Focus on IDS
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing, Apr 03 2009 09:48PM
Gary Halleen (ghalleen cisco com)
Correct, but that is only if the IPS interfaces are connected to interfaces
on the same switch. If the IPS interfaces are connected to two different
switches, then the interfaces can be trunk ports.

Gary

On 4/3/09 2:38 PM, "Farrukh Haroon" <farrukhharoon (at) gmail (dot) com> wrote:

> http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_interfaces.html#wp1033986
>
> "If the paired interfaces are connected to the same switch, you should
> configure them on the switch as access ports with different access
> VLANs for the two ports. Otherwise, traffic does not flow through the
> inline interface. "
>
> Regards
>
> Farrukh
>
> On Fri, Apr 3, 2009 at 11:24 PM, Gary Halleen <ghalleen (at) cisco (dot) com> wrote:
>> Multiple interfaces on a single IPS sensor can be attached to a single
>> etherchannel group (up to 8 interfaces per group).
>>
>> Additionally, inline interface pairs can be connected to trunk ports.  Cisco
>> IPS is able to track traffic per-VLAN, in this case.
>>
>> Gary
>>
>>
>> The Hacker only has to be right once...
>>
>> Stay Secure!
>>
>>
>> Gary Halleen, CISSP-ISSAP, CHP
>> Consulting Security Engineer
>> Cisco Systems
>> Author, Security Monitoring with CS-MARS, ISBN: 1587052709
>>
>>
>>
>> On 4/2/09 3:39 AM, "Farrukh Haroon" <farrukhharoon (at) gmail (dot) com> wrote:
>>
>>> No, only one interface can be connected to my knowledge (as Inline
>>> VLAN Pair mode uses one interface only and this is the only supported
>>> deployment model in ECLB).
>>>
>>> Regards
>>>
>>> Farrukh
>>>
>>> On Thu, Apr 2, 2009 at 1:21 PM, Burak Dikici <bdikici (at) gmail (dot) com> wrote:
>>>>
>>>> Hello Farrukh ,
>>>>
>>>> What do you say about this question ?
>>>>
>>>> "Can I have ONE IPS with three or four inline mode ports attached to the
>>>> same switch in an etherchannel?" I am talking about one IPS with multiple
>>>> interfaces. For example two IPS with four interfaces in the switch's
>>>> etherchannel group with eight ports. Thank you.
>>>>
>>>> Burak
>>>>
>>>>
>>>>
>>>> On Thu, Apr 2, 2009 at 12:56 PM, Farrukh Haroon <farrukhharoon (at) gmail (dot) com> wrote:
>>>>>
>>>>> Hello Burak
>>>>>
>>>>> 1) The ECLB feature allows you to load balance up to eight Cisco IPS
>>>>> Sensors connected to the 'same' chassis. So YES you can connect more
>>>>> than one sensor to the same switch (using a separate port/interface
>>>>> for each sensor). All ports will be part of the same etherchannel
>>>>> group. This is also stated clearly in the link you provided:
>>>>>
>>>>> • The IPS appliances must be in on-a-stick mode (INLINE VLAN PAIR),
>>>>> meaning that the IPS appliance can only use one sensing port on that
>>>>> Catalyst switch. That port is trunked so that the IPS appliance has an
>>>>> inbound and outbound path to and from the switch.
>>>>> • Up to eight ports can be defined in an EtherChannel. This means that
>>>>> you can add up to eight IPS appliances on a single Catalyst switch.
>>>>>
>>>>> 2) The 'Inline Interface Pair' feature requires that the ports to
>>>>> which the IPS is connected should be access ports and NOT trunk ports.
>>>>>
>>>>> Regards
>>>>>
>>>>> Farrukh Haroon
>>>>> CCIE # 20184 (Security)
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Apr 1, 2009 at 3:46 PM, <bdikici (at) gmail (dot) com> wrote:
>>>>>> Hello ,
>>>>>>
>>>>>> I have got two core switches. They are running redundant with HSRP. One
>>>>>> of them is HSRP active and spanning tree root for all VLANs, the other is
>>>>>> HSRP passive and spanning tree secondary for all VLANs. I have got a server
>>>>>> VLAN for which I would like to inspect traffic from all other user VLANs.
>>>>>> All servers are connected to the backbone switches via other aggregation
>>>>>> switches. We have got 6 aggregation switches and all of them are connected
>>>>>> to the backbone switches via 1 gigabit f/o uplinks. Because of that, I need
>>>>>> 6 Gbps throughput for the IPS system which will protect the server VLAN.
>>>>>> Which topology do you recommend for this purpose? Should I use other
>>>>>> switches to connect all IPS devices to the backbone switches? Or should I
>>>>>> connect IPS devices directly to the backbone switches? Which one is more
>>>>>> preferable for performance and redundancy?
>>>>>>
>>>>>> Another question is;
>>>>>> I saw the message which is written below in this address;
>>>>>> http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
>>>>>> "The IPS appliances must be in on-a-stick mode, meaning that the IPS
>>>>>> appliance can only use one sensing port on that Catalyst switch. That port
>>>>>> is trunked so that the IPS appliance has an inbound and outbound path to
>>>>>> and from the switch."
>>>>>> My question is;
>>>>>> Can I have one IPS with three or four ports attached to the same switch in
>>>>>> an etherchannel?
>>>>>>
>>>>>>
>>>>>> The last question;
>>>>>> Is it possible to configure the Cisco IPS like the topology below? SW1's
>>>>>> and SW2's connection ports to the IPS are in trunk mode. I would like to
>>>>>> configure the IPS in inline interface pairing mode (not VLAN pairing
>>>>>> mode).
>>>>>>
>>>>>>
>>>>>> SW1-----------IPS-----------SW2
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Kind Regards...
>>>>>>
>>>>>> Burak Dikici
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>
>>>
>>
>>
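An added illustration, not from any of the posters and not from Cisco's own documentation, of the two switch-side arrangements the thread contrasts, written as Catalyst IOS configuration. Interface names, VLAN numbers, the channel-group number and the src-dst-ip hash choice are assumptions.

```cisco
! ECLB: each sensor attaches with ONE trunked sensing port (inline VLAN pair,
! "on-a-stick"); up to eight such ports form one EtherChannel, so up to
! eight sensors. Every sensor bridges VLAN 10 <-> VLAN 20 internally.
! Assumed hash: src-dst-ip keeps both directions of a flow on one sensor.
port-channel load-balance src-dst-ip
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/1
 description IPS-1 sensing port (VLAN pair 10/20)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/2
 description IPS-2 sensing port (VLAN pair 10/20)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 1 mode on
!
! ... GigabitEthernet1/3 to 1/8 identical for sensors 3 to 8 (assumed).
!
! Inline INTERFACE pair with both ends on this same switch: the two ports
! must be access ports in different VLANs, otherwise traffic does not
! flow through the pair. They are NOT members of the EtherChannel.
interface GigabitEthernet2/1
 description IPS-3 inline interface pair, side A
 switchport
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet2/2
 description IPS-3 inline interface pair, side B
 switchport
 switchport access vlan 31
 switchport mode access
```

Trunked ports toward a sensor in inline interface pair mode are only an option when the two ends of the pair land on two different switches, as Gary notes above.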
