IPS 6, VLAN group in inline mode

mlopacinski
Level 1

Hello

Could anybody explain to me why I can not launch a VLAN group in inline mode with the IDSM-2 card?

I have an appliance (4235) and I could plug it between switches (on trunks) and use VLAN groups to make a fully virtualised IPS. Why can I not do the same with the IDSM-2 card?

Is it true that on the IDSM-2 card in inline mode I can only inspect traffic from one specified VLAN to another? (I can not inspect traffic within a VLAN and I can not use more than 4 virtual sensors, because I have only 8 ports available and each port can only inspect traffic between two specified VLANs?)

Thanks

2 Replies

marcabal
Cisco Employee

Q: Could anybody explain to me why I can not launch a VLAN group in inline mode with the IDSM-2 card?

I have an appliance (4235) and I could plug it between switches (on trunks) and use VLAN groups to make a fully virtualised IPS. Why can I not do the same with the IDSM-2 card?

A: When plugging an appliance between 2 switches, the appliance uses InLine Interface Pair mode. Notice that I don't just call it InLine, but instead InLine Interface Pair mode. This is because there are 2 modes the appliances can run in for InLine monitoring. They run in InLine Interface Pair mode as well as InLine Vlan Pair mode.

With InLine Interface Pair mode you pair 2 physical interfaces. When in this mode any traffic received on the first interface will be analyzed and transmitted on the second interface (assuming it was not an attack denied by the sensor). Similarly, packets received on the second will be analyzed and transmitted on the first interface. The sensor does not change the vlan headers of the packets as they pass through the sensor. So the sensor can be connected between 2 switches on trunk ports, and then you can separate the vlans into 4 groups for monitoring by 4 different virtual sensors.

BUT this connecting of 2 trunk ports will ONLY work if the InLine Interface Pair connects 2 separate devices. If you plug both interfaces into the same switch, then the ports can NOT be trunk ports, and must instead be access ports. If both ports belong to the same vlan (or the same set of vlans on both trunk ports), then the switch detects that it is just a loop back into itself. Using spanning-tree, the switch knows that any packet sent out one interface will come back to the switch on the second interface on the SAME vlan. This is a packet loop that spanning-tree will detect, and so spanning-tree intentionally blocks one of the interfaces, and the intended traffic will never be sent to the sensor. When the packets enter the switch they can be sent directly to the destination without having to go through the sensor.

The only way to get InLine Interface Pairing to work when both interfaces are connected to the same switch is to use access ports on the switch. Each interface belongs to a different vlan. Traffic from vlan A will be sent in one interface and come back from the other interface into vlan B. This is not a packet loop, as the packets come back in on a different vlan. This works just fine, but as you can see you are only monitoring traffic from one vlan to another. And in fact in this type of deployment the packets are not 802.1q tagged and the sensor does not even know they are from a vlan.

So with InLine Interface Pairs connecting 2 access ports on the same switch the Vlan Group feature does not work, since none of the packets are 802.1q tagged. InLine Interface Pairs separating traffic by Vlan Groups will ONLY work if the sensor is between 2 devices.

The IDSM-2 InLine Interface Pair feature is limited to being within the one device (the Cat 6k it is installed in) and can not be deployed between devices. So it can not make use of Vlan Groups. Appliances can be deployed between 2 switches, so they can make use of Vlan Groups where an IDSM-2 can not.

HOWEVER, remember that I said that there are 2 types of InLine modes. The second type is InLine Vlan Pair. Instead of using 2 interfaces for the pair, you pair 2 vlans on a single interface. You take a single interface and plug it into the switch. You make that port a trunk port carrying at least 2 vlans. And in the IPS configuration you pair 2 vlans together. Traffic coming in on vlan A goes out on vlan B and vice versa. This is similar to an InLine Interface Pair with one interface plugged into a vlan A access port and the second interface plugged into a vlan B access port, but instead of using 2 interfaces you can do it with a single interface configured as a trunk port for both vlans. In addition the sensor allows up to 255 InLine Vlan Pairs on each interface. That means with the IDSM-2, which has 2 monitoring interfaces (gig0/7 data-port 1, and gig0/8 data-port 2), you could have 510 InLine Vlan Pairs on the IDSM-2.

So you can not have Vlan Groups on an InLine Interface Pair in an IDSM-2, but instead you can have 510 InLine Vlan Pairs on an IDSM-2 and spread those InLine Vlan Pairs across the 4 virtual sensors.

NOTE: InLine Vlan Pairing works with Cat OS, but if running Native IOS on the switch it requires 12.2(18)SXF4 or later version on the 12.2SX train. InLine Vlan Pairing is not currently supported on the 12.2SR train for Native IOS.

Q: Is it true that on the IDSM-2 card in inline mode I can only inspect traffic from one specified VLAN to another? (I can not inspect traffic within a VLAN and I can not use more than 4 virtual sensors, because I have only 8 ports available and each port can only inspect traffic between two specified VLANs?)

A: For InLine Vlan Pair mode (and InLine Interface Pair mode) the IDSM-2 can only inspect packets that get passed between 2 vlans. You can not InLine monitor packets between 2 machines within the same vlan.

Appliances have a similar limitation in that they can not do InLine monitoring between 2 machines within the same vlan within the same switch. (The "within the same switch" is implied with the IDSM-2 because the IDSM-2 itself is inside the switch.)

With Promiscuous mode using Span or Vacl Capture, the IDSM-2 and Appliances are able to monitor traffic between 2 machines in the same vlan.

The 4 virtual sensor limit, however, is a completely separate limitation. The 4 virtual sensor limit is a limit on the amount of memory available in the IDSM-2, and is independent of what type of monitoring or how many interfaces the sensor has.

And by the way, the IDSM-2 only has 2 interfaces for monitoring (0/7 and 0/8). Interfaces 0/1 through 0/6 can NOT be used for monitoring. Interfaces 0/3-0/6 are not hooked up. The IDSM-2 is based off a common hardware architecture used for other service modules. Other service modules make use of ports 0/3-0/6, but the IDSM-2 does not.
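The InLine Vlan Pair deployment described in the reply above, written out as an added configuration example (this is not part of the original thread and not Cisco's reference configuration). It assumes an IDSM-2 in slot 5 of a Catalyst 6500 running native IOS, constructed VLAN IDs 10/11 and 20/21, the sensor's default prompt "sensor", and IPS 6.x CLI syntax; the switch-side commands need 12.2(18)SXF4 or later on the 12.2SX train, as the reply notes. Two vlan pairs are created on GigabitEthernet0/7 (data-port 1) and spread across two virtual sensors; lines beginning with "!" are annotations, not commands the sensor accepts.

```cisco
! ===== Catalyst 6500 (native IOS), IDSM-2 assumed in slot 5 =====
! Each pair needs two VLANs: hosts sit in one, the gateway/uplink in the other,
! so every packet crossing the pair has to pass through the sensor.
vlan 10
 name pairA-inside
vlan 11
 name pairA-outside
vlan 20
 name pairB-inside
vlan 21
 name pairB-outside
! data-port 1 is the sensor's GigabitEthernet0/7. Make it a trunk that carries
! only the VLANs being paired; "autostate include" keeps the SVIs up based on
! this port. (Inline Interface Pair mode would instead use
! "data-port 1 access-vlan 10" on one port and "data-port 2 access-vlan 11"
! on the other, i.e. the two-access-port case from the reply.)
intrusion-detection module 5 data-port 1 trunk allowed-vlan 10,11,20,21
intrusion-detection module 5 data-port 1 autostate include
! Verify what the switch thinks is trunked to the module:
show intrusion-detection module 5 data-port 1 trunk

! ===== IDSM-2 sensor side (IPS 6.x CLI) =====
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
! Switch the interface from the default (no subinterfaces) to inline-vlan-pair.
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description pair A: vlan 10 <-> vlan 11
sensor(config-int-phy-inl-sub)# vlan1 10
sensor(config-int-phy-inl-sub)# vlan2 11
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 2
sensor(config-int-phy-inl-sub)# description pair B: vlan 20 <-> vlan 21
sensor(config-int-phy-inl-sub)# vlan1 20
sensor(config-int-phy-inl-sub)# vlan2 21
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes

! Assign each pair (subinterface) to its own virtual sensor. vs0 always exists;
! vs1 is created here and inherits the default sig0/rules0/ad0 policies.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# description pair B on its own virtual sensor
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 2
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit

! Confirm the subinterfaces are up and owned by the expected virtual sensors.
sensor# show interfaces
sensor# show statistics virtual-sensor
```

Two things to check after applying this. First, a VLAN ID may belong to only one pair on a given interface; reusing vlan 10 in a second subinterface on GigabitEthernet0/7 is rejected. Second, because the switch forwards inside a VLAN without involving the module, a host in vlan 10 talking to another host in vlan 10 is never inspected, exactly as the reply states; only traffic that has to cross from vlan 10 to vlan 11 (or 20 to 21) goes through the sensor. Putting the second pair on GigabitEthernet0/8 (data-port 2) instead of a second subinterface on 0/7 works the same way, with its own trunk statement on the switch.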
