Cisco Support Community
New Member

Switch config for Inline Interface Pair

Hello all

I am having a doubt here, so I need your help.

I want to configure an IPS in inline interface mode. What I have is

internet rtr---->Switch----->outside intrface of ASA

Here, I want to monitor/inspect the traffic coming from the internet.

I am planning to connect the inline interfaces to the same switch.

What I am not sure about is what the switchport configuration for the inline interface pair will be.

Also, how will the switch forward traffic to the IPS, and then from the IPS to the ASA?

Thanks in advance

..Abhi

  • Intrusion Prevention Systems/IDS
5 REPLIES
New Member

Switch config for Inline Interface Pair

One more thing, there are no VLANs configured on the switch. Everything is in vlan1 by default.

Gold

Switch config for Inline Interface Pair

What are you using for an IPS: an appliance, an IOS IPS in the Internet router, or the ASA?

If you want to feed the output of your IPS into the same switch as the input, you'll need to create two separate VLANs, one for the switch interfaces that are outside your IPS and the other for the interfaces that are inside your IPS.

! port on the outside (Internet-facing) side of the IPS
interface Gi0/1
  switchport access vlan 10
  switchport mode access
  switchport nonegotiate
!
! port on the inside side of the IPS
interface Gi0/5
  switchport access vlan 20
  switchport mode access
  switchport nonegotiate
!
interface vlan 10
interface vlan 20

- Bob

New Member

Switch config for Inline Interface Pair

Thank you so much for the reply Bob

I am using an IPS appliance here.

So both the interfaces of the inline pair will be in different vlans.

As I understand it now, traffic enters from the Internet to the switch on a port configured in VLAN 1 (default).

The default gateway on the switch has to be the virtual interface IP of the inside of my IPS?

Please correct me if I am wrong.

Gold

Switch config for Inline Interface Pair

Your IPS appliance will bridge the traffic between the two VLANs.

Assign your VLAN ports like this:

VLAN 10
  - Internet connection
  - Outside interface of IPS sensor

VLAN 20
  - Inside connection to your network
  - Inside interface of your IPS sensor

PLEASE put your sensor on the inside of your firewall.

- Bob
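As an added illustration (not from the thread or from Cisco), the following Python embeds a constructed four-port IOS config for the layout Bob describes and checks the one property that makes the inline pair work: no port on the Internet side may share an access VLAN with a port on the ASA side, otherwise the switch forwards around the sensor at layer 2. Port names and descriptions are assumed; a port with no access VLAN is treated as VLAN 1, which is the default the original poster mentioned.

```python
import re

# Constructed running-config fragment (not from the thread): VLAN 10 holds the
# Internet router and the IPS outside port, VLAN 20 holds the IPS inside port
# and the ASA outside interface. Interface names are assumptions.
SWITCH_CONFIG = """
vlan 10
vlan 20
interface GigabitEthernet0/1
 description Internet router
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/2
 description IPS inline pair - outside
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/3
 description IPS inline pair - inside
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/4
 description ASA outside
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
"""

def access_vlans(config):
    """Map each Ethernet interface to its access VLAN (IOS default is VLAN 1)."""
    vlans, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S*ethernet\S*)", line, re.I)
        if m:
            current = m.group(1)
            vlans[current] = 1  # no 'switchport access vlan' seen yet: default VLAN 1
            continue
        m = re.match(r"\s+switchport access vlan (\d+)", line)
        if m and current:
            vlans[current] = int(m.group(1))
    return vlans

def check_inline_pair(config, outside_ports, inside_ports):
    """Return a problem per VLAN that appears on both sides of the sensor."""
    vlans = access_vlans(config)
    shared = {vlans.get(p, 1) for p in outside_ports} & {vlans.get(p, 1) for p in inside_ports}
    return [f"VLAN {v} is shared by outside and inside ports; traffic can skip the IPS" for v in sorted(shared)]
```

Run `check_inline_pair` against a config where every port still sits in VLAN 1 and it reports the bypass; the same check is worth repeating whenever an SVI gets an IP address, since IP routing between VLAN 10 and VLAN 20 on the switch would also let traffic avoid the sensor.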

Switch config for Inline Interface Pair

Hello Abhishek,

Just to add to this:

Cisco Intrusion Prevention System interfaces configuration guide:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_interfaces.html#wp1031719
