IDSM-2 VLAN pairing

Is there any limitation for number of VLAN pairs with IDSM-2 module in 6500 to configure in in-line mode ?

Each interface has a limit of around 255 inline vlan pairs. The IDSM-2 has 2 monitoring interfaces, and so has an upport limit of around 510 inline vlan pairs.
I wouldn't recommend using near that many.
The biggest limiting factors you are going to face is performance, and number of virtual sensors.
From a performance perspective the IDSM-2 is limited to around 500 Mbps regardless of how many inline vlan pairs are used.
The IDSM-2 is also limited to only 4 virtual sensors. So you can only have 4 sets of signature settings, and 4 sets of filters. So the 510 inline vlan pairs would have to be grouped within these 4 virtual sensors.

Similar Messages

IDSM inline VLAN pairing

We have cat 6509 switch with FWSM, IDSM-2, NAM modules. Customer wants all the internal VLAN's to be monitored by IDSM in inline mode. Customer has around 400 VLANS in datacenter and wants to monitor all communications between VLAN's. How do I monitor all VLAN's when IDSM has 2 data ports and can only span 255 vlan groups per port?
Please suggest!
Vinod

I don't know if anyone is still watching this or not but that's a lot of VLANs to go through a (single?) IDSM. Technically you should be able to do it by splitting the VLAN pairs across the two data ports (i.e. vlan 2-200,1002-1200 on DP 1 and vlan 300-500,1300-1500 on DP 2). Considering each IDSM only has a throuput of 500MBps when deep scanning, you're going to potentially be limiting your throughput considerably if you do this.

How many in-line VLAN pairs are supported on IDSM-2

Hi Netpros,
I have a couple of questions and would appreciate your assistance.
1.- Is there any limitation regarding the number of in-line VLAN pairs which can be monitored by the IDSM-2. Using the below version in the cat 6K. I need to monitor about 10 VLAN pairs using in-line mode.
Core 1: Version 12.2(18)SXD7
   1 Centralized Forwarding Card WS-F6700-CFC       SAL1126STTL   3.1    Ok
2 Centralized Forwarding Card WS-F6700-CFC       SAL1121PELM   3.1    Ok
3 Centralized Forwarding Card WS-F6700-CFC       SAL1126SXJG   3.1    Ok
4 Centralized Forwarding Card WS-F6700-CFC       SAL1105FV2Z   2.1    Ok
5 Policy Feature Card 3       WS-F6K-PFC3B       SAD09460517   2.1    Ok
5 MSFC3 Daughterboard         WS-SUP720          SAD094608WX   2.3    Ok
6 Policy Feature Card 3       WS-F6K-PFC3B       SAL1005C5WC   2.2    Ok
6 MSFC3 Daughterboard         WS-SUP720          SAD091300RC   2.7    Ok
7 Centralized Forwarding Card WS-F6700-CFC       SAL1134YWA3   4.0    Ok
Core 2:   Version 12.2(18)SXF10
3 Centralized Forwarding Card WS-F6700-CFC       SAL1049A4BD 2.1    Ok
4 Centralized Forwarding Card WS-F6700-CFC       SAL1133XJKG 3.1    Ok
5 Policy Feature Card 3       WS-F6K-PFC3B       SAL1133XJZF 2.3    Ok
5 MSFC3 Daughterboard         WS-SUP720          SAL1133XMQF 3.0    Ok
9 Centralized Forwarding Card WS-SVC-WISM-1-K9-D SAD125003MC 2.1    Ok
2.- Do I need to create one virtual sensor per in-line VLAN pair ?
Your assistance would be much appreciated.

I don;t know if there is an actual number, but I thought I remember the simultaneous number of VLAN pairs supported by the IPS OS was quite high. I'm currently running IDSMs with well over 10 VLANs.
You do not need to create a separate virtual sensor for each VLAN (That would use up your system resources quite quickly, as it is you can expect to get about 6K connections/sec and about 250Mb/s of throughput in a single sensor instance). You would only want a separate virtual sensor if you needed wildly different signature policies on each VLAN that couldn't;t be otherwise handled by Event Action Filters and Overrides.
- Bob

IDSM-2 inline VLAN pair mode

My customer has voice, video and data VLAN's. Customer wants to inspect only inter VLAN traffic ONLY for data to be inspected by IDSM-2 inline while bypassing other VLAN traffic to FWSM and then to WAN.
Is that possible with Inline VLAN pair mode?
I read the cisco document which states as below
"You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port. IDSM-2 replaces the VLAN ID field in the 802.1q header of each packet with the ID of the VLAN on which the packet is forwarded. It drops any packets received on VLANs that are not assigned to an inline VLAN pair."
The last statement says it will drop all other vlan traffic which are not assigned to any inline vlan pair?
Regards
Vinod

You can bypass analysis engine when inline bypass is activated , allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

IDSM-2 inline vlan pair mode configs

Dear all,
1. Is it possible to associate 2 vlans( to be paired) on 2 different data ports on IDSM instead of pairing it on single data port on IDSM ?? & configuring these 2 ports on CAT6509 as access ports instead of trunk... Will this thing work ?
2. Since bypass mode is ON by default(AUTO) in IDSM-2 in-line vlan pair mode but when I am testing the bypass its not happening..can any pls. guide what could be the reason for this ?
Regards,
Akhtar

You can bypass analysis engine when inline bypass is activated , allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

IDSM-2 Inline Vlan Pair - Duplicate Packets

Dear All
We have a setup where two IDSM-2 modules are ether-channeled together in a single 6513 Chassis.
There is an FWSM module also, which acts as the default gateway for all internal VLANs.
Problem: IDSM show stat virtual-sensor command is showing tons of 'Duplicate Packets'
show statistics virtual-sensor | inc Duplic
Duplicate Packets = 2950967
Inline TCP Tracking Mode: Interface and VLAN
Topology:
Assume Client VLAN = 10 and Server VLAN = 60
IPS Inline VLAN Pairs:
10 >> 110 (Client VLAN)
60 >> 160 (Server VLAN)
Client >> Server Flow: (Layer 2):
[ClientPC] >>>> Access Switch (VLAN 10) >>>> Core SW >>>> IDSM-2 (VLAN 10--110 Pair) >>>> Core Sw >>>> FWSM VLAN 110 >>>>
FWSM VLAN 160 >>>> Core Sw >>>> IDSM-2 (VLAN 160--60 Pair) >>>> Server Switch (VLAN 60) >>>> [Server]
Core Switch IPS Etherchannel Setup:
Group 5: IDSM(A) and IDSM(B) Port x/7
Group 6: IDSM(A) and IDSM(B) Port x/8
Some VLAN Pair(s) are on interface x/7 and others are on x/8
Because of the above issue, we see a lot of TCP normalization signatures being fired (as the IPS gets confused with duplicate packets seen for the same flow). Specially signatures 1330:12 :17 and :18.
It is also causing some applications to break (e.g. Veritas Netbackup 6.5). When I removed the DENY action from these signatures, our IPS started having stability issues (This could also be due to E3 upgrade)
Should we change the Tracking mode to 'VLAN' only, OR any other possible solution?. Should not the 'interface and vlan' setting be sufficient?.
Regards
Farrukh

This will take some traffic analysis to determine what is going wrong.
You might need to place a sniffer to watch the traffic on the client where the backup software is running at the same time that you capture the traffic on the sensor.
Look to see if there are any differences in the traffic.
Look for any anomalies in the traffic.
Look to see if maybe the backup software is not using a standard TCP connection (is it jumping the tcp sequence numbers in any abnormal way?)
You might also try some things on the sensor to determine if the sensor itself might have an issue.
Determine if the connction passes through 2 connections (inline vlan pairs) monitored by the sensor.
If you can, you might try removing both of the pairs from the virtual sensor. (don't delete the pairs, just remove them from the virtual sensor so they won't be analyzed)
And see if the backup works.
If it does then just add in one pair, and see if it keeps working.
If it has errors with just the one pair, then the problem is likely not because of the connection being monitored twice.
Something else must be weird about the connection.
If the problems are only seen when having both pairs in the same virtual sensor, then try placing the pairs in different virtual sensors and see if the problem goes away.
If the problem goes away when in different virtual sensors, then there may be an error in the inline tcp session tracking code that should track connections separately for each interface/vlan.

6509 - IDSM-2 inline vlan pair mode at layer 3

I am a little green, so be nice.
wondering how to get an IDSM-2 module inline on a 6509. my issue is that the traffic comes into the 6509 at layer3 (routed) so I'm not sure how the config works. (e.g. do I use a trunk, or do I have to add a in a hop somehow)
6509 conf snippet:
intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128
vlan 3127
name FIREWALL-IPS
vlan 3128
name FIREWALL
interface Port-channel2
description CAB2
ip address 10.30.2.2 255.255.255.0
ip helper-address 10.10.20.11
ip helper-address 10.10.20.13
ip helper-address 10.30.123.11
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
glbp 2 ip 10.30.2.1
glbp 2 timers msec 250 msec 750
glbp 2 priority 120
glbp 2 preempt delay minimum 60
glbp 2 load-balancing weighted
glbp 2 weighting track 89 decrement 50
glbp 2 weighting track 99 decrement 50
glbp 2 forwarder preempt delay minimum 60
interface GigabitEthernet1/9
description FIREWALL
switchport
switchport access vlan 3128
switchport mode access
no ip address
interface GigabitEthernet8/9
description CAB2SW1-Gi1/0/49
no ip address
channel-group 2 mode on
interface GigabitEthernet9/9
description CAB2SW1-Gi1/0/50
no ip address
channel-group 2 mode on
interface Vlan3128
description FIREWALL
ip address 10.30.128.2 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
no ip igmp snooping
glbp 128 ip 10.30.128.1
glbp 128 timers msec 250 msec 750
glbp 128 priority 120
glbp 128 preempt delay minimum 60
glbp 128 load-balancing weighted
glbp 128 forwarder preempt delay minimum 60
IDSM-2 conf snippet:
service interface
physical-interfaces GigabitEthernet0/7
description data-port 1
subinterface-type inline-vlan-pair
subinterface 1
description FIREWALL VLAN3127<->VLAN3128
vlan1 3127
vlan2 3128

A colleague of mine explained how to do this and it mostly makes sense. My only confusion is that once you remove the access vlan (3128) from the interface that gets monitored and replace it with 3127, how does traffic still traverse the 3128 vlan? What is the mechanism that controls this, is it the command "intrusion-detection module 7 data-port 1 trunk allowed-vlan 3127,3128" ??

IDSM with inline pairs causing mac move

Hello,
I´ve just added the IDSM-2 blades on a 6500 and configured it but it did not work as I planned.
This picture is a little scale what I tried to do, actually I had more vlans on the inspection.
I have 2 cores and a portchannel trunk in between them and for redundancy I´m using HSRP as the config shows.
After I congfigured I´ve got these msgs and I could not figure out how to stop it:
Core1
%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 6 is flapping between port Gi6/d1 and port Po1
%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 7 is flapping between port Gi6/d1 and port Po1
MAC 001a.a2e4.e800 is from Core2
Core2
%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 6 is flapping between port and port Po1
%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 7 is flapping between port Po1 and port
Mac 0022.557b.c340 is from Core1
There was only one VLAN pair that did not have this problem, which was the VLAN L2 for the ISP router and the VLAN Outside for the FWSM . It also was the only VLAN that did not have HSRP working, I dont know if it has something to do.
The Core 1 is the STP Root with priority of Zero and the Core 2 is the Backup Root with priority 4096
Any guesses ?

I see this log message frequently when using a switch to feed an IPS sensor if the same Ethernet frame is entering the same VLAN on two different interfaces. I can;t tell how your traffic is flowing but I think you have the same issue.
In my case it was not anything to worry about so I just ignored the messages.
- Bob

Only some of the traffic passing through inline vlan pair

Here is my network setup
   firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch
configuration in core switch
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
interface GigabitEthernet1/2.37
description **** ****
encapsulation dot1Q 237
ip vrf forwarding VRF37
ip address 10.2.37.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.37.75
standby 1 priority 110
standby 1 preempt
interface TenGigabitEthernet9/1.11
description ****   ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description ****   ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
configuration in Distribution switch:
interface TenGigabitEthernet9/1.11
description **** ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
interface TenGigabitEthernet9/1.37
description ********
encapsulation dot1Q 337
ip vrf forwarding VRF37
ip address 10.2.37.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
i have seggregated n/w like this. i am using inline vlan pair , to pass all the traffic through the IDSM module ,
i am using the monitoring port gi0/8
config in core switch
intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
IDSM
physical-interfaces GigabitEthernet0/8
subinterface-type inline-vlan-pair
subinterface 11
description
vlan1 211
vlan2 311
exit
subinterface 37
description
vlan1 237
vlan2 337
exit
Problem i am facing is , some of the vlan-pair traffic passing through the IDSM some of the traffic are not passing , here i have given the statistics
MAC statistics from interface GigabitEthernet0/8
   Statistics From Subinterface 11
      Statistics From Vlan 211
         Total Packets Received On This Vlan = 0
         Total Bytes Received On This Vlan = 0
         Total Packets Transmitted On This Vlan = 0
         Total Bytes Transmitted On This Vlan = 0
      Statistics From Vlan 311
         Total Packets Received On This Vlan = 0
         Total Bytes Received On This Vlan = 0
         Total Packets Transmitted On This Vlan = 0
         Total Bytes Transmitted On This Vlan = 0
Statistics From Subinterface 37
      Statistics From Vlan 237
         Total Packets Received On This Vlan = 3189658726
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 3549575166
         Total Bytes Transmitted On This Vlan = 64165872092928
      Statistics From Vlan 337
         Total Packets Received On This Vlan = 3549575166
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 3189658726
         Total Bytes Transmitted On This Vlan = 64165872092928
   Statistics From Subinterface 38
      Statistics From Vlan 238
         Total Packets Received On This Vlan = 2215151150
         Total Bytes Received On This Vlan = 64165872092928
         Total Packets Transmitted On This Vlan = 126546964
         Total Bytes Transmitted On This Vlan = 64165866995200
      Statistics From Vlan 338
         Total Packets Received On This Vlan = 126546964
         Total Bytes Received On This Vlan = 64165866995200
         Total Packets Transmitted On This Vlan = 2215151150
         Total Bytes Transmitted On This Vlan = 64165872092928
Give me idea experts , so that i can resolve this issue.
Help me thanks in advance

I believe the issue is because of the config below:
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description ****   ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
As you can see we have 2 ip subnets in the VRF 11 .73 & .2 in vlan 211 & 311 respectively.
The switch is doing intervlan routing directly without having to go through the IDSM for VRF 11.
What we need to remember is IDSM does not do routing, and it can only bridge vlans.
Hence we have to force to packet to go through the IDSM.
Here is what we do when we use IDSM to see traffic going between vlans.:
Normally, with vlans, and IDSM inline mode, we have one IP subnet and 2 Vlans.
IDSM2 in inline mode necessitates an additional artificial Vlan on the SAME subnet as the Vlan you wish to sense.
A layer 3 switch interface needs to be configured within this additional artificial Vlan.
In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.
In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.
I can understand if this is a bit tricky to understand.
Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.
https://supportforums.cisco.com/docs/DOC-12206
- Sid

Filter Traffic using ISDM-2 Inline Mode and Inline VLAN Pairs

Hi Everyone,
I have a new ISDM-2 Module (Version 6.0(1)E1) and I?m thinking use Inline VLAN Pairs to bridge two vlans, in my case vlan 100 and vlan 101. Vlan 100 is the vlan used by MSFC and Vlan 101 is the vlan used by the outside of my FWSM . In this way, I think I can monitor all the traffic into and from Internet. My question is: can I choose what traffic I will analyze using this configuration ? Maybye with VACL or another way.
Thanks in Advanced
Andre Lomonaco

If I understand your question correctly, I do not think you have the ability to selectively inspect the traffic with only a single pair of vlans. The IPS module is going to bridge your vlans together and you would want all traffic to go through that bridge...I don't know what mechanism you'd use to selectively direct traffic through some other bridge/route function.
Within the IPS software you can turn off (disable AND retire) signatures that inspect traffic that you wish to ignore, the IPS will just forward the traffic through, but you don't have a fine level of granularity there.
Scott

IPS VLAN pair in VSS

Hi
I have serverfarm connected to cisco 6509 core switches in VSS mode.We have two IPS es and to connect in line(VLAN pair) for the server farm.I want to know how we will connect these two IPS es because since switches are in VSS mode,this will act as one switch.Please give me a solution to connect both IPS es in to configure in VLAN inline pair in VSS core switch.
Regards
Anvar

Hi,
how did you solve this? Have you tried load-balancing using multichassis etherchannel?
Radim

IDS 4215 Inline VLAN Pair

I am trying to configure IDS 4215 to do inline vlan pair with a Cisco 3750 Layer 3 switch.
We have 4 vlans in the 3750, vlan 100 for workstations,vlan 200 for servers, vlan 250 for ip phones and vlan 150 for firewalls.
All vlans have corresponding SVI with that ip been the default gateway for each vlan.
interface Vlan1
no ip address
interface Vlan100
description Workstation VLAN
ip address 192.0.0.5 255.255.255.0 secondary
ip address 192.0.0.254 255.255.255.0
interface Vlan150
description WatchGuard FW VLAN
ip address 192.168.150.254 255.255.255.0
interface Vlan200
description Servers
ip address 192.168.200.254 255.255.255.0
interface Vlan250
description VOICE
ip address 192.168.250.254 255.255.255.0
ip helper-address 192.168.200.30
interface Vlan254
description Management VLAN
ip address 192.168.254.254 255.255.255.0
My question is how do i monitor the traffic going to firewall vlan from server/workstation vlans ?
I read a quite a bit of old topics here in this forum but could not find anything matching though there were few coming close.
So my idea is to configure new vlan say 151 and move the firewalls to the new vlan.Then do inline vlan pair on old firewall vlan 150 and new fw vlan 151.
Any idea its going to work ? or can i simply do 2 vlan inline pairs for fw-server and fw-workstation vlans ? Also i understand that i have to configure trunking on switch ports ?
would appriciate any comments.

I would recommend you proceed with your first suggestion of creating vlan 151, moving the firewall ports to vlan 151, and then placing the sensor inline between vlans 150 and 151.
There are 2 options for placing the sensor between vlans 150 and 151: inline interface pairing, or inline vlan pairing.
With inline interface pairing you would need the 4FE card in the IDS-4215. Create an inline interface pair using Fe2/0 and Fe2/1.
Create an access port on vlan 150 of your switch and connect Fe2/0.
Create an access port on vlan 151 of your switch and connect Fa2/1.
Allow spanning-tree to run (generally between 30 and 40 seconds).
With InLine Vlan Pairing you can do this with an IDS-4215 without needing the 4FE card.
Create an inline vlan pair subinterface on Fe0/1 that will pair vlans 150 and 151.
Creat an 802.1q trunk port on your switch that will trunk just vlans 150 and 151 (leave the native vlan of the trunk as vlan 1, but do not place vlan 1 in the list of allowed vlans on the trunk)
Connect Fe0/1 to your trunk port.
Now this will cause All traffic between your internal networks and the firewall to have to pass through the sensor. This includes your voice traffic that goes through the internet.
The other option you mentioned of creating inline vlan pairs on your workstation vlan and your server vlans, I would not recommend with IPS 5.1.
The inline vlan pairs would have to be created similar to the inline vlan pair I described above using vlans 150 and 151.
You would have to create vlan 101 and pair 100 and 101.
As well as create 201 and pair 200 and 201.
If the workstations ONLY have connections out through the Firewall and NOT to the servers then it would be OK.
BUT if the workstations also have connections to the servers then it will cause problems. The packets will have to pass through both the vlan 100 and 101 pair as well as the vlan 200 and 201 pair.
When the sensor sees the same packet again after having been routed (by the switch in this case) it causes issues. The sensor sees that the packet has changed and believes that a hacker is modifying packets on the network.
This is being addressed in IPS version 6.0 (still under development) so that vlan pair 100 and 101 can be monitored independant of vlan pair 200 and 201.
So until IPS 6.0 is released I would suggest staying with the single vlan pair approach using vlan pair 150 and 151.

Issue - Inline VLAN pair IPS

Hello everyone,
I have an issue with an 4255 IPS using an inline VLAN pair. Here's the rough sketch of the topology:
SW1
port 1 access vlan 10 - PC (10.20.30.2/24)
port 48 trunk to SW2 - all vlans allowed and forwarding
SW2
port 48 trunk to SW1 - all vlans allowed and forwarding
port 1 trunk allowed vlan 10,20 to IPS g0/1 configured in inline VLAN pair; assigned to sensor etc.
SVI vlan 20 for network 10.20.30.1/24 (up/up)
I'm unable to ping SVI from PC. Anyone have any suggestions? Running packet display on IPS interface I only see BPDUs hitting the interface. VTP is enabled but pruning is disabled. Both vlans exist on both switches.
I'm only seeing ARP requests from SVI on the IPS, but no replies coming from the remote switch.
Alternatively the PC is sending ARP requests to the SVI IP, but those aren't getting resolved, nor are they getting to the IPS interface.

Hello Yuriy
So Topology is something like
PC-----ACCESSPORT----SW1----TRUNK----SWITCH2
                                                                 |
                                                                 |
                                                               IPS Inile vlan pair
The thing is that if you already allow the vlans on the trunk link then traffic will not get inspect by the IPS,
Do you see what I mean, you must force it to go to the IPS.
Let me know if I was clear enough

VLAN PAIR

Hello,
I have a question, I have a 4270 working with VLAN PAIRs.
In an interface I have the VLAN pair 120-121 and in another interface the same pair 120-121 When I add that pair the IPS gives an error message saying that I already have that VLAN Pair however it allows the creation of the PAIR. I can even see traffic passing through the interfaces.
1 interface has so much traffic however the another one only a few traffic.
I know that I cannot have the same vlan twice in the same interface but I am using 2 different interfaces with the same vlan.
The IPS should be able to handle that right?
I have 2 Nexus doing load balancing, I connected them both to the IPS (1 interface per Nexus) so I can inspect all the traffic.
Please let me know if I am doing the thing wrong.

Hello,
a. Vlan pair can be thought as IPS on a stick (analogous to router on a stick)
One physical interface and multiple subinterfaces.
Each subinterface is associated with a pair of vlans.
b. On a given physical interface, you cannot associate the same vlan pair on more than one subinterface.
c. You can associate the same vlan pair assigned to a subinterface on a separate physical interface.
Correct, you will see an error message that warns you, that you are using same vlans for multiple interfaces.
But this should be fine. You will he having same Vlans say x & y being bridged on more that one physical interface on the IPS.
d. In terms of load-balancing, understand that IPS will inspect whatever traffic it recieves on the physical interfaces.
Hence if you have 2 physical interfaces say 1 & 2 each having a subinterface 1 and same vlans x & y associated,
then its the job of the Nexus to make sure equal amount traffic actually goes into interface 1 & 2.
So traffic allocation on each ips interface depends on load-balacing done on nexus.
e. Like with every network design issue, always test it before putting it under production, to check for any unexpected issues (for e.g spanning-tree issues due to typical flow of traffic etc).
Sid Chandrachud
TAC Security Solutions

IPS Interface Pairs vs. Inline VLAN Pairs

       I've got a Cisco IPS 4240 that needs to be configured inline. Right now I've got an ASA 5525-X with two interfaces (inside and DMZ) plugged into our Catalyst 6500 Switch that need to be monitored by the IPS. I also plugged two interfaces from the IPS into the same Catalyst switch hoping that I could use the inline VLAN pairs to monitor that traffic. I've got several VLANs in our DMZ and LAN that need to be monitored. The problem is that I don't understand how the inline VLAN pairs are supposed to work (Cisco's IPS documentation is almost useless), I've been fighting with it for some time with no success.
     I'm now thinking that it might be a better idea to plug the two interfaces from the ASA directly into the IPS and then create Interface Pairs from the IPS to the switch. My concern with doing this is that I am turning the IPS into a single point of failure, if it goes down everything goes down with it.   Also, will the Interface Pairs work with a 802.1q trunk? Would I then need to create VLAN groups for the trunk? Would using inline VLAN pairs also create a single point of failure?
     Basically, I'd like to know the pros and cons to the Interface Pairs vs. the Inline VLAN pairs. Interface Pairs seems like the easiest and most comprehensive way to go, but if I can avoid the single point of failure with the inline VLAN paris I would like to go that route.

Hello Paul,
I want to go with Inline vlan pair,i don't want to go with interface pairing,as this is request by customer,how i can do it,as i m having a IPS-4240 with 4 gig ports,
I have a doubt that if we create a vlan pair then in each pair 1 be a real vlan and the other should be dummy vlan ???? ( for example vlan 2 and vlan 3 in which vlan 3 is the dummy vlan). Please suggest
If i have a 10 vlan than i will configure the 10 pair of vlan on gig0/0 with real and dummy vlan, but what vlan pair i shld configure on gig0/1 i.e (exit interface to ASA DMZ interface.)
Thanks
Message was edited by: adamgibs7

IDSM-2 VLAN pairing

Similar Messages

Maybe you are looking for