Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

IPS inline interface port & Switch trunk port

Hello ,

Is it possible to configure the IPS like the topology below ? SW1's and SW2's connection ports to the IPS is in trunk mode. I would like to configure the IPS in inline interface pairing mode. ( not vlan pairing mode )

SW1-----------IPS-----------SW2

Kind Regards.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IPS inline interface port & Switch trunk port

Yes, this method is fully supported.

If you want to monitor all of the vlans with a single virtual sensor, then assign the inline interface pair to the virtual sensor.

If you want to monitor vlans with different virtual sensors, then we support vlan groups on this inline interface pair.

Don't confuse "inline vlan pairs" with "inline vlan groups on an inline interface pair"

The "inline vlan pair" will pair 2 vlans on the same interface. When a packet comes into the sensor it will be sent back out the same interface with it's vlan header changed.

The "vlan groups" on an inline interface pair do NOT change vlan headers.

They are just used for grouping vlans together so that the group of vlans can then be assigned to a specific virtual sensor.

So you might take one group of vlans for your employees desktop network and assign them to vs0, and take a second group of vlans for your DMZ and assign them to vs1.

You can place a single vlan within each vlan group, or you can place multiple vlans within each vlan group.

But it really only makes sense to have 4 vlan groups because you only have 4 virtual sensors on most devices (some like the 4215 only have 1 virutal sensor so you can't do vlan groups on the 4215).

I would also recommend you modify your virtual sensor and set the Inline TCP Session Tracking mode to "Interface and Vlan". This way the sensor will separately monitor connections on each vlan. This is necessary if a router may route traffic between multiple vlans. Without this setting the sensor will become confused if it sees the same connection on multiple vlans.

7 REPLIES
Cisco Employee

Re: IPS inline interface port & Switch trunk port

Yes, this method is fully supported.

If you want to monitor all of the vlans with a single virtual sensor, then assign the inline interface pair to the virtual sensor.

If you want to monitor vlans with different virtual sensors, then we support vlan groups on this inline interface pair.

Don't confuse "inline vlan pairs" with "inline vlan groups on an inline interface pair"

The "inline vlan pair" will pair 2 vlans on the same interface. When a packet comes into the sensor it will be sent back out the same interface with it's vlan header changed.

The "vlan groups" on an inline interface pair do NOT change vlan headers.

They are just used for grouping vlans together so that the group of vlans can then be assigned to a specific virtual sensor.

So you might take one group of vlans for your employees desktop network and assign them to vs0, and take a second group of vlans for your DMZ and assign them to vs1.

You can place a single vlan within each vlan group, or you can place multiple vlans within each vlan group.

But it really only makes sense to have 4 vlan groups because you only have 4 virtual sensors on most devices (some like the 4215 only have 1 virutal sensor so you can't do vlan groups on the 4215).

I would also recommend you modify your virtual sensor and set the Inline TCP Session Tracking mode to "Interface and Vlan". This way the sensor will separately monitor connections on each vlan. This is necessary if a router may route traffic between multiple vlans. Without this setting the sensor will become confused if it sees the same connection on multiple vlans.

Community Member

Re: IPS inline interface port & Switch trunk port

Thank you very much for this informational message. Kind Regards...

Community Member

Re: IPS inline interface port & Switch trunk port

We have an IPS-4260 that was are doing testing with. Right now we have an inline pair which sits between a switch (2960) and router (2811).

In our testing, if we try a ping sweep from our production vlan into this test environment, no event shows up in event monitor. However, if I run a ping sweep from another VLAN on our production network, that triggers an event. Also, we have a host inside our test environment. If i do a ping sweep from that host into and network on our production network, that triggers an event on the IPS.

I changed the "Inline TCP Session" from virtual sensor to interface and vlan", and that did not make a difference.

Community Member

Re: IPS inline interface port & Switch trunk port

Question regarding the above.

If the link described above includes a native vlan that is allowed to trunk, will the "default vlan" setting need to be modified on the IPS? Also, will the alerts generated in this configuration allow the analyst to see vlan tags in the events.

My desire would be to use inline interface pairing mode and not vlan groups. Many thanks.

Cisco Employee

Re: IPS inline interface port & Switch trunk port

If you intend to monitor all vlans on the trunk using a single virtual sensor, then you do Not need to modify the "default-vlan" setting of the ports.

If, on the other hand, you intend to monitor some vlans in a different virtual sensor then you will be subdiving the inline interface pair into vlan groups.

When you use vlan groups, then it is a good idea to go ahead and configure the "default-vlan" setting. This way that vlan number of your "default-vlan" can then be specifically configured into a group.

By default the "default-vlan" setting is set to Zero. The Zero vlan can not be placed in a vlan group, so to put it into a vlan group you need real vlan number set as the "default-vlan".

Since you won't be using vlan groups, then you can just leave "defaul-vlan" set to the default Zero.

As for the alerts, if a packet has an 802.1q header then any alerts triggered by the packet will contain the same vlan number as the packet. This is done regardless of whether or not vlan groups are being used.

If a packet does NOT have an 802.1q header (because they are on the Native Vlan), then the alert will contain Zero as the vlan number.

Alerts that are from multiple packets or trigger from lack of packets (like flood sigs or anomaly sigs), then the alert will contain Zero as the vlan number.

Community Member

Re: IPS inline interface port & Switch trunk port

Thank you very much for your response above.

Does modifying the 'default vlan' setting on an interface allow you to have the native vlan number appear in any alerts fired on that interface.

In this case we know the native vlan number, and then modify the default vlan setting, so that any untagged frames' "vlan field" now contains that specified number?

Cisco Employee

Re: IPS inline interface port & Switch trunk port

It was supposed to, but seomtimes had problems.

Here is some of what I remember:

If you used a "default-vlan" added that vlan into a vlan group and added the vlan group to a virtual sensor, then it would show up in alerts.

If you used a "default-vlan" but did not use vlan-groups, then it sometimes would and sometimes would not show up in the alert.

I think that you may have had to configure the default-vlan on the 2 interfaces before combining them into an InLine Pair to get it to work right.

1095
Views
5
Helpful
7
Replies
CreatePlease to create content