Thank you for your details explanation.

I have one more....regarding redudant pair of Pix-CoreRouter...can I create another inline-interface-pair and put it in different virutal sensor (vs1)? If something goes bad, another standby pair of pix-router will take traffic, and vs1 will inspect traffic in this case. It should not be any problem to implemet that?

Thanks

this is the answer that I am waiting for for last two weeks!! Thanks!

But, regarding the inline interface pair on same trunk interface.....can you help me with this configuration? For example, how can I implement this solution regarding pix-router configuration? I persume that I can create trunk port on a router and connect it to one IPS interface...and to create interafce-vlan-pair...?

We are using 4260 with additional power supply and 4GE NIC card with hardware bypass. I think this is enough to tell a client that it is safe to implement IPS...

Connecting an inline vlan pair to a "router" can cause confusion.

It all depends on what you mean by "router".

===========================================

If you mean "router" in the traditional sense where the device will IP route packets between 2 IP networks, then an inline vlan pair won't work for you.

Let's say for example that you have a router with 2 vlans configured. The router has an IP Address cojnfigured on the first vlan A, and also an IP Address on the second vlan B.

You create a trunk port on the router for the 2 vlans and connect it to the sensor.

In the sensor you then pair vlan A and vlan B.

Traffic will not pass.

The sensor in effect bridges the 2 vlans together. So the 2 vlans are a single IP network. So the router's IP Addresses on the 2 vlans would have to be on the same IP network. Most routers will not allow you to configure 2 interfaces with 2 IP Addresses within the same IP subnet. But even if it did let you, then there would be no reason for the router to ever send packets through the sensor.

Let's say the sensor is connected on Gig0/0 and you have 10.0.0.0 addresses on the 2 vlans of the router being trunked to the sensor on Gig0/0.

You also have the 11.0.0.0 network on router interface Gig1/1, and a 12.0.0. network on router interface Gig1/2.

If a host on the 11.0.0.0 network sends packets to a host on the 12.0.0.0 network then the packets enter Gig1/1 on the router and go out Gig1/2 without ever going through the sensor. The router directly routes the packets and never needs to send them through the sensor.

Only a few occasional broadcast packets may ever get sent through the sensor.

=======================================

Now, however, if you router device can have "virtual routers", then an inline vlan pair on the sensor could be usefull.

Using our example above with a 10.0.0.0 network on the 2 vlans on Gig0/0 connected to the sensor, a 11.0.0.0 network on Gig1/1, and a 12.0.0.0 network on Gig1/2, then you can get the packets to go through the sensor.

Configure 1 virtual router containing an 11.0.0.0 address on Gig1/1, and a 10.0.0.0 address on one of the 2 vlans on Gig0/0 going to the sensor.

Configure a 2nd virtual router containing a separate 10.0.0.0 address on the other of the 2 vlans on Gig0/0 connected to the sensor, and configure a 12.0.0.0 address on Gig1/2.

Now when a 11.0.0.0 host tries to send packets to a 12.0.0.0 host, the packet comes in on Gig1/1 but the router can not directly send the packet out of Gig1/2 because Gig1/1 and Gig1/2 are in separate virtual routers.

Instead because of it's routing tables (either through static routes, rip, eigrp, etc...) the first virtual router knows to send the packet out of it's vlan interface on Gig0/0 to the sensor.

The sensor monitors it and then sends it back on the other vlan of the inline vlan pair.

So it goes back to the router on Gig0/0 but this time on the other vlan that is part of the 2nd virtual router. And the 2nd virtual router sends it on to the end host.

The same then happens in reverse for packets from 12.0.0.0 hosts to 11.0.0.0 hosts.

So it is possible with 2 virtual routers.

BUT this is very confusing for most users, and is very rarely done in the field.

=====================================

HOWEVER, SEE THE NEXT POST FOR WHAT I THINK YOU MAY REALLY BE ASKING FOR.

What I think you are really asking about is not a "router" in the traditional sense, but instead a "hybrid" device that can do both routing AND switching. This is most of Cisco's catalyst switches as well Cisco's 7600 Router. It also works on many of Cisco's ISR Routers when running with a switchport card.

The inline vlan pairs were designed to work with switches, and so if you are talking about a "hybrid" device, then the sensor's inline vlan pair fucntionality should work well with the switching functionalit of the "hybrid" device.

In your scenario you would simply connect the "inside" interface of the Pix to a vlan A of the "hybrid" device.

Do NOT assign an IP Address in the "hybrid" device to vlan A.

So vlan A is solely an L2 Vlan on the "hybrid" device.

You then create a trunk port to the sensor that trunks both vlan A and vlan B.

On the sensor you create an inline vlan pair that pairs vlan A and vlan B.

And then on the "hybrid" device you now assign an IP Address to vlan B.

So vlan B is an L3 Vlan that the "hybrid" device can both switch and route on.

That IP Address on vlan B MUST be on the same IP Subnet as the "inside" interface of the Pix.

So both vlan A and vlan B are for the same single IP subnet, and the Pix has an address in that subnet and is connected in on vlan A while the "hybrid" device also has an address in that same subnet but os on vlan B. The sensor pairs the 2 vlans making the 2 vlans work as a single IP subnet.

As for configuration simply configure the "hybrid" device connected to the sensor as a trunk port forced to dot1q and always on (no negotiation).

In the sensor run through the "setup" command and choose the option under interface configuration to create an inline vlan pair (NOT an inline interface pair). Make up a number for the subinterface (each vlan pair is considered a subinterface) and assign vlan A and vlan B. Once created then modify virtual sensor vs0 and add in the inline vlan pair subinterface to the virtual sensor.

But understand that hardware bypass NICs will NOT do hardware bypass when using inline vlan pairs. Hardware bypass functionality only works when using inline vlan pairs.

The hardware bypass NICs CAN be configured and work for inline vlan pairs, and you still get Software ByPass for those pairs. It is just hardware bypass that won't work because it takes software to rewrite the vlan headers on the trunk port.

Hi,

Currently I am trying to set up an architecture including an IPS 4255, two ASA 5510 (in active/standby config) a layer3 switch (3560) and an internet router (2801). The aim is so setup 2 DMZ interfaces on the ASA and put the IPS in inline mode to scan the traffic from outside to inside, traffic between the 2 DMZ's and traffic between the DMZ's and inside.

What I did so far is to define vlans for each separate DMZ on the switch (layer 2) and configured subinterfaces on the ASA to create the DMZ and inside interfaces. The corresponding vlans are also defined on these subinterfaces. So far everything works fine. Now I want to place the IPS in inline mode using inline vlan pairs. However, it is not clear to me how the bridging will work. The ASA is connected through a trunk port to the switch and routing between the vlan's is done by the ASA. How can I connect the IPS so that the traffic between the vlans can be seen by the IPS?

My second question is how to intercept the traffic between the internet router and the outside interface of the ASA. Both will use the same IP subnet so creating different vlans in the same IP subnet is confusing.

My third question is about the inside interface. As explained above, the inside interface is also a subinterface on the ASA marked with a vlan. (I can change this ofcourse and use a dedicated interface for the inside on the ASA). Normally the inside interface would be connected to an inside switch. However, when I do that I am confused about how to scan that traffic with the IPS. Do you have any ideas on how to achieve this?

Thanks in advance.

Thanks in advance for the reply.

Hello,

I have a problem that i do not know how to handle. I have 100 Vlans and I would like to use the IPS to inspect traffic between these VLANS. I have 2 questions.

1)  In a Vlan pair only 2 vlans are paired so the traffic between this VLANS will be inspected. How can I inspect the traffic for example when vlan 15 comunicates with vlan 20, 50, 30, 80 etc...?

2) I know that the comunication between the Switch and the IPS should be through a Trunk port. What else do I have to configure in the L3switch?

I would really appreciate the help