Message: 2
Date: Sat, 29 Aug 2009 16:50:01 +0530
From: Kingsley Charles <[email protected]>
Subject: Re: [OSL | CCIE_Security] IPS Sensor inter vlan pair mode with vlans in different subnet
To: Stuart Hare <[email protected]>
Cc: "[email protected]" <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Hi Stu

In most of the cases, each vlan has its own subnet. Sensor interface supports 802.1q trunking but doesn't support interface vlan routing. I think, the limitation of not having inter vlan routing prevents bridging with routing of vlans with different subnets. In the case of inline vlan pair mode, how does the sensor decide/know which packet that it needs to bridge between the vlan pairs?

With regards
Kings

Kings, I assumed this happens in much the same way the switch does, by building a table of mac addresses. This is an assumption, I'm not 100% sure. It doesn't really matter, since the switches that trunk to them do. Why would I say such a thing? Because the IPS could simply assume that the switch knows what it is doing. Each VLAN pair can have only two vlans. So if a frame were received tagged for vlan A, the IPS could just blindly forward it to VLAN B and all would work fine.
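
The blind forwarding described in the reply above, as an added example that is not part of the original thread and is not Cisco's implementation: a frame tagged for one VLAN of a pair has only its 802.1Q VLAN ID swapped for the partner's, with no MAC table or routing lookup. The VLAN numbers 10/20, the function names and the sample frame are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_pair_map(pairs):
    """Map each VLAN of a pair to its partner; a VLAN may sit in one pair only."""
    partner = {}
    for a, b in pairs:
        if a == b:
            raise ValueError("a pair needs two different VLANs")
        for vid in (a, b):
            if not 1 <= vid <= 4094:
                raise ValueError(f"invalid VLAN ID {vid}")
            if vid in partner:
                raise ValueError(f"VLAN {vid} is already paired")
        partner[a], partner[b] = b, a
    return partner

def bridge_frame(frame, partner):
    """Return the frame retagged for the partner VLAN, or None if not bridged."""
    if len(frame) < 18:          # 12 bytes MACs + 4 bytes tag + 2 bytes EtherType
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:       # untagged frame: belongs to no pair
        return None
    out_vid = partner.get(tci & 0x0FFF)
    if out_vid is None:          # VLAN is not part of any configured pair
        return None
    new_tci = (tci & 0xF000) | out_vid   # keep PCP/DEI bits, swap only the VID
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]

def make_frame(vid, pcp=0):
    """Constructed sample frame: made-up MACs, IPv4 EtherType, dummy payload."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    return macs + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, 0x0800) + b"payload"

def vlan_of(frame):
    """Read the 12-bit VLAN ID from a tagged frame."""
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF

if __name__ == "__main__":
    pairs = build_pair_map([(10, 20)])   # VLAN numbers are assumptions
    for vid in (10, 20, 30):
        out = bridge_frame(make_frame(vid), pairs)
        print(vid, "->", vlan_of(out) if out else "not bridged")
```

Because the MAC addresses and payload pass through unchanged, both VLANs of a pair end up in one broadcast domain, which is why the subnet question raised in the thread falls to the devices on either side rather than to the sensor.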
