the PC in that new vlan.
NOTE: Both vlans are for the same IP subnet. The sensor does not IP route between the subnets, it just switches or brides packets between the 2 subnets. So the IPs on the PCs do not change as they get moved to the other vlan.
If you run some tests you will see that the sensor will see all traffic between the PC in the new vlan talking to either of the PCs in the original vlan. But you will also find that if the 2 PCs in the original vlan talk to each other, the sensor is unlikely to see that traffic (on occasion it will, but the sensor is just receiving a copy during broadcast and multicast situations).
Typical deployments will have something like a firewall in the original vlan, and the Internal network machines moved to the new vlan. Or if the switch itself is routing, then the switch will have it's ip address on the original vlan, and all of the other machines will be moved to the new vlan.
You also have the option of creating additional inline vlan pairs. To do this just create a new vlan for every original vlan where you want to add inline vlan pair monitoring.
Then just add those vlans to the trunk allowed vlan command and create the pair in the sensor configuration.
So let's say you also wanted to pair vlans 104 and 105 together. Then the command would look like:
switchport trunk allowed vlan 100-101,104-105
Your question about how do you keep the unneeded vlans from propogating is answered by that same command above. The "allowed vlan" list will restrict the trunk to only carrying those vlans listed.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...