Switch config for Inline Interface Pair
Hello all
I am having a doubt here, so I need your help.
I want to configure an IPS in inline interface mode. What I have is
internet rtr---->Switch----->outside interface of ASA
Here, I want to monitor/inspect the traffic coming from the internet.
I am planning to connect the inline interfaces to the same switch.
What I am not sure about is what the switchport configuration for the inline interface pair will be.
Also, how will the switch forward traffic to the IPS, and then from the IPS to the ASA?
Thanks in advance
..Abhi
What are you using for an IPS: an appliance, or IOS IPS in the Internet router or the ASA?
If you want to feed the output of your IPS into the same switch as the input, you'll need to create two separate VLANs, one for the switch interfaces that are outside your IPS and the other for the interfaces that are inside your IPS.
interface Gi0/1
switchport access vlan 10
switchport mode access
switchport nonegotiate
interface Gi0/5
switchport access vlan 20
switchport mode access
switchport nonegotiate
interface vlan 10
interface vlan 20
- Bob
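As an added example, not Bob's configuration and not anything posted in the thread, here is what the two-VLAN design looks like end to end for the question's router -> switch -> ASA path, sensor side included. Port numbers, VLAN numbers, the pair name and the exact IPS CLI keywords (`inline-interfaces`, `logical-interface`, `bypass-mode`, as in the IPS 5.x/6.x CLI) are assumptions; the `!` lines are IOS comments and are not accepted by the sensor CLI, so strip them from the second half before pasting.

```cisco
! --- Catalyst switch (assumed port numbers) ---
! VLAN 10: internet router + sensor interface1   (pre-inspection)
! VLAN 20: sensor interface2 + ASA outside       (post-inspection)
vlan 10
 name OUTSIDE-PRE-IPS
vlan 20
 name OUTSIDE-POST-IPS
!
interface GigabitEthernet0/1
 description Internet router
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description IPS inline pair, interface1 (sensor Gi0/0)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/4
 description IPS inline pair, interface2 (sensor Gi0/1)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description ASA outside
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! Deliberately no "interface Vlan10" / "interface Vlan20" here: the router and
! the ASA outside interface share one IP subnet, and the only bridge between
! the two VLANs is the sensor.
!
! --- IPS sensor CLI (strip the "!" lines before pasting) ---
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
inline-interfaces outside-pair
description Internet router (VLAN 10) <-> ASA outside (VLAN 20)
interface1 GigabitEthernet0/0
interface2 GigabitEthernet0/1
exit
bypass-mode auto
exit
service analysis-engine
virtual-sensor vs0
logical-interface outside-pair
exit
exit
```

Two details matter for security rather than for connectivity. First, neither VLAN gets a layer-3 interface on this switch: the router and the ASA outside interface stay in one subnet, so nothing can be routed around the sensor; management belongs on a separate VLAN, and if an SVI must exist on one of the pair VLANs it goes on one side only, never both (Sid's answer further down the page makes the same point for the IDSM-2). Second, `bypass-mode auto` means the sensor forwards traffic uninspected while its analysis engine is stopped or restarting; if the requirement is that nothing reaches the ASA unscanned, set `bypass-mode off` and accept an outage in that state instead. Expect 30 to 40 seconds before traffic flows after the ports come up, while spanning tree converges on both VLANs.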
Similar Messages
-
Vrf config for virtual interface
Dear all,
I'm trying to create an MPLS VPN for my ADSL subscribers.
I'm sending the VRF config from the RADIUS server, and in the RADIUS debugs I can see that the configuration is being sent correctly to the router, but on the router the virtual-access interface is not configured for VRF forwarding.
The VRF/RD is configured on the router.
07A8 NAS-Port-Type = Virtual
07A8 Service-Type = Framed-User
07A8 NAS-IP-Address = 172.16.120.1
07A8 Sending Code=2, Id=23 to 172.16.120.1
07A8 Profile = "ADSLPPPoE"
07A8 Cisco-AVpair = "lcp:Interface-config= ip vrf forwarding mpls-test2"
07A8 Service-Type = Framed-User
07A8 Framed-Protocol = PPP
Try associating a VRF loopback with the DSL VPN user:
interface loopback1
ip vrf forwarding mpls-test2
ip address 172.16.1.1 255.255.255.255
Then make sure the AV pair looks like this:
Cisco-AVPair "lcp:interface-config=ip vrf forwarding mpls-test2\nip unnumbered loopback 1"
The \n is a carriage return. -
IDSM-2 virtualization with the exception of VLAN groups on inline interface
Please comment on the feature that the IDSM-2 supports virtualization with the exception of VLAN groups on inline interface pairs.
(http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliAnEng.html)
How can one configure VLAN groups on inline pairs? Please give an example by CLI.
The IDSM-2 does support inline VLAN pairs, as the previous responder described. You can have up to 250 inline VLAN pairs on an interface.
The IDSM-2 does NOT support VLAN groups on an inline interface pair.
The appliances do support VLAN groups on an inline interface pair because they can have a switch on one side and another switch (or router, or firewall) on the other side. The 2 devices can then trunk multiple VLANs through the appliance.
You cannot, however, do this with an IDSM-2.
VLAN IDs are not modified when going through an inline interface pair, which means the same VLAN must exist on both sides of the pair.
The problem with the IDSM-2 is that for an inline interface pair to work, each port must be an access port for a different VLAN. So the inline interface pair joins 2 different VLANs. Since it cannot rewrite the VLAN headers, the packets must enter the IDSM-2 WITHOUT VLAN headers so they can be passed between the 2 different VLANs. Since the packets won't have a VLAN header, you cannot make VLAN groups.
If you need to rewrite the VLAN header (usually because you need more than 1 pair of VLANs), then you use inline VLAN pairs on a single interface instead of inline interface pairs. -
I am trying to configure an IDS 4215 to do an inline VLAN pair with a Cisco 3750 Layer 3 switch.
We have 4 VLANs in the 3750: VLAN 100 for workstations, VLAN 200 for servers, VLAN 250 for IP phones and VLAN 150 for firewalls.
All VLANs have a corresponding SVI, with that IP being the default gateway for each VLAN.
interface Vlan1
no ip address
interface Vlan100
description Workstation VLAN
ip address 192.0.0.5 255.255.255.0 secondary
ip address 192.0.0.254 255.255.255.0
interface Vlan150
description WatchGuard FW VLAN
ip address 192.168.150.254 255.255.255.0
interface Vlan200
description Servers
ip address 192.168.200.254 255.255.255.0
interface Vlan250
description VOICE
ip address 192.168.250.254 255.255.255.0
ip helper-address 192.168.200.30
interface Vlan254
description Management VLAN
ip address 192.168.254.254 255.255.255.0
My question is: how do I monitor the traffic going to the firewall VLAN from the server/workstation VLANs?
I read quite a few old topics here in this forum but could not find anything matching, though a few came close.
So my idea is to configure a new VLAN, say 151, and move the firewalls to the new VLAN. Then do an inline VLAN pair on the old firewall VLAN 150 and the new firewall VLAN 151.
Any idea whether it is going to work? Or can I simply do 2 VLAN inline pairs for the firewall-server and firewall-workstation VLANs? Also, I understand that I have to configure trunking on the switch ports?
Would appreciate any comments.
I would recommend you proceed with your first suggestion of creating VLAN 151, moving the firewall ports to VLAN 151, and then placing the sensor inline between VLANs 150 and 151.
There are 2 options for placing the sensor between vlans 150 and 151: inline interface pairing, or inline vlan pairing.
With inline interface pairing you would need the 4FE card in the IDS-4215. Create an inline interface pair using Fe2/0 and Fe2/1.
Create an access port on VLAN 150 of your switch and connect Fe2/0.
Create an access port on VLAN 151 of your switch and connect Fe2/1.
Allow spanning-tree to run (generally between 30 and 40 seconds).
With inline VLAN pairing you can do this with an IDS-4215 without needing the 4FE card.
Create an inline VLAN pair subinterface on Fe0/1 that will pair VLANs 150 and 151.
Create an 802.1q trunk port on your switch that will trunk just VLANs 150 and 151 (leave the native VLAN of the trunk as VLAN 1, but do not place VLAN 1 in the list of allowed VLANs on the trunk).
Connect Fe0/1 to your trunk port.
Now this will cause All traffic between your internal networks and the firewall to have to pass through the sensor. This includes your voice traffic that goes through the internet.
The other option you mentioned of creating inline vlan pairs on your workstation vlan and your server vlans, I would not recommend with IPS 5.1.
The inline vlan pairs would have to be created similar to the inline vlan pair I described above using vlans 150 and 151.
You would have to create vlan 101 and pair 100 and 101.
As well as create 201 and pair 200 and 201.
If the workstations ONLY have connections out through the Firewall and NOT to the servers then it would be OK.
BUT if the workstations also have connections to the servers then it will cause problems. The packets will have to pass through both the vlan 100 and 101 pair as well as the vlan 200 and 201 pair.
When the sensor sees the same packet again after having been routed (by the switch in this case) it causes issues. The sensor sees that the packet has changed and believes that a hacker is modifying packets on the network.
This is being addressed in IPS version 6.0 (still under development) so that VLAN pair 100 and 101 can be monitored independent of VLAN pair 200 and 201.
So until IPS 6.0 is released I would suggest staying with the single vlan pair approach using vlan pair 150 and 151. -
IPS Inline Interface Mode - Can you use a port-channel?
Hi,
I'm trying to determine if you can have a 2-gig Layer-3 port-channel going through an IPS 4260 appliance. See attached diagram. Is this possible?
The client I'm working with would prefer not to break this port-channel into equal-cost 1-gig links (I don't think there will be any performance difference...). However, I'm thinking that if they want the appliance inline like the diagram shows, they will need to break the port-channel. Is that a correct assumption?
Thanks,
Brad
Yes, this is possible.
It will require 2 InLine Interface Pairs on the sensor and both pairs should be added into the same Virtual Sensor.
The 4260 will not be aware that etherchannels are used on both sides, and does not need to be aware.
This may, however, require manual enablement of the etherchannels.
Also keep in mind that the performance in this setup will be limited to what the IPS-4260 is able to perform with that traffic.
If the IPS is only able to monitor 1 Gbps (which is its rating for Transactional traffic tests), then having the 2 InLine Interface Pairs will not give them any more performance than a single pair would.
If the IPS is able to monitor more than 1Gbps of their traffic (it is rated at 2Gbps for Media Rich tests), then the additional pair will allow the sensor to get to the above 1 Gbps monitoring.
If the 4260 is not able to keep with the traffic, then an upgrade to a 4270 using the same deployment setup may be necessary.
NOTE: This also assumes that only the left or right path is actively passing traffic at any one time. If both paths are passing traffic, then asymmetric traffic patterns can result. If asymmetric traffic is seen, then another deployment should be considered, or special configuration placed on the sensors.
NOTE: This setup only works when a single sensor is used within the etherchannel (1 sensor on each etherchannel, 2 sensors in your diagram because you have 2 etherchannels).
You cannot place 2 sensors in the same etherchannel (that would mean 4 sensors in your diagram).
This is because the balancing being done by the lower switch cannot be guaranteed to match that being done by the top switch. A mismatch in balancing could lead to asymmetric patterns.
With a single sensor, the same virtual sensor sees all traffic regardless of which interface the packet comes in on, so a single sensor is fine. But with 2 sensors, the client traffic might get sent to a different sensor than the server traffic. -
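An added example of the two-pair layout this answer describes, not from the original post or from Cisco's documentation. It assumes the port-channel members are Gi1/1 and Gi1/2 on each switch, that the sensor has four sensing ports Gi0/0 to Gi0/3 cabled so that each member link enters one sensor port and leaves the next, and that the IPS CLI keywords (`inline-interfaces`, `logical-interface`, `inline-TCP-session-tracking-mode virtual-sensor`) match the 5.x/6.x CLI; addresses and names are illustrative.

```cisco
! --- top switch and bottom switch (identical except for the IP address) ---
! Layer-3 port-channel whose two members physically pass through the sensor.
! "mode on" bundles the links without PAgP/LACP negotiation, so the bundle
! never depends on control frames crossing the sensor (the "manual
! enablement" the answer mentions).
interface Port-channel1
 no switchport
 ip address 10.1.1.1 255.255.255.252
 ! 10.1.1.2 on the other switch
!
interface range GigabitEthernet1/1 - 2
 description Po1 member, path crosses the IPS-4260
 no switchport
 channel-group 1 mode on
!
! --- IPS-4260 CLI (strip the "!" lines): one pair per member link,
! --- both pairs in the same virtual sensor
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
physical-interfaces GigabitEthernet0/2
admin-state enabled
exit
physical-interfaces GigabitEthernet0/3
admin-state enabled
exit
inline-interfaces member1
description Po1 member 1: top Gi1/1 <-> bottom Gi1/1
interface1 GigabitEthernet0/0
interface2 GigabitEthernet0/1
exit
inline-interfaces member2
description Po1 member 2: top Gi1/2 <-> bottom Gi1/2
interface1 GigabitEthernet0/2
interface2 GigabitEthernet0/3
exit
exit
service analysis-engine
virtual-sensor vs0
logical-interface member1
logical-interface member2
inline-TCP-session-tracking-mode virtual-sensor
exit
exit
```

Verify the bundle with `show etherchannel 1 summary` on both switches (both members in the bundle) and `show interfaces` on the sensor (non-zero receive counters on all four ports). The session-tracking mode is what turns two pairs into one inspection point: each switch picks the member for a flow with its own load-balance hash, so the two directions of one TCP connection can arrive on different pairs, and with interface-and-VLAN tracking they would be tracked as two half-open sessions, which is the asymmetric-traffic failure the notes above warn about. Tracking per virtual sensor lets vs0 stitch both directions back together, and it only works because all of the channel's members cross this one sensor, which is why the answer insists on one sensor per etherchannel.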
Hi. I have one switch and have configured 2 VLANs. The switch connects to an IPS. The IPS is configured in inline interface pair mode.
I want to ask: in this application, must the VLANs be in the same subnet?
If I have two switches, must the VLANs be in different subnets? I want to know that.
I deploy my IPS sensor in interface pair mode.
I have one switch and I configured 2 VLANs (VLAN 10 and 20) on this switch. The IPS is connected to the switch by two physical interfaces in interface pair mode. Do I configure the VLANs in different subnets in this application? -
I have one IPS 4255 sensor and one Catalyst switch. I deploy IPS interface pairs connecting two VLANs, 33 and 22. I want to learn this:
must the VLANs (33 and 22) be in the same subnet, or in different subnets, in interface pair mode?
Because when I use the same subnet for the interface pair it works, and when I use different subnets for the interface pair it does not work.
Please write your comment.
The in-line interface pairs of the Cisco IPS sensor are transparent to traffic. You can think of the sensor as a "bump in the wire". Since there is no layer 3 routing intelligence in the sensor, there is nothing that would pass traffic between two different subnets on a pair of in-line interfaces. Both interfaces need to be addressed within the same subnet.
- Bob -
Help with inline VLAN Pair and switch configuration
Hello,
I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.
SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to Sw1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.
I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But, they can't ping when on the separate vlans.
From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.
My IPS is configured with inline VLAN pair 100->200 and associated to vs0.
Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?
Below are my configs for the switches and the IPS.
Any help would be appreciated. Thank you!
IPS Config
service interface
physical-interfaces GigabitEthernet0/0
no description
admin-state enabled
duplex auto
speed auto
alt-tcp-reset-interface interface-name GigabitEthernet0/3
subinterface-type inline-vlan-pair
subinterface 1
description test
vlan1 100
vlan2 200
exit
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/0 subinterface-number 1
inline-TCP-session-tracking-mode vlan-only
exit
exit
SW1 and SW2 config
interface FastEthernet0/1
switchport access vlan 100
interface FastEthernet0/9
switchport access vlan 200
interface FastEthernet0/18
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/24 (Sw 2 only)
description IPS port
switchport trunk encapsulation dot1q
switchport mode trunk
It has been a while since I've dealt with a 2900 switch, so I am just trying to guess at what may be wrong with your setup.
I noticed that neither of your trunk port configurations specifically states which VLANs are allowed on the trunks.
It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which VLANs to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which VLANs the trunk to the sensor should carry. If I remember right the command would be something like:
switchport trunk allowed-vlan 100,200
You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk"
And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.
On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.
You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.
You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.
NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both pcs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches. -
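As an added example serving both this answer and the IDS-4215 answer earlier on the page (VLANs 150/151 there, 100/200 here), this is the switch-side trunk configuration the troubleshooting steps describe, with the exact IOS command syntax and the show command for each check. It is not from the original posts; the port numbers follow the poster's config, the sensor side is the config already shown in the question, and the `vlan` commands assume the VLANs are created locally (VTP transparent or server mode).

```cisco
! --- SW2, the switch the sensor hangs off (port numbers from the posted config) ---
! Both VLANs must exist on the switch (on a 2900XL that is "vlan database"
! mode; on later IOS the global "vlan" command below).
vlan 100
vlan 200
!
interface FastEthernet0/24
 description IPS Gi0/0 - inline VLAN pair 100<->200
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! carry only the two paired VLANs; VLAN 1 stays native but is NOT allowed,
 ! so every frame reaching the sensor is tagged 100 or 200
 switchport trunk native vlan 1
 switchport trunk allowed vlan 100,200
!
! SW1<->SW2 trunk: PC1 sits on SW1 in VLAN 100, so VLAN 100 must be allowed
! here as well (and 200 if a host on SW1 ever lands in that VLAN).
interface FastEthernet0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
! Checks, in the order the answer lists them:
! show interfaces trunk
!   Fa0/24 must list "100,200" under "Vlans allowed on trunk", under
!   "Vlans allowed and active in management domain" AND under
!   "Vlans in spanning tree forwarding state and not pruned".
! show vlan brief
!   VLANs 100 and 200 present and "active".
! show mac-address-table vlan 200      (newer IOS: show mac address-table vlan 200)
!   after PC1 pings PC2, PC1's MAC appears in VLAN 200 learned on Fa0/24:
!   proof that the sensor re-tagged the frame from 100 to 200.
! On the sensor:
! show interfaces GigabitEthernet0/0   per-VLAN counters for 100 and 200
! packet display GigabitEthernet0/0    frames as they arrive
```

The allowed-VLAN list is the real fix: a trunk with no list carries every VLAN, including untagged VLAN 1 frames, and the sensor then receives traffic it has no pair for; keeping VLAN 1 native but not allowed means nothing untagged reaches Gi0/0. The other property to preserve is the one that governs every inline design on this page: PC1 and PC2 stay in one IP subnet and no device routes between VLAN 100 and VLAN 200, so the sensor is the only path between them and cannot be bypassed. For the 150/151 design on the layer-3 3750, that means the SVI for the firewall subnet lives on one of the two VLANs only.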
IPS Interface Pairs vs. Inline VLAN Pairs
I've got a Cisco IPS 4240 that needs to be configured inline. Right now I've got an ASA 5525-X with two interfaces (inside and DMZ) plugged into our Catalyst 6500 Switch that need to be monitored by the IPS. I also plugged two interfaces from the IPS into the same Catalyst switch hoping that I could use the inline VLAN pairs to monitor that traffic. I've got several VLANs in our DMZ and LAN that need to be monitored. The problem is that I don't understand how the inline VLAN pairs are supposed to work (Cisco's IPS documentation is almost useless), I've been fighting with it for some time with no success.
I'm now thinking that it might be a better idea to plug the two interfaces from the ASA directly into the IPS and then create Interface Pairs from the IPS to the switch. My concern with doing this is that I am turning the IPS into a single point of failure, if it goes down everything goes down with it. Also, will the Interface Pairs work with a 802.1q trunk? Would I then need to create VLAN groups for the trunk? Would using inline VLAN pairs also create a single point of failure?
Basically, I'd like to know the pros and cons of Interface Pairs vs. Inline VLAN pairs. Interface Pairs seem like the easiest and most comprehensive way to go, but if I can avoid the single point of failure with the inline VLAN pairs I would like to go that route.
Hello Paul,
I want to go with inline VLAN pairs; I don't want to go with interface pairing, as this is requested by the customer. How can I do it, as I have an IPS-4240 with 4 gig ports?
I have a doubt: if we create a VLAN pair, then in each pair must one be a real VLAN and the other a dummy VLAN? (for example VLAN 2 and VLAN 3, in which VLAN 3 is the dummy VLAN). Please suggest.
If I have 10 VLANs then I will configure the 10 pairs of VLANs on gig0/0 with real and dummy VLANs, but what VLAN pair should I configure on gig0/1, i.e. the exit interface to the ASA DMZ interface?
Thanks
Message was edited by: adamgibs7 -
IDSM-2 inline vlan pair mode configs
Dear all,
1. Is it possible to associate 2 VLANs (to be paired) on 2 different data ports on the IDSM instead of pairing them on a single data port on the IDSM, and configure these 2 ports on the CAT6509 as access ports instead of trunks? Will this work?
2. Since bypass mode is ON by default (AUTO) in IDSM-2 inline VLAN pair mode, but when I am testing the bypass it's not happening, can anyone please guide me on what the reason for this could be?
Regards,
Akhtar
You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.
-
I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in the case of guest access, getting a URL redirect with a User Acceptance Page (wired guests, not wireless).
My question here is: do we need to configure the HTTP and HTTPS server on the switches (both supplicant and authenticator)?
I am sure it will be needed but just wanted confirmation.
I have checked the configuration for supplicant and authenticator switches for ISE and it nowhere mentions that part of the config.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a problem with URL redirection and a possible cause is mentioned) ------- makes me sure that the config is needed.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html
(config of supplicant and authenticator switch) ---- nowhere mentions the http/https config for both switches.
Yes, it's needed. The HTTP/S server within the switch is used to grab the HTTP user traffic and redirect it to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal.
ip http server
ip http secure-server
The info below I grabbed from Cisco ISE for BYOD and secure unified access book.
"Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management interface and control plane of a switch. This may be accomplished by running the following two commands from global configuration mode:
ip http active-session-modules none
ip http secure-active-session-modules none" -
What's the purpose when we config ipv6 address for an interface with 128bit mask
What's the purpose when we config ipv6 address for an interface with 128bit mask?
Thanks
If you configure a loopback interface you can use a /128 there.
"Normal" interfaces should always use /64 (RFC 4291) while on router-to-router-links you can use a /127 (RFC 6164).
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Only some of the traffic passing through inline vlan pair
Here is my network setup
firewall <----> (Gi1/2) Core switch 6500 with IDSM (TenGig9/1) <-----> (TenGig9/1) Distribution switch with FWSM --------- Access switch
configuration in core switch
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
interface GigabitEthernet1/2.37
description **** ****
encapsulation dot1Q 237
ip vrf forwarding VRF37
ip address 10.2.37.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.37.75
standby 1 priority 110
standby 1 preempt
interface TenGigabitEthernet9/1.11
description **** ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description **** ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
configuration in Distribution switch:
interface TenGigabitEthernet9/1.11
description **** ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
interface TenGigabitEthernet9/1.37
description ********
encapsulation dot1Q 337
ip vrf forwarding VRF37
ip address 10.2.37.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
I have segregated the network like this. I am using an inline VLAN pair to pass all the traffic through the IDSM module.
I am using the monitoring port Gi0/8.
config in core switch
intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
IDSM
physical-interfaces GigabitEthernet0/8
subinterface-type inline-vlan-pair
subinterface 11
description
vlan1 211
vlan2 311
exit
subinterface 37
description
vlan1 237
vlan2 337
exit
The problem I am facing is that some of the VLAN-pair traffic is passing through the IDSM and some of the traffic is not passing. Here I have given the statistics:
MAC statistics from interface GigabitEthernet0/8
Statistics From Subinterface 11
Statistics From Vlan 211
Total Packets Received On This Vlan = 0
Total Bytes Received On This Vlan = 0
Total Packets Transmitted On This Vlan = 0
Total Bytes Transmitted On This Vlan = 0
Statistics From Vlan 311
Total Packets Received On This Vlan = 0
Total Bytes Received On This Vlan = 0
Total Packets Transmitted On This Vlan = 0
Total Bytes Transmitted On This Vlan = 0
Statistics From Subinterface 37
Statistics From Vlan 237
Total Packets Received On This Vlan = 3189658726
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 3549575166
Total Bytes Transmitted On This Vlan = 64165872092928
Statistics From Vlan 337
Total Packets Received On This Vlan = 3549575166
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 3189658726
Total Bytes Transmitted On This Vlan = 64165872092928
Statistics From Subinterface 38
Statistics From Vlan 238
Total Packets Received On This Vlan = 2215151150
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 126546964
Total Bytes Transmitted On This Vlan = 64165866995200
Statistics From Vlan 338
Total Packets Received On This Vlan = 126546964
Total Bytes Received On This Vlan = 64165866995200
Total Packets Transmitted On This Vlan = 2215151150
Total Bytes Transmitted On This Vlan = 64165872092928
Give me ideas, experts, so that I can resolve this issue.
Help me, thanks in advance.
I believe the issue is because of the config below:
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
interface TenGigabitEthernet9/1.11
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description **** ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
As you can see we have 2 IP subnets in VRF 11: .73 and .2, in VLAN 211 and 311 respectively.
The switch is doing inter-VLAN routing directly, without having to go through the IDSM, for VRF 11.
What we need to remember is that the IDSM does not do routing; it can only bridge VLANs.
Hence we have to force the packets to go through the IDSM.
Here is what we do when we use the IDSM to see traffic going between VLANs:
Normally, with vlans, and IDSM inline mode, we have one IP subnet and 2 Vlans.
IDSM2 in inline mode necessitates an additional artificial Vlan on the SAME subnet as the Vlan you wish to sense.
A layer 3 switch interface needs to be configured within this additional artificial Vlan.
In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.
In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.
I can understand if this is a bit tricky to understand.
Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.
https://supportforums.cisco.com/docs/DOC-12206
- Sid -
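An added illustration of the rule in Sid's answer (two VLANs, one subnet, a layer-3 interface on only one of them) in 6500 native IOS plus IDSM-2 CLI. It is not from the thread, and it is not a drop-in fix for the poster's layout, whose Te9/1 and Gi1/2 carry routed dot1Q subinterfaces that would first have to become switched VLANs; slot 8, data-port 2 and Gi0/8 follow the poster's config, while the port roles, the 10.2.11.0/30 addressing and the device on the far side of VLAN 211 are assumptions.

```cisco
! --- Catalyst 6500 native IOS; IDSM-2 in slot 8, data-port 2 = module Gi0/8 ---
vlan 211
 name VRF11-SENSED
vlan 311
 name VRF11-ARTIFICIAL
!
! One subnet, two VLANs, ONE layer-3 interface. The sensed VLAN (211) has
! no SVI and no routed subinterface in VRF11, so the MSFC cannot forward
! from it directly; the only way out of 211 is across the IDSM-2 into 311.
interface Vlan311
 description VRF11 gateway, on the artificial VLAN only
 ip vrf forwarding VRF11
 ip address 10.2.11.2 255.255.255.252
!
! The VRF11 peer (10.2.11.1/30, assumed) is attached at layer 2 on VLAN 211
interface GigabitEthernet1/2
 description VRF11 peer, sensed side
 switchport
 switchport mode access
 switchport access vlan 211
!
! Hand both VLANs to the module; it bridges them as one inline VLAN pair
intrusion-detection module 8 data-port 2 trunk allowed-vlan 211,311
!
! --- IDSM-2 CLI (strip the "!" lines) ---
service interface
physical-interfaces GigabitEthernet0/8
subinterface-type inline-vlan-pair
subinterface 11
description VRF11 211 <-> 311
vlan1 211
vlan2 311
exit
exit
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/8 subinterface-number 11
exit
exit
!
! Checks on the 6500:
! show ip interface brief | include Vlan211   -> must return nothing
! show ip arp vrf VRF11                       -> 10.2.11.1 resolved on Vlan311
! show mac address-table vlan 311             -> peer MAC learned on the IDSM data port
! On the module:
! show interfaces GigabitEthernet0/8          -> non-zero counters on 211 AND 311
```

The security-relevant check is the first one: the sensed VLAN must have no layer-3 interface anywhere on the chassis. If an SVI or a routed subinterface in VRF11 exists on VLAN 211, the MSFC forwards straight from it, the 211/311 pair shows exactly the zero counters in the poster's statistics, and the traffic for that VRF flows uninspected while the sensor reports nothing wrong. The SVI goes on the artificial VLAN, the hosts or peer router on the sensed VLAN, and ARP between the two is what forces every packet across the module.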
Diverting traffic to IDSM for inline IPS mode
I have a Catalyst 6500 switch containing FWSM and IDSM-2 modules. VLAN 1000 is the outside interface for the FWSM, to which all business servers are mapped (VLAN 900 is the inside interface of the FWSM).
I want to inline-IPS all the traffic going to these business servers.
I have no issue with the IPS configuration.
Could you please guide me with a configuration for the 6500 switch for diverting this traffic?
I can provide 6500 configs if required.
An example would be appreciated.
I'm not sure if this is relevant to your situation, but here is how I have a gateway 6K switch set up with an external 4255 IPS device. You should be able to substitute the IDSM2 though.
Internet -> port 1/2 Vlan 5 -> port 3/1 Vlan 5 -> 4255 vlan pair to -> port 3/2 Vlan 2 -> MSFC Route Module -> rest of vlans internal...
What I am doing in bringing my uplink in on a physical port that is in Vlan 5. I put one side of my IPS sensor into Vlan 5. These two ports are the only ports in Vlan 5. The IPS sensor port is vlan paired through the sensor to a port in Vlan 2. From this point, my MSFC route module has virtual interfaces for Vlan 2 and all of the rest of my internal Vlans. There is no route entry for Vlan 5, it is a pure switching vlan.
What I like about this setup is that the IPS is transparent. If I have a problem with my IPS device or if I am doing an image upgrade, I can move the vlan for port 1/2 into Vlan 2 and logically bypass the IPS device...taking it out of inline without having to change anything else in the switch config and only having to wait for the spanning tree to converge.
For the IDSM2, since the ports are trunk ports, you'd want to set the native vlan to the target vlan of each port and set the allowed vlans to just the target vlan of each port (ports 7 & 8).
Hope this is useful,
Scott -
IDSM-2 Inline Vlan Pair - Duplicate Packets
Dear All
We have a setup where two IDSM-2 modules are ether-channeled together in a single 6513 Chassis.
There is an FWSM module also, which acts as the default gateway for all internal VLANs.
Problem: IDSM show stat virtual-sensor command is showing tons of 'Duplicate Packets'
show statistics virtual-sensor | inc Duplic
Duplicate Packets = 2950967
Inline TCP Tracking Mode: Interface and VLAN
Topology:
Assume Client VLAN = 10 and Server VLAN = 60
IPS Inline VLAN Pairs:
10 >> 110 (Client VLAN)
60 >> 160 (Server VLAN)
Client >> Server Flow: (Layer 2):
[ClientPC] >>>> Access Switch (VLAN 10) >>>> Core SW >>>> IDSM-2 (VLAN 10--110 Pair) >>>> Core Sw >>>> FWSM VLAN 110 >>>>
FWSM VLAN 160 >>>> Core Sw >>>> IDSM-2 (VLAN 160--60 Pair) >>>> Server Switch (VLAN 60) >>>> [Server]
Core Switch IPS Etherchannel Setup:
Group 5: IDSM(A) and IDSM(B) Port x/7
Group 6: IDSM(A) and IDSM(B) Port x/8
Some VLAN Pair(s) are on interface x/7 and others are on x/8
Because of the above issue, we see a lot of TCP normalization signatures being fired (as the IPS gets confused with duplicate packets seen for the same flow), especially signatures 1330:12, :17 and :18.
It is also causing some applications to break (e.g. Veritas Netbackup 6.5). When I removed the DENY action from these signatures, our IPS started having stability issues (This could also be due to E3 upgrade)
Should we change the Tracking mode to 'VLAN' only, OR any other possible solution?. Should not the 'interface and vlan' setting be sufficient?.
Regards
Farrukh
This will take some traffic analysis to determine what is going wrong.
You might need to place a sniffer to watch the traffic on the client where the backup software is running at the same time that you capture the traffic on the sensor.
Look to see if there are any differences in the traffic.
Look for any anomalies in the traffic.
Look to see if maybe the backup software is not using a standard TCP connection (is it jumping the tcp sequence numbers in any abnormal way?)
You might also try some things on the sensor to determine if the sensor itself might have an issue.
Determine if the connection passes through 2 connections (inline vlan pairs) monitored by the sensor.
If you can, you might try removing both of the pairs from the virtual sensor. (don't delete the pairs, just remove them from the virtual sensor so they won't be analyzed)
And see if the backup works.
If it does then just add in one pair, and see if it keeps working.
If it has errors with just the one pair, then the problem is likely not because of the connection being monitored twice.
Something else must be weird about the connection.
If the problems are only seen when having both pairs in the same virtual sensor, then try placing the pairs in different virtual sensors and see if the problem goes away.
If the problem goes away when in different virtual sensors, then there may be an error in the inline tcp session tracking code that should track connections separately for each interface/vlan.