<p>Is it possible to connect IPS in inline VLAN pair as shown in the figure, considering redundancy? If possible, how should I connect it physically? If not, please give me an alternate solution. Thanks in advance.</p>
Inline Vlan Pairs are a pair of vlans on a single interface of the sensor. You can NOT "pair" vlans across 2 or more interfaces of the sensor.
Now you CAN pair 2 interfaces of the sensor to create an Inline Interface Pair. And that Inline Interface Pair can be connected to trunk ports from 2 devices. The vlan traffic will pass through the sensor between the devices. The vlan will NOT be modified as it passes through the sensor. The sensor in effect ignores the vlan header as it analyzes the underlying packet.
This is different from Inline Vlan Pairs because in Inline Vlan Pairs the vlan header is rewritten to send the packet back out on a different vlan.
So what would be the alternate solution?
If you want to use Inline Vlan Pairs, then connect your 2811 routers directly up to your switches (each router connected to both switches).
Your 4240s should each be connected to both switches.
Let's assume that the Routers will be trunked to the switches and routing between 3 vlans: 10,11 and 12.
The switches should correspondingly have vlans 10,11, and 12 carried over a trunk port to each router.
BUT no other machines should be connected to vlans 10,11, or 12.
Instead create vlans 110,111, and 112.
All other machines that would have originally been on vlans 10, 11, and 12; should now instead be on 110, 111, and 112.
On each sensor interface you create 2 inline vlan pairs:
pair1: 10, 110
pair2: 11, 111
pair3: 12, 112
(NOTE: Each sensor winds up with 6 pairs, 3 pairs for each switch connection).
Now tweak spanning tree so that spanning tree always favors the interfaces going to the left sensor. (BOTH switches have to prefer the left sensor.)
This way the right sensor only sees traffic if the left sensor goes down.
Another method would be to use Inline Interface Pairs instead of Inline Vlan Pairs.
In this method you would create 2 Inline Interface Pairs on each sensor.
One pair will connect the left 2811 and left switch, and the other pair will connect the right 2811 with the right switch. (the same is done for both sensors).
Regardless of which method above you choose to use, you will need to configure the virtual sensor to use "inline-TCP-session-tracking-mode vlan-only".
When dealing with inline vlan pairs here are some basic things to keep in mind:
1) A single interface can have up to around 250 inline vlan pairs.
2) The maximum number of vlan pairs for a sensor would be around 250 times the number of monitoring interfaces. So an IPS-4240 with 4 monitoring interfaces could have around 1,000 inline vlan pairs. (Of course I don't recommend trying to actually use that many.)
3) Adding inline vlan pairs does NOT increase the total performance capability of the sensor. The sensor's performance is independent of the number of inline vlan pairs. It is the aggregate of traffic across all of the inline vlan pairs that must fit within the sensor's performance capability.
4) Most sensors only support 4 virtual sensors (some lower end sensors only support a single virtual sensor). So no matter how many inline vlan pairs you have, you can only separate them across these 4 virtual sensors. Which usually means you have to monitor multiple inline vlan pairs in a single virtual sensor.
5) A vlan can belong to only 1 inline vlan pair PER INTERFACE. So if on Ge0/0 you paired vlan 10 with vlan 11, then you can NOT create a vlan 10 and vlan 12 pair on the SAME Ge0/0. BUT you can create a vlan 10 and vlan 11 pair (or a vlan 10 and vlan 12 pair) on another interface Ge0/1.
So a vlan can belong to only 1 pair per interface. But it can be paired with the same vlan on another interface, or paired with a different vlan on another interface.
In my examples from before you would create 3 pairs of vlans on one interface connected to the left switch, and then create the SAME 3 pairs for the interface connected to the right switch.
6) If you will be creating the same vlan pairs on multiple interfaces, then you want to be sure to use the same subinterface numbers for the pairs on the 2 interfaces.
So if vlan pair 10 and 110 is subinterface 2 on Ge0/0, it should also be subinterface 2 on Ge0/1.
7) If you will be monitoring multiple inline vlan pairs in the same virtual sensor, then it is best to set the inline-TCP-session-tracking mode to vlan-only. The sensor will combine traffic from vlan pair 10 and 110 from Ge0/0 with the same vlan pair 10 and 110 from Ge0/1 when monitoring TCP connections, but will not try to mix in traffic from other pairs like vlan pair 11 and 111.
This is necessary because in many cases you might wind up with a client on vlan 110 trying to talk with a server on vlan 111. The client traffic comes in vlan 110, gets monitored by the sensor, and gets paired with vlan 10 to go out to the router. It then comes back from the router on vlan 11, gets monitored by the sensor again, and gets paired with vlan 111 to go out to the server. And vice versa for server response traffic.
With the default inline-TCP-session-tracking mode the sensor will try to combine the traffic from the 2 inline vlan pairs. The sensor winds up seeing the same packet twice (once in each pair), and if it tries to combine these duplicate packets into its view of a single TCP connection, the sensor winds up getting confused. Because though it is the same packet as far as content, the packet header gets modified by the router. These changes in the packet header are what cause the sensor confusion and can look like an attack.
So by setting inline-TCP-session-tracking mode to vlan-only (instead of the default), the sensor now treats this single TCP connection as if it were 2 connections. It tracks one of them on vlan 10 and 110 pair, and treats it as a second connection on the vlan 11 and 111 pair. This avoids the confusion, and the sensor is able to properly track and monitor the traffic.
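The following sensor configuration is an added example written for this thread, not part of the original post. It puts the inline vlan pair design above into sensor CLI form: the same three pairs (10/110, 11/111, 12/112) on the interface facing the left switch and, with the same subinterface numbers, on the interface facing the right switch, all assigned to one virtual sensor with inline-TCP-session-tracking-mode set to vlan-only. It assumes an IPS-4240 with GigabitEthernet0/0 trunked to the left switch and GigabitEthernet0/1 to the right switch, the default virtual sensor name vs0, and the CLI syntax of the Cisco IPS 5.x/6.x sensor software; prompts, subinterface numbers and descriptions are illustrative, so check them against the CLI guide for the version actually running on the sensor.

```cisco
! Added example; not from the original thread. Interface names, subinterface
! numbers and vs0 are assumptions. Lines starting with "!" are annotations.
sensor# configure terminal
sensor(config)# service interface
! --- Interface to the LEFT switch: three inline vlan pairs ---
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description pair 10-110 (router side 10, hosts 110)
sensor(config-int-phy-inl-sub)# vlan1 10
sensor(config-int-phy-inl-sub)# vlan2 110
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 2
sensor(config-int-phy-inl-sub)# description pair 11-111
sensor(config-int-phy-inl-sub)# vlan1 11
sensor(config-int-phy-inl-sub)# vlan2 111
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 3
sensor(config-int-phy-inl-sub)# description pair 12-112
sensor(config-int-phy-inl-sub)# vlan1 12
sensor(config-int-phy-inl-sub)# vlan2 112
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
! --- Interface to the RIGHT switch: the SAME pairs with the SAME subinterface
! numbers (item 6 above). A vlan may appear in only one pair per interface,
! so 10 can pair with 110 here because this is a different interface.
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description pair 10-110
sensor(config-int-phy-inl-sub)# vlan1 10
sensor(config-int-phy-inl-sub)# vlan2 110
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 2
sensor(config-int-phy-inl-sub)# description pair 11-111
sensor(config-int-phy-inl-sub)# vlan1 11
sensor(config-int-phy-inl-sub)# vlan2 111
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# subinterface 3
sensor(config-int-phy-inl-sub)# description pair 12-112
sensor(config-int-phy-inl-sub)# vlan1 12
sensor(config-int-phy-inl-sub)# vlan2 112
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
! --- Virtual sensor: all six pairs in vs0, tracked per vlan pair so the same
! TCP connection seen in pair 10/110 and again in pair 11/111 (after the
! router rewrote its headers) is treated as two connections, not one.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# inline-TCP-session-tracking-mode vlan-only
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 1
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 2
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 3
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1 subinterface-number 1
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1 subinterface-number 2
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1 subinterface-number 3
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! Verify the pairs and their vlans before cutting traffic over
sensor# show interfaces
```

The switch-side half of the design is unchanged from the post: each switch carries vlans 10, 11, 12, 110, 111 and 112 on the trunk to the sensor, only the router trunk carries 10, 11 and 12, and spanning tree on both switches is weighted so the path through the left sensor is preferred. After applying, `show interfaces` on each sensor should list the three subinterfaces under both GigabitEthernet0/0 and GigabitEthernet0/1; a vlan that was accidentally left in two pairs on the same interface is rejected when the changes are applied, which is the check to watch for.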