Switch config for Inline Interface Pair

engineer467
Level 1

Hello all

I am having a doubt here, so I need your help.

I want to configure an IPS in inline interface mode. What I have is

internet rtr ----> switch ----> outside interface of ASA

Here, I want to monitor/inspect the traffic coming from the internet.

I am planning to connect the inline interfaces to the same switch.

What I am not sure of is: what will the switchport configuration for the inline interface pair be?

Also, how will the switch forward traffic to the IPS, and then from the IPS to the ASA?

Thanks in advance

..Abhi

5 Replies

engineer467
Level 1

One more thing: there are no VLANs configured on the switch. Everything is in VLAN 1 by default.

rhermes
Level 7

What are you using for an IPS: an appliance? An IOS IPS in the Internet router or the ASA?

If you want to feed the output of your IPS into the same switch as the input, you'll need to create two separate VLANs: one for the switch interfaces that are outside your IPS and the other for the interfaces that are inside your IPS.

interface Gi0/1
 ! outside side of the sensor: same VLAN as the port toward the Internet router
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface Gi0/5
 ! inside side of the sensor: same VLAN as the port toward the ASA
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface vlan 10
!
interface vlan 20

- Bob

Thank you so much for the reply, Bob.

I am using an IPS appliance here.

So both interfaces of the inline pair will be in different VLANs.

As I understand it now, traffic enters from the internet to the switch on a port configured in VLAN 1 (default).

The default gateway on the switch has to be the virtual interface IP of the inside of my IPS?

Please correct me if I am wrong.

Your IPS appliance will bridge the traffic between the two VLANs.

Assign your VLAN ports like this:

VLAN 10
  - internet connection
  - outside interface of IPS sensor

VLAN 20
  - inside connection to your network
  - inside interface of your IPS sensor

PLEASE put your sensor on the inside of your firewall.

- Bob
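As an added check (example code written for this thread, not Cisco's and not from any poster above), the script below applies Bob's two-VLAN model from his two replies to a switch running-config and flags the wiring mistakes that quietly take an inline sensor out of the path: both pair ports landing in one VLAN, a port left in trunk/DTP mode, or IP addresses on both SVIs so that an L3 switch can route between the VLANs without the frame ever crossing the sensor. The sample config, the port numbers and the port-to-role mapping (Gi0/1 Internet router, Gi0/2 IPS outside, Gi0/5 IPS inside, Gi0/6 ASA outside) are constructed for the example.

```python
"""Check the switch side of an inline IPS pair against the two-VLAN model:
VLAN 10 = Internet router port + IPS outside port, VLAN 20 = IPS inside port +
port toward the ASA. Flags the mistakes that silently bypass the sensor:
pair ports in one VLAN, trunk/DTP left on, or routed SVIs on both VLANs."""

# Constructed sample running-config; the port-to-role mapping is an
# assumption for this example, not something taken from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description IPS outside (inline pair side A)
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/5
 description IPS inside (inline pair side B)
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/6
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface Vlan10
!
interface Vlan20
!
"""
# Variant 1: IPS inside port (and ASA port) moved into VLAN 10 -> sensor bypassed.
BAD_PAIR_CONFIG = SAMPLE_CONFIG.replace("access vlan 20", "access vlan 10")
# Variant 2: IP addresses on both SVIs -> an L3 switch can route around the sensor.
ROUTED_SVI_CONFIG = (SAMPLE_CONFIG
    .replace("interface Vlan10\n", "interface Vlan10\n ip address 192.0.2.1 255.255.255.0\n")
    .replace("interface Vlan20\n", "interface Vlan20\n ip address 198.51.100.1 255.255.255.0\n"))


def parse_interfaces(config):
    """Map interface name -> {vlan, mode, nonegotiate, ip} from IOS-style config text."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            ifaces[cur] = {"vlan": None, "mode": None, "nonegotiate": False, "ip": False}
        elif line.startswith(" ") and cur:
            cmd = line.strip()
            if cmd.startswith("switchport access vlan "):
                ifaces[cur]["vlan"] = int(cmd.split()[-1])
            elif cmd.startswith("switchport mode "):
                ifaces[cur]["mode"] = cmd.split()[-1]
            elif cmd == "switchport nonegotiate":
                ifaces[cur]["nonegotiate"] = True
            elif cmd.startswith("ip address "):
                ifaces[cur]["ip"] = True
        else:
            cur = None  # '!' or any other top-level line ends the block
    return ifaces


def check_inline_pair(config, outside_port, inside_port, upstream_port, downstream_port):
    """Return a list of problems; an empty list means the wiring matches the model."""
    ifaces = parse_interfaces(config)
    roles = {"upstream": upstream_port, "IPS outside": outside_port,
             "IPS inside": inside_port, "downstream": downstream_port}
    problems = []
    for role, port in roles.items():
        i = ifaces.get(port)
        if i is None or i["vlan"] is None:
            problems.append(f"{role} port {port}: missing or has no access VLAN")
            continue
        if i["mode"] != "access":
            problems.append(f"{role} port {port}: not 'switchport mode access' (mode={i['mode']})")
        if not i["nonegotiate"]:
            problems.append(f"{role} port {port}: DTP still enabled, add 'switchport nonegotiate'")
    if any(ifaces.get(p) is None or ifaces[p]["vlan"] is None for p in roles.values()):
        return problems  # the VLAN comparisons below need every port placed
    v_out, v_in = ifaces[outside_port]["vlan"], ifaces[inside_port]["vlan"]
    if v_out == v_in:
        problems.append(f"inline pair in the same VLAN {v_out}: switch forwards around the sensor")
    if ifaces[upstream_port]["vlan"] != v_out:
        problems.append(f"upstream port is in VLAN {ifaces[upstream_port]['vlan']}, IPS outside in {v_out}")
    if ifaces[downstream_port]["vlan"] != v_in:
        problems.append(f"downstream port is in VLAN {ifaces[downstream_port]['vlan']}, IPS inside in {v_in}")
    routed = {int(n[4:]) for n, i in ifaces.items() if n.lower().startswith("vlan") and i["ip"]}
    if v_out in routed and v_in in routed:
        problems.append(f"routed SVIs on both VLAN {v_out} and VLAN {v_in}: L3 switch can route around the sensor")
    return problems


if __name__ == "__main__":
    PORTS = ("GigabitEthernet0/2", "GigabitEthernet0/5", "GigabitEthernet0/1", "GigabitEthernet0/6")
    for name, cfg in (("good", SAMPLE_CONFIG), ("same-vlan", BAD_PAIR_CONFIG), ("routed-svi", ROUTED_SVI_CONFIG)):
        print(name, check_inline_pair(cfg, *PORTS) or "OK")
```

Feed it the output of `show running-config` and the four port names; the "same VLAN" case is the one to watch for when, as in the original question, everything still sits in VLAN 1, because the switch then forwards Internet-router-to-ASA frames directly and the sensor sees nothing.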

Naveen Kumar
Level 4

Hello Abhishek,

Just to add to this, the Cisco Intrusion Prevention System interfaces configuration guide:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_interfaces.html#wp1031719
