Cisco Support Community

New Member

IPS 4240 inline pair

Hi All,

Can I use an inline pair on the IPS as a trunk? The IPS is connected to the ASA on one end and to a switch on the other end. I'd like to use an inline pair, but I am not sure if it can pass all VLAN traffic.

thanks

Alex

6 REPLIES
Gold

Re: IPS 4240 inline pair

Yes, they're called in-line VLAN pairs.

New Member

Re: IPS 4240 inline pair

Thanks rhermes,

But on one end there is the ASA with eight subinterfaces for eight VLANs, and on the other end is the switch with a trunk port.

On the IPS, if I configure an inline VLAN pair, it only allows me to bridge two VLANs, not eight VLANs.

If you have any design suggestion for how to connect the IPS between the ASA and the switch with 8 VLANs, that would be very much appreciated.

thanks

Alex

Gold

Re: IPS 4240 inline pair

The in-line mode of the IPS sensors allows you to specify multiple in-line VLAN pairs.

Re: IPS 4240 inline pair

I would suggest using at least 2 physical interfaces on the IPS device for the 8 VLANs you have.

In inline VLAN pair, the IPS interface is doing the VLAN translation.

So, only allow the specific vlans on the trunk port, something like this:-

! first trunk: carries only VLANs 11-14
int f0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 11,12,13,14

! second trunk: carries only VLANs 111-114
int f0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 111,112,113,114

connect f0/10 and f0/20 to different interfaces on the IPS.

On the IPS, create vlan pairs, for vlan 11,12,13,14 and vlans 111,112,113,114.

Hope this helps

New Member

Re: IPS 4240 inline pair

Thanks for your very useful info.

I just found that I can simply connect the IPS between the ASA and the switch and configure an inline physical pair without defining VLAN pairs. In this situation, the IPS inspects all traffic, and the ports on the IPS act like a trunk and don't care about the VLAN ID.

Am I right? I hope I am.

thanks

Alex

Re: IPS 4240 inline pair

Yes, you are right. If it's an inline physical interface pair, then you don't have to care about the VLANs.
