Focus on IDS
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 02 2009 10:39AM
Farrukh Haroon (farrukhharoon gmail com) (1 replies)
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 03 2009 08:24PM
Gary Halleen (ghalleen cisco com) (1 replies)
Multiple interfaces on a single IPS sensor can be attached to a single
etherchannel group (up to 8 interfaces per group).

Additionally, inline interface pairs can be connected to trunk ports. Cisco
IPS is able to track traffic per-VLAN, in this case.

Gary

The Hacker only has to be right once...

Stay Secure!

Gary Halleen, CISSP-ISSAP, CHP
Consulting Security Engineer
Cisco Systems
Author, Security Monitoring with CS-MARS, ISBN: 1587052709

On 4/2/09 3:39 AM, "Farrukh Haroon" <farrukhharoon (at) gmail (dot) com> wrote:

> No, only one interface can be connected to my knowledge (as Inline
> VLAN Pair mode uses one interface only and this is the only supported
> deployment model in ECLB).
>
> Regards
>
> Farrukh
>
> On Thu, Apr 2, 2009 at 1:21 PM, Burak Dikici <bdikici (at) gmail (dot) com> wrote:
>>
>> Hello Farrukh ,
>>
>> What do you say about this question ?
>>
>> "Can I have ONE IPS with three or four inline mode ports attached to the same
>> switch in an etherchannel?" I am talking about one IPS with multiple
>> interfaces. For example, two IPS with four interfaces in the switch's
>> etherchannel group with eight ports. Thank you.
>>
>> Burak
>>
>>
>>
>> On Thu, Apr 2, 2009 at 12:56 PM, Farrukh Haroon <farrukhharoon (at) gmail (dot) com>
>> wrote:
>>>
>>> Hello Burak
>>>
>>> 1) The ECLB feature allows you to load balance up to eight Cisco IPS
>>> sensors connected to the 'same' chassis. So YES, you can connect more
>>> than one sensor to the same switch (using a separate port/interface
>>> for each sensor). All ports will be part of the same etherchannel
>>> group. This is also stated clearly in the link you provided:
>>>
>>> • The IPS appliances must be in on-a-stick mode (INLINE VLAN PAIR),
>>> meaning that the IPS appliance can only use one sensing port on that
>>> Catalyst switch. That port is trunked so that the IPS appliance has an
>>> inbound and outbound path to and from the switch.
>>> • Up to eight ports can be defined in an EtherChannel. This means that
>>> you can add up to eight IPS appliances on a single Catalyst switch.
>>>
>>> 2) The 'Inline Interface Pair' feature requires that the ports to
>>> which the IPS is connected should be access ports and NOT trunk ports.
>>>
>>> Regards
>>>
>>> Farrukh Haroon
>>> CCIE # 20184 (Security)
>>>
>>>
>>>
>>> On Wed, Apr 1, 2009 at 3:46 PM, <bdikici (at) gmail (dot) com> wrote:
>>>> Hello ,
>>>>
>>>> I have got two core switches. They are running redundant with HSRP. One of
>>>> them is HSRP active and spanning tree root for all VLANs; the other is HSRP
>>>> passive and spanning tree secondary for all VLANs. I have got a server VLAN,
>>>> and I would like to inspect traffic to this VLAN from all other user
>>>> VLANs. All servers are connected to the backbone switches via other
>>>> aggregation switches. We have got 6 aggregation switches and all of them are
>>>> connected to the backbone switches via 1 gigabit f/o uplinks. Because of
>>>> that, I need 6 Gbps throughput for the IPS system which will protect the
>>>> server VLAN.
>>>> Which topology do you recommend for this purpose? Should I use other
>>>> switches to connect all IPS devices to the backbone switches? Or should I
>>>> connect IPS devices directly to the backbone switches? Which one is more
>>>> preferable for performance and redundancy?
>>>>
>>>> Another question is:
>>>> I saw the message written below at this address:
>>>> http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
>>>> "The IPS appliances must be in on-a-stick mode, meaning that the IPS
>>>> appliance can only use one sensing port on that Catalyst switch. That port
>>>> is trunked so that the IPS appliance has an inbound and outbound path to
>>>> and from the switch."
>>>> My question is:
>>>> Can I have one IPS with three or four ports attached to the same switch in
>>>> an etherchannel?
>>>>
>>>>
>>>> The last question:
>>>> Is it possible to configure the Cisco IPS like the topology below? SW1's
>>>> and SW2's connection ports to the IPS are in trunk mode. I would like to
>>>> configure the IPS in inline interface pairing mode (not VLAN pairing mode).
>>>>
>>>>
>>>> SW1-----------IPS-----------SW2
>>>>
>>>>
>>>>
>>>>
>>>> Kind Regards...
>>>>
>>>> Burak Dikici
>>>>
>>>>
>>>>
>>
>
>

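A worked configuration for the EtherChannel load-balancing (ECLB) deployment that Gary and Farrukh describe above: one trunked sensing port per sensor, all sensor ports in one channel group, each sensor running an inline VLAN pair. This is an added example, not code from the thread or from the Cisco document Burak quotes. It assumes a Catalyst 6500 running IOS, two sensors (add a member port per sensor, up to eight), VLAN 10 as the server VLAN, VLAN 20 as the VLAN that carries the switch's gateway SVI, sensor sensing port GigabitEthernet0/0, and IPS 6.x CLI syntax; the interface numbers and addresses are illustrative.

```cisco
! ---- Catalyst switch side (assumed: Catalyst 6500, IOS) ----
!
! Both directions of a flow must hash to the same sensor, otherwise each
! sensor sees only half of every TCP session and stateful inspection fails.
! src-dst-ip is symmetric; src-ip or src-mac alone is not. Global on the 6500.
port-channel load-balance src-dst-ip
!
interface Port-channel1
 description IPS ECLB group (on-a-stick sensors, one trunk port each)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 ! The sensor bridges VLAN 10 and 20, so the switch's own BPDUs can come
 ! back through this channel; filter them here unless your STP design
 ! deliberately relies on them crossing the sensor (verify for your topology).
 spanning-tree bpdufilter enable
!
! Sensors do not speak PAgP/LACP: the channel must be "mode on" (static).
interface GigabitEthernet1/1
 description Sensor 1, sensing port GigabitEthernet0/0
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/2
 description Sensor 2, sensing port GigabitEthernet0/0
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 1 mode on
!
! The gateway SVI lives on VLAN 20 only; servers sit on VLAN 10. Nothing
! inside the switch bridges or routes between the two, so the only path
! from a server to its gateway is through a sensor's inline VLAN pair.
interface Vlan20
 description Server gateway, reached from VLAN 10 only through the IPS
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2/1
 description Server access port
 switchport
 switchport access vlan 10
 switchport mode access
!
! ---- Sensor side (assumed: IPS 6.x CLI), repeated identically on every sensor ----
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description Bridge VLAN 10 (servers) to VLAN 20 (gateway)
sensor(config-int-phy-inl-sub)# vlan1 10
sensor(config-int-phy-inl-sub)# vlan2 20
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

Two checks before trusting it: `show etherchannel 1 summary` on the switch should list every sensor port as a bundled (P) member, and `show etherchannel load-balance` should report src-dst-ip; on each sensor, `show interfaces` should show GigabitEthernet0/0 up with the VLAN pair assigned to vs0. Note that this is inline VLAN pair mode, which needs trunk ports; it is not the inline interface pair mode Burak asked about in his last question, where the sensor has two physical ports and is cabled between SW1 and SW2.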
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 03 2009 09:38PM
Farrukh Haroon (farrukhharoon gmail com) (1 replies)
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 03 2009 09:48PM
Gary Halleen (ghalleen cisco com) (1 replies)
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 04 2009 02:41AM
Farrukh Haroon (farrukhharoon gmail com)


Copyright 2010, SecurityFocus