Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
805
Views
0
Helpful
6
Replies

VLAN PAIRS Bypass or failover??

Diego Armando Cambronero Arias
Level 3
Level 3

‎06-07-2010 07:03 AM - edited ‎03-10-2019 05:01 AM

Hello Experts,

I´m implementing INLINE VLAN PAIRS in two 4260 and a 4270.

I know that the BYPASS is a software failover. But what is going to happen if the hardware fails????

Who is going to do the VLAN re-tagging???

What is going to happen with that traffic?

Is there are way to configure the switch to re-direct the traffic if the IPS is DOWN. of a way to do the re-tag in the switch?

I would really appreciate your comments and suggestions.

Labels:
0 Helpful
6 Replies 6

rhermes
Level 7
Level 7

‎06-07-2010 10:00 AM

You need to perform the failopen function outside the IPS sensor.

Use an external (to the sensor) switch, create two VLANS, connect them together via the sensor (each VALN to sensor connection is a Trunk with one one VLAN in it). Then create a second connection via a patch cable betwen the two VLANS, give it a higher STP metric, enable Spanning tree on these 4 ports. The bypass cable will only run traffic if the sensor stops passing BPDUs.

- Bob

0 Helpful

Diego Armando Cambronero Arias
Level 3
Level 3
In response to rhermes

‎06-07-2010 10:28 AM

Hi rhermes,

I understood the STP part but not the connections part. I´m using only 1 interface to do the VLAN PAIR, the retag is being done in an interface.(and 1 interface in the switch). where should I connect the 4 ports.

Thank you for your time.

0 Helpful

rhermes
Level 7
Level 7
In response to Diego Armando Cambronero Arias

‎06-07-2010 11:31 AM

If you're only using one interface on the sensor, then you only need three switch ports; one trunking both VLANS to the sensor and one port in each VLAN as a regular (non-trunked) access port connected together via a patch cable.

- Bob

0 Helpful

Diego Armando Cambronero Arias
Level 3
Level 3
In response to rhermes

‎06-08-2010 10:57 AM

Hello,

last question. Who is going to make the vlan re-tagging? will VLAN 1 be able to talk to VLAN2 ?

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Diego Armando Cambronero Arias

‎06-08-2010 04:58 PM

The sensor knows the vlan tags, so he will change the vlan tags when bridging the vlans.

I hope it makes sense.

PK

0 Helpful

rhermes
Level 7
Level 7
In response to Diego Armando Cambronero Arias

‎06-08-2010 10:17 PM

When traffic flow through the IPS Sensor, the VLAN pair in the sensor will re-tag the traffic on the trunk port..

When the sensor stops passing layer 2 frames, Spanning trree Protocol will unblock the failover cable port and allow traffic to pass between VLAN 1 and VLAN2 untaged (these poerts are not trunks).

- Bob

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card