Focus on IDS
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 02 2009 10:39AM
Farrukh Haroon (farrukhharoon gmail com) (1 replies)
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 03 2009 08:24PM
Gary Halleen (ghalleen cisco com) (1 replies)
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 03 2009 09:38PM
Farrukh Haroon (farrukhharoon gmail com) (1 replies)
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 03 2009 09:48PM
Gary Halleen (ghalleen cisco com) (1 replies)
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing Apr 04 2009 02:41AM
Farrukh Haroon (farrukhharoon gmail com)
OK great, thanks for the clarification Gary. However due to the
'inline' nature of the IPS I would think that the trunk port option is
not always feasible (unless the STP path is modified) to force the
traffic through the IPS. As we have to guarantee all VLAN traffic
passes through the IPS only.

Regards

Farrukh

On Sat, Apr 4, 2009 at 12:48 AM, Gary Halleen <ghalleen (at) cisco (dot) com [email concealed]> wrote:
> Correct, but that is only if the IPS interfaces are connected to interfaces
> on a the same switch.  If the IPS interfaces are connected to two different
> switches, then the interfaces can be trunk ports.
>
> Gary
>
>
>
> On 4/3/09 2:38 PM, "Farrukh Haroon" <farrukhharoon (at) gmail (dot) com [email concealed]> wrote:
>
>> http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_interfaces.html#wp1033986
>>
>> "If the paired interfaces are connected to the same switch, you should
>> configure them on the switch as access ports with different access
>> VLANs for the two ports. Otherwise, traffic does not flow through the
>> inline interface. "
>>
>> Regards
>>
>> Farrukh
>>
>> On Fri, Apr 3, 2009 at 11:24 PM, Gary Halleen <ghalleen (at) cisco (dot) com [email concealed]> wrote:
>>> Multiple interfaces on a single IPS sensor can be attached to a single
>>> etherchannel group (up to 8 interfaces per group).
>>>
>>> Additionally, inline interface pairs can be connected to trunk ports.  Cisco
>>> IPS is able to track traffic per-VLAN, in this case.
>>>
>>> Gary
>>>
>>>
>>> The Hacker only has to be right once...
>>>
>>> Stay Secure!
>>>
>>>
>>> Gary Halleen, CISSP-ISSAP, CHP
>>> Consulting Security Engineer
>>> Cisco Systems
>>> Author, Security Monitoring with CS-MARS, ISBN: 1587052709
>>>
>>>
>>>
>>> On 4/2/09 3:39 AM, "Farrukh Haroon" <farrukhharoon (at) gmail (dot) com [email concealed]> wrote:
>>>
>>>> No, only one interface can be connected to my knowledge (as Inline
>>>> VLAN Pair mode uses one interface only and this is the only supported
>>>> deployment model in ECLB).
>>>>
>>>> Regards
>>>>
>>>> Farrukh
>>>>
>>>> On Thu, Apr 2, 2009 at 1:21 PM, Burak Dikici <bdikici (at) gmail (dot) com [email concealed]> wrote:
>>>>>
>>>>> Hello Farrukh ,
>>>>>
>>>>> What do you say about this question ?
>>>>>
>>>>> "Can I have ONE IPS with three or four inline mode ports attached to the
>>>>> same switch in an etherchannel ?"  I am talking about one IPS with multiple
>>>>> interfaces. For example two IPS with four interfaces in the switch's
>>>>> etherchannel group with eight ports.   Thank you.
>>>>>
>>>>> Burak
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Apr 2, 2009 at 12:56 PM, Farrukh Haroon <farrukhharoon (at) gmail (dot) com [email concealed]>
>>>>> wrote:
>>>>>>
>>>>>> Hello Burak
>>>>>>
>>>>>> 1) The ECLB feature allows you to load balance up to eight Cisco IPS
>>>>>> Sensors connected to the 'same' chassis. So YES you can connect more
>>>>>> than one sensor to the same switch (using a separate port/interface
>>>>>> for each sensor). All ports will be part of the same etherchannel
>>>>>> group. This is also stated clearly in the link you provided:
>>>>>>
>>>>>> • The IPS appliances must be in on-a-stick mode (INLINE VLAN PAIR),
>>>>>> meaning that the IPS appliance can only use one sensing port on that
>>>>>> Catalyst switch. That port is trunked so that the IPS appliance has an
>>>>>> inbound and outbound path to and from the switch.
>>>>>> • Up to eight ports can be defined in an EtherChannel. This means that
>>>>>> you can add up to eight IPS appliances on a single Catalyst switch.
>>>>>>
>>>>>> 2) The 'Inline Interface Pair' feature requires that the ports to
>>>>>> which the IPS is connected should be access ports and NOT trunk ports.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Farrukh Haroon
>>>>>> CCIE # 20184 (Security)
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 1, 2009 at 3:46 PM,  <bdikici (at) gmail (dot) com [email concealed]> wrote:
>>>>>>> Hello ,
>>>>>>>
>>>>>>> I have got two core switches. They are running redundant with HSRP. One
>>>>>>> of them is HSRP active and spanning tree root for all VLANs, the other is
>>>>>>> HSRP passive and spanning tree secondary for all VLANs. I have got a
>>>>>>> server VLAN which I would like to inspect traffic to this VLAN from all
>>>>>>> other user VLANs. All servers are connected to the backbone switches via
>>>>>>> other aggregation switches. We have got 6 aggregation switches and all of
>>>>>>> them are connected to the backbone switches via 1 gigabit f/o uplinks.
>>>>>>> Because of that, I need 6 Gbps throughput for the IPS system which will
>>>>>>> protect the server VLAN.
>>>>>>> Which topology do you recommend for this purpose? Should I use other
>>>>>>> switches to connect all IPS devices to the backbone switches? Or should
>>>>>>> I connect IPS devices directly to the backbone switches? Which one is
>>>>>>> more preferable for performance and redundancy?
>>>>>>>
>>>>>>> Another question is;
>>>>>>> I saw the message which is written below in this address;
>>>>>>> http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
>>>>>>> "The IPS appliances must be in on-a-stick mode, meaning that the IPS
>>>>>>> appliance can only use one sensing port on that Catalyst switch. That
>>>>>>> port is trunked so that the IPS appliance has an inbound and outbound
>>>>>>> path to and from the switch."
>>>>>>> My question is;
>>>>>>> Can I have one IPS with three or four ports attached to the same switch
>>>>>>> in an etherchannel?
>>>>>>>
>>>>>>>
>>>>>>> The last question;
>>>>>>> Is it possible to configure the Cisco IPS like the topology below?
>>>>>>> SW1's and SW2's connection ports to the IPS are in trunk mode. I would
>>>>>>> like to configure the IPS in inline interface pairing mode (not VLAN
>>>>>>> pairing mode).
>>>>>>>
>>>>>>>
>>>>>>> SW1-----------IPS-----------SW2
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Kind Regards...
>>>>>>>
>>>>>>> Burak Dikici
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>
>
>
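The ECLB discussion above (up to eight sensors hashed behind one EtherChannel) rests on a requirement the thread does not spell out: both directions of a flow must be sent to the same sensor, otherwise the inline sensor never sees the complete session it is supposed to inspect. The toy model below is an added example, not code from the thread or from Cisco; its hash (XOR of the low address bits masked to the member-link count) is an assumed simplification of a src-dst-ip EtherChannel hash, the "src-ip" policy is included only to show why a one-sided hash breaks inline inspection, and SAMPLE_FLOWS are constructed addresses.

```python
# Added example (not from the thread): toy model of EtherChannel load
# balancing in front of inline IPS sensors. For inline inspection, the
# request and the reply of a flow must land on the SAME member link (and
# therefore the same sensor). The hash used here is an assumed
# simplification, not Cisco's actual algorithm.
import ipaddress


def _addr_bits(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def member_link(src: str, dst: str, links: int, policy: str = "src-dst-ip") -> int:
    """Pick the EtherChannel member (0..links-1) a packet is forwarded on."""
    if links not in (2, 4, 8):
        raise ValueError("this toy model only handles 2, 4 or 8 member links")
    s, d = _addr_bits(src), _addr_bits(dst)
    if policy == "src-dst-ip":
        key = s ^ d   # symmetric: identical for A->B and B->A
    elif policy == "src-ip":
        key = s       # asymmetric: depends on which side is sending
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return key & (links - 1)


def flow_is_consistent(client: str, server: str, links: int, policy: str) -> bool:
    """True if request and reply are steered to the same sensor-facing link."""
    return (member_link(client, server, links, policy)
            == member_link(server, client, links, policy))


def audit(flows, links, policy):
    """Return the flows whose two directions would be split across sensors."""
    return [(c, s) for c, s in flows if not flow_is_consistent(c, s, links, policy)]


# Constructed sample flows: user-VLAN clients talking to server-VLAN hosts.
SAMPLE_FLOWS = [
    ("10.1.0.11", "10.9.0.5"),
    ("10.1.0.12", "10.9.0.5"),
    ("10.2.0.7", "10.9.0.20"),
    ("10.3.0.33", "10.9.0.21"),
]

if __name__ == "__main__":
    for policy in ("src-dst-ip", "src-ip"):
        split = audit(SAMPLE_FLOWS, 8, policy)
        print(f"{policy}: {len(split)} of {len(SAMPLE_FLOWS)} flows split across sensors")
```

With eight member links, the symmetric policy keeps every sample flow on one sensor, while the one-sided policy splits all four; the same check applies to any hash policy a switch offers, which is why a per-flow symmetric hash is a precondition for ECLB with inline sensors.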

Copyright 2010, SecurityFocus