Help with inline VLAN Pair and switch configuration
I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.
SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to Sw1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.
I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But, they can't ping when on the separate vlans.
From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.
My IPS is configured with inline VLAN pair 100->200 and associated to vs0.
Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?
Below are my configs for the switches and the IPS.
Re: Help with inline VLAN Pair and switch configuration
It has been awhile since I've dealt with a 2900 switch to I am just trying to guess at what may be wrong with your setup.
I noticed that neither of your trunk port configuration are specifically stating which vlans are allowed on the trunks.
It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which vlans to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which vlans the trunk to the sensor should carry. If I remember right the commmand would be something like:
switchport trunk allowed-vlan 100,200
You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk"
And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.
On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.
You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.
You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.
NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both pcs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...