IPS 4270 with 6509 VSS in Promiscuous mode

Dear all,
I am trying to figure out how to configure 2x IPS 4270 in promiscuous mode with Cisco 6509 VSS:
I have attached the LLD core datacenter design including the IPS physical placement in my network.
The following points are my concerns in this design:
Shall I connect each of the IPS 4270s into VSS Chassis A and B, or keep each IPS connected to a different chassis? (considering the SPAN port configuration on VSS, and whether I could encounter an asymmetric routing issue or not).
Can I use Etherchannel in either case (keep in mind it's promiscuous mode)? That means the destination interface on the VSS will be an Etherchannel interface, but does the Cisco IPS 4270 support Etherchannel while in promiscuous mode?
I really appreciate your input on this matter guys.
Cheers
Mohammed Khair

Hi,
1. You can connect each IPS into Chassis A and B; that is not a problem. But while configuring the RSPAN monitor from A to B and B to A, it should monitor both VLANs (I mean RSPAN A and B and also vice versa in your config; then it will give both outputs even if connectivity between an IPS and one chassis fails).
2. IPS supports Etherchannel while in promiscuous mode as well.

Similar Messages

  • IPS 4255 with 6509/FWSM

    Is it possible to use a 4255 IPS inline on a 6509 with an FWSM?
    For example say the FWSM has 20 vlans with servers on them, is it possible to put it inline between the different vlans? Would vlan pairs work for this or vlan groups?

    You can use both vlan-pairs and vlan-groups in this scenario. In my opinion the vlan-pair setup is simpler than the vlan-group setup, so I would look into that first.
    Here is a link describing the system with more than one sensor to scale the bandwidth:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
    It's about an older version and has missing images, but still shows the concept of a "sensor on a stick".

  • IPS 4270 and VSS (Virtual Switch System)

    HI,
    I would like to know whether it is possible to connect just One IPS 4270 to a VSS in etherchannel mode (two IPS interfaces per each 6500 Switch).
    Thanks in advance

    You can re-use the virtual domain ID as long as the two VSS chassis are not directly connecting to each other. Take a look at this link:
    Virtual Domain
    Defining the domain identifier (ID) is the first step in creating a VSS from two physical chassis. A unique domain ID identifies two switches that are intended to be part of the same VSS pair that defines the VSS domain. Assignment of a domain ID allows multiple virtual switch pairs to be connected in a hierarchical manner. Only one VSS pair can participate in a particular domain. The domain ID can have a value ranging from 1 to 255 and must be unique when multiple VSS pairs are connected together. See Figure 2-2.
    Figure 2-2 VSS Domain IDs
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_ch2.html
    Hope this helps!
    Thank you for rating useful posts!

  • 2 IPS 4270 SETUP FOR PROMISCUOUS MODE

    hi guys,
    I have two IPS 4270s and I want to set them up for promiscuous mode. Please help me on how to set up these two devices. It is the first time for me to set up these devices. Can somebody give me configuration guides on how to start?
    thank you

    Here is the configuration guide for IPS version 7.0:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html
    Hope that helps.

  • IPS 4270 sensors on "Inline-On-A-Stick" Mode

    Hello,
    We are planning to use VLAN pair mode using Ether channel trunks (Inline-on-a-stick), mainly to overcome the lack of 10 GigE interfaces, which would prevent us from adopting a traditional in-line architecture for firewalls with 10 GigE interfaces.
    Do you or your customers have experience with Inline-on-a-stick? Could you please share your advice and any word of caution we need to keep in mind?
    I do know the Bypass can't work in this mode, which we are planning to address by deploying multiple IPS 4270 appliances and Ether Channels.
    Any suggestions are appreciated!
    Thanks,
    Antony

    With VLAN pairs you need to be aware of the "sharing" going on between the two VLANS on the same GigE interface. Each VLAN should be loaded to no more than 50%.
    I would recommend an external VLAN bypass for when the sensor takes a nap, reloads or gets an OS update. I've done this with an alternate path between the two VLANs with a higher Spanning Tree cost. If you play with the STP parameters you can get the switchover down to under a second.

  • TCP flow get slower with IPS 4255 5.1(3) in inline mode

    I have an IPS 4255 with 5.1(3).
    The logical setup is the following:
    Internet
    |
    ServerA --- IPS --- PIX --- IPS --- ServerB
    The physical setup is the following:
    ServerA --- SwitchA --- IPS --- SwitchB --- PIX --- Internet
    ServerB ---/
    (ServerA and ServerB are in different DMZs -> in different VLAN-s)
    My goal is to protect many segments by one inline IPS, therefore the connection
    between SwitchA and SwitchB is an ethernet trunk (for performance reasons this is
    an etherchannel trunk (load sharing is src-dst-ip)).
    The problem is that ServerA and ServerB have to communicate, and this is done via the PIX.
    The communication is very slow and there are many fired TCP Drop and TCP normalization related
    signatures. When the IPS is in bypass-on mode, or one of the server segments is not watched by the
    IPS, the communication speed is ok. I think the speed degradation is because every packet between ServerA and
    ServerB travels through the IPS twice. It seems to me that although they are in separate VLANs the IPS can not handle
    them.
    Does someone have an idea how to solve this issue?

    Hello,
    The traffic is about 1-2 megabit/sec through the IPS, so this does not count.
    I tried to use the norandomseq but it does not help. (Is it ok that the norandomseq does not appear in the configuration? I used it in this form: nat (APPL) 0 access-list ACL_NONAT_APPL norandomseq).
    I switched off all of the signatures except the normalizers. I switched them to just produce alert and verbose alert, not to drop or modify packets.
    The two relevant servers are Takson (172.31.5.1) and Keve (172.31.6.1).
    The alarms are attached. I see that there is an alarm between them: TCP session tracking stopped due to timeout
    It seems very strange to me.
    Akos

  • WLC5508 with SW6500 VSS mode

    Hi all,
    Unfortunately, I haven't enough experience on CISCO wireless controllers and I'm not able to find an official answer for this question:
    My customer has two SW6500s in VSS mode connected via VSL. I wish to know if anyone has already connected a WLC5508 with SW6500 VSS using the LAG feature?
    I wish to connect one uplink from the LAG to the first switch and the second uplink to the other. The two switches are considered like one logical system.
    I have already read the best practice from CISCO for when we connect a 5508 to a switch regarding the port-channel, but nothing regarding VSS and the VSL link.
    Thanks in advance.

    It does work as long as the two chassis are in VSS :)  Make sure the etherchannel load balancing is configured for src-dst-ip
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • IPS-4270 problem with FWSM

    Hi,
    I am facing some strange issue with IPS 4270. As soon as I connect one interface of the IPS into any free port (default configs) on the 7609, after some time the FWSM stops forwarding traffic for around 5 to 10 minutes. I have never seen this type of problem before. During the problem I have noticed that the MSFC forwards traffic properly to other devices but traffic across the FWSM halts for some time.
    FWSM Code: 4.0(1)
    IPS Code: 6.1(2)E3
    FWSM Configs: Multiple Context configured
    IPS Config: Only Interface Pairing configured.
    Would appreciate any feedback on this.
    Regards,
    Akhtar

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command, states that policy routing may need to be implemented to prevent ip packets from going around the firewall. I do not have any policy routing in place.
    I also do not have any active layer three interfaces defined for any of the vlans assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about ip packets having a way around the FWSM. My suspicion is that this command and the fact that I have mls on is causing some type of a problem which results in the packet being "lost" when it needs to be going through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
    Do you have any idea where better documentation on using the "firewall multiple-vlan-interfaces" may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • WLC 4402 LAG connection to 2 different chassis of 6509 VSS switch system

    Hi,
    I have inherited a 6509 VSS switch system as the network core and have the task of ensuring proper redundancy and redesign of the directly connected data center devices.  One of the connected devices (WLC 4402) physically appears to be connected to both switches - the WLC is in the same rack as VSS-Chassis1 so I can trace the fiber from WLC port 1 to gi1/1/22, the other fiber from the WLC port 2 goes into the floor and presumably over to VSS-Chassis2 gi2/1/22 (there is fiber connected there, I have link lights on both sides, and the port channel, Po200, on the VSS switch which is configured on gi1/1/22 is also configured on gi2/1/22).  My question pertains to the CDP neighbor output I get on the VSS switch: (truncated to include just the WLC)
    NCMECHQWiFi1     Gig 1/1/22        137               H    AIR-WLC44 Gig 0/0/2
    NCMECHQWiFi1     Gig 1/1/22        137               H    AIR-WLC44 LAGInterface0/3/1
    NCMECHQWiFi1     Gig 1/1/22        137               H    AIR-WLC44 Gig 0/0/1
    It looks like both WLC ports are physically connected to Gi1/1/22, which they are quite obviously not.
    This is confirmed on the WLC's "show cdp entry all" output:
    (Cisco Controller) >show cdp entry all
    Device ID: ncmec-vsscoresw1.ncmec.org
    Entry address(es): 100.1.0.254
    Platform: cisco WS-C6509-E,  Capabilities: Router Switch IGMP
    Interface: LAGInterface0/3/1,  Port ID (outgoing port): GigabitEthernet1/1/22
    Holdtime : 160 sec
    I believe that the multi chassis etherchannel is set up correctly on the VSS:
    vsscoresw1#sho run int gi1/1/22             
    interface GigabitEthernet1/1/22
    description WLC-Management
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    channel-group 200 mode on
    end
    vsscoresw1#sho run int gi2/1/22
    interface GigabitEthernet2/1/22
    description WLC-Management
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    channel-group 200 mode on
    end
    vsscoresw1#sho run int po200
    interface Port-channel200
    description WLC-Management
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    end
    And yet when I show the details of port channel 200, I expect to see "mode on" but instead see LACP, which is unsupported on the WLC:
    vsscoresw1#sho etherchannel 200 detail
    Group state = L2
    Ports: 2   Maxports = 8
    Port-channels: 1 Max Port-channels = 1
    Protocol:    -
    Minimum Links: 0
                    Ports in the group:
    Port: Gi1/1/22
    Port state    = Up Mstr In-Bndl
    Channel group = 200         Mode = On      Gcchange = -
    Port-channel  = Po200       GC   =   -         Pseudo port-channel = Po200
    Port index    = 0           Load = 0xFF        Protocol =    -
    Mode = LACP
    Age of the port in the current state: 180d:19h:47m:01s
    Port: Gi2/1/22
    Port state    = Up Mstr In-Bndl
    Channel group = 200         Mode = On      Gcchange = -
    Port-channel  = Po200       GC   =   -         Pseudo port-channel = Po200
    Port index    = 1           Load = 0xFF        Protocol =    -
    Mode = LACP
    Age of the port in the current state: 180d:19h:47m:02s
                    Port-channels in the group:
    Port-channel: Po200
    Age of the Port-channel   = 354d:12h:47m:27s
    Logical slot/port   = 46/19          Number of ports = 2
    GC                  = 0x00000000      HotStandBy port = null
    Port state          = Port-channel Ag-Inuse
    Protocol            =    -
    Fast-switchover     = disabled
    Load share deferral = disabled  
    Ports in the Port-channel:
    Index   Load      Port          EC state       No of bits
    ------+------+------------+------------------+-----------
    0      FF       Gi1/1/22                 On   8
    1      FF       Gi2/1/22                 On   8
    Time since last port bundled:    173d:17h:06m:34s    Gi2/1/22
    Time since last port Un-bundled: 173d:17h:06m:34s    Gi2/1/22
    Last applied Hash Distribution Algorithm: Fixed
    >>>  So my question, arising at least partly from the apparently misleading CDP information, is this:  How can I confirm that the WLC is correctly dual homed to both core switches (short of tracing the cable)? I ask because there are several other devices (not WLCs) that need to have their dual homed connections confirmed.
    I tried a layer 2 traceroute, but for all MACs associated with the WLC the trace aborts with the error "Device has Multiple CDP neighbours on destination port."
    Thanks in advance!
    Sue

    PS:  It is critical that I confirm the redundancy, since as part of the data center redesign we will be moving the second VSS chassis to the same rack as the first to simplify the dual connections.  I need to verify all the redundant connections before I take it offline and move it.  Thanks!
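    One way to answer the dual-homing question from the "show etherchannel <n> detail" output rather than from CDP, written here as an added example and not code from the post or from Cisco: in a VSS the three-part interface name (Gi<switch>/<slot>/<port>) carries the chassis number, so a port-channel is dual homed when bundled ("In-Bndl") member ports come from two different switch numbers. The sample output below is constructed to match the shape of the output above; the function names are my own.

```python
import re

# Constructed sample in the shape of "show etherchannel <n> detail"
# (values made up for this example, not taken from a live switch).
SAMPLE_DUAL_HOMED = """\
Group state = L2
Ports: 2   Maxports = 8
                Ports in the group:
Port: Gi1/1/22
Port state    = Up Mstr In-Bndl
Channel group = 200         Mode = On      Gcchange = -
Port-channel  = Po200       GC   =   -         Pseudo port-channel = Po200
Port: Gi2/1/22
Port state    = Up Mstr In-Bndl
Channel group = 200         Mode = On      Gcchange = -
Port-channel  = Po200       GC   =   -         Pseudo port-channel = Po200
                Port-channels in the group:
Port-channel: Po200
Port state          = Port-channel Ag-Inuse
"""

# Same shape, but the second chassis's member never bundled (constructed).
SAMPLE_SINGLE_HOMED = SAMPLE_DUAL_HOMED.replace(
    "Port: Gi2/1/22\nPort state    = Up Mstr In-Bndl",
    "Port: Gi2/1/22\nPort state    = Down Not-in-Bndl")

PORT_RE = re.compile(r"^Port:\s+(\S+)\s*$")
STATE_RE = re.compile(r"^Port state\s*=\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^[A-Za-z]+(\d+)/(\d+)/(\d+)$")


def parse_member_ports(text):
    """Return {port: {"bundled": bool, "switch": int|None}} from the
    per-port section. Parsing stops at the port-channel section so its
    own "Port state = Port-channel Ag-Inuse" line is not mistaken for a
    member port's state."""
    members = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Port-channels in the group") or line.startswith("Port-channel:"):
            current = None
            continue
        m = PORT_RE.match(line)
        if m:
            current = m.group(1)
            iface = IFACE_RE.match(current)
            members[current] = {
                "bundled": False,
                # First number of Gi<switch>/<slot>/<port> is the VSS chassis.
                "switch": int(iface.group(1)) if iface else None,
            }
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            members[current]["bundled"] = "In-Bndl" in m.group(1)
    return members


def check_dual_homed(text):
    """Summarise which chassis have a bundled member in this port-channel."""
    members = parse_member_ports(text)
    chassis = sorted({p["switch"] for p in members.values()
                      if p["bundled"] and p["switch"] is not None})
    return {"members": members, "bundled_chassis": chassis,
            "dual_homed": len(chassis) >= 2}


if __name__ == "__main__":
    for name, sample in (("dual", SAMPLE_DUAL_HOMED), ("single", SAMPLE_SINGLE_HOMED)):
        result = check_dual_homed(sample)
        print(name, "bundled on chassis", result["bundled_chassis"],
              "dual_homed =", result["dual_homed"])
```

    Run against the real output of each port-channel to be verified (for example by pasting it into a file and reading it in); a port-channel that reports only one chassis number among its bundled members is the one to walk to the rack and trace. The check deliberately keys on the "In-Bndl" state rather than on the member list alone, since a port can be configured into the channel-group yet not be bundled.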

  • Catalyst 6509 VSS IOS upgrade

    Hi,
    We have a Catalyst 6509 VSS system; each chassis has 2 supervisor engines. The IOS version is 12.2(33)SXI4a. We should upgrade to 12.2(33)SXI12.
    The following document mentions 2 upgrade methods: FSU & eFSU
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html#wp1170391
    We can not use eFSU because the images have release dates more than 18 months apart, so we can use FSU only. And there is a note for FSU:
    Note VSS mode supports only one supervisor engine in each chassis. If another supervisor engine resides in the chassis it will act as the DFC
    It makes me somewhat confused.... What is the correct procedure to upgrade the Catalyst 6509 VSS IOS (each chassis with 2 supervisor engines)?
    Best Regards,

    Hello Jackson,
    Please take a look at the next post, which may answer your questions:
    https://supportforums.cisco.com/thread/2188244
    Intrachassis Availability
    The initial release of the Cisco Virtual Switching System supports only a single supervisor per chassis. If a second, or redundant, supervisor is installed in an individual chassis then the redundant supervisor will not fully boot. The redundant supervisor will stop the boot process at the ROMMON stage.
    In this configuration any device connected to the chassis in a single-homed, or single-attach, manner must rely on the availability of the single supervisor. Therefore the recommendation for connecting to the VSS is to always dual-attach devices.
    As a result of the single supervisor per chassis support the recovery period for replacing a failed supervisor module is undeterministic in that the recover process requires manual intervention in order to install and initialize a new supervisor in the chassis.
    Beginning in the 12.2(33)SXI4 software release, Quad-Sup Uplink Forwarding is supported which allows for a redundant supervisor to fully boot Cisco IOS Software, thereby providing a deterministic recovery option for redundant supervisors in a VSS chassis.
    Refer:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/white_paper_c11_429338.pdf 
    The link that you mentioned describes how to configure a VSS from release 12.2(33)SXH1.
    Below is a step by step explanation of the upgrade process and the downtimes associated with each step:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-729039.html
    ISSU restrictions and guidelines.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html
    Video:
    https://supportforums.cisco.com/videos/2650
    Best regards,
    Haihua

  • Cisco ips 4270 unequal cpu utilization

    I have 2 Cisco IPS 4270 devices with IOS version 7.0(2)E4. When monitoring through IPS Manager, I am able to see 4 CPUs.
    In CPU 1 the utilization is showing near to 100 percent. CPU 2 is showing zero or very little utilization. CPU 3 & CPU 4 are showing average utilization, nearly equal to 40 percent.
    I wonder why I am getting zero percent CPU utilization in CPU 2 and 100 percent utilization in CPU 1?
    Can we distribute the load among the four CPUs?
    Hey Cisco folks, please help.

    This was mentioned in a previous post, specifically the reply by Scott Fringer.  Post here:
    https://supportforums.cisco.com/message/3065777#3065777
    In Scott's post, he quoted the E3 engine release notes regarding CPU utilization (highlighting mine):
    The E3 signature engine update contains changes from CSCsu77935
    The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
    You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
    So, what you are seeing should be considered normal, and doesn't need correction.  That is, unless you are seeing packet loss.

  • When I save photos or videos from my iPhone 4S to my PC they are all sideways.  Is there a way to prevent this from happening?  All are taken with the phone in portrait mode.

    When I save photos or videos from my iPhone 4S to my PC they are all sideways.  Is there a way to prevent this from happening?  All are taken with the phone in portrait mode.

    Shoot videos ONLY in landscape. For photos choose what you like. Maybe you have to rotate the photos on the PC. What's your operating system?

  • I need to repair a Macbook Pro with Disk Utility using target mode to my iMac. Can I use an ethernet cable or must it be firewire?

    I need to repair a Macbook Pro with Disk Utility using target mode connected to my iMac. Can I use an ethernet cable to connect them or must it be firewire?

    Firewire

  • Holding with one hand in landscape mode?

    When playing games, some games require me to hold it with one hand in landscape mode. My iPad doesn't feel as secure as when I hold it with one hand in portrait mode. Is the iPad designed to be held in landscape mode with just one hand, therefore with no support on the opposite side of the iPad? Is it safe to hold my iPad that way?

    Take things easy. Research anything you buy and see it in person if possible. Everyone has different tastes.
    Deviating slightly, here is the link to downloading the User Guide if you do not already have it. http://support.apple.com/manuals/#ipad
    Take time to read it. (and re-read it!). It will stand you in good stead. Get your teeth into backups - whether in iTunes or iCloud - as we see so many people falling foul of this when something goes wrong. Welcome on board. Enjoy your iPad!

  • A Query with LOB's requires OCI8 mode, but OCI7 mode is used

    Hello all,
    I am using Oracle 10g. We have two tables: in one table I have a Long Raw column and in the other table I have a BLOB field. When I use the select query to fetch the details from the table with the Long Raw field it is working fine, and at the same time if I use the select query on the table with the BLOB field it is giving me an error
    'A query with LOB's requires OCI8 mode, but OCI7 mode is used.'
    Please help.
    Thanks.
    Vinodh. S

    Hi Oleg,
    I think your client machine is not set up to connect to the Database. Run the Oracle Net8 Assistant or the Net8 Easy Config to connect to the Database.
    This should work.
    Samuel.
    PS: I need someone to answer my question, please
