Focus on IDS
Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing
Apr 01 2009 12:46PM
bdikici gmail com
Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing
Apr 02 2009 09:56AM
Farrukh Haroon (farrukhharoon gmail com)
1) The ECLB feature allows you to load balance up to eight Cisco IPS
Sensors connected to the 'same' chassis. So YES you can connect more
than one sensor to the same switch (using a separate port/interface
for each sensor). All ports will be part of the same etherchannel
group. This is also stated clearly in the link you provided:
"The IPS appliances must be in on-a-stick mode (INLINE VLAN PAIR),
meaning that the IPS appliance can only use one sensing port on that
Catalyst switch. That port is trunked so that the IPS appliance has an
inbound and outbound path to and from the switch."
"Up to eight ports can be defined in an EtherChannel. This means that
you can add up to eight IPS appliances on a single Catalyst switch."
2) The 'Inline Interface Pair' feature requires that the ports to
which the IPS is connected should be access ports and NOT trunk ports.
CCIE # 20184 (Security)
On Wed, Apr 1, 2009 at 3:46 PM, <bdikici (at) gmail (dot) com [email concealed]> wrote:
> Hello,
> I have got two core switches. They are running redundant with HSRP. One of
> them is HSRP active and spanning tree root for all VLANs, the other is HSRP
> passive and spanning tree secondary for all VLANs. I have got a server VLAN
> which I would like to inspect traffic to this VLAN from all other user
> VLANs. All servers are connected to the backbone switches via other
> aggregation switches. We have got 6 aggregation switches and all of them are
> connected to the backbone switches via 1 gigabit f/o uplinks. Because of
> that, I need 6 Gbps throughput for the IPS system which will protect the
> server VLAN.
> Which topology do you recommend for this purpose? Should I use other
> switches to connect all IPS devices to the backbone switches? Or should I
> connect IPS devices directly to the backbone switches? Which one is more
> preferable for performance and redundancy?
> Another question is:
> I saw the message which is written below in this address:
> "The IPS appliances must be in on-a-stick mode, meaning that the IPS
> appliance can only use one sensing port on that Catalyst switch. That port
> is trunked so that the IPS appliance has an inbound and outbound path to and
> from the switch."
> My question is:
> Can I have one IPS with three or four ports attached to the same switch in
> an etherchannel?
> The last question:
> Is it possible to configure the Cisco IPS like the topology below? SW1's and SW2's connection ports to the IPS are in trunk mode. I would like to configure the IPS in inline interface pairing mode (not VLAN pairing mode).
> Kind Regards...
> Burak Dikici
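An added configuration sketch of the on-a-stick / inline VLAN pair design the reply describes (not code from the thread or from Cisco's documentation): one trunk port per sensor bundled into a single EtherChannel on the Catalyst, and the matching inline VLAN pair on one sensor. VLANs 10/20, the interface names, the channel-group number, the 192.0.2.1 gateway address and the virtual sensor name are assumed placeholders.

```cisco
! --- Catalyst side (IOS; names and numbers are assumed) ---
! Servers sit on VLAN 10, their gateway SVI on VLAN 20. The switch itself
! must never bridge or route 10 <-> 20; the only path is through a sensor.
vlan 10
 name SERVERS-PRE-IPS
vlan 20
 name SERVERS-POST-IPS
!
! One trunk port per sensor, all in the same channel group.
! Up to eight members, i.e. up to eight sensors, as the reply states.
interface range GigabitEthernet1/1 - 6
 description IPS sensing port (one sensor per member port)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 1 mode on
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! Both directions of a flow must land on the same sensor or stateful
! inspection breaks. src-dst-ip XORs the two addresses, so A->B and
! B->A hash to the same member.
port-channel load-balance src-dst-ip
!
interface Vlan20
 description Server gateway; reaches VLAN 10 only via the sensors
 ip address 192.0.2.1 255.255.255.0
!
! --- Sensor side (IPS CLI; one sensor shown, the others are identical) ---
configure terminal
service interface
 physical-interfaces GigabitEthernet0/0
  admin-state enabled
  subinterface-type inline-vlan-pair
   subinterface 1
    description Bridge server VLAN 10 <-> gateway VLAN 20
    vlan1 10
    vlan2 20
exit
service analysis-engine
 virtual-sensor vs0
  physical-interface GigabitEthernet0/0 subinterface-number 1
```

Do not create an SVI on VLAN 10 on the same switch: that would give the servers a path to the gateway that bypasses the sensors entirely.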
Copyright 2010, SecurityFocus