Hi Kingsley,

VLANs of the same subnet should have the same ID naturally... and in that case you just need an uplink cable to connect the two switches - no routing. Being the same network, the IPs of nodes on both sides are unique.

But if you have the same subnets but two different networks... this implies that IP conflicts will exist... what I think you'd need is a device that will NAT the IPs while routing traffic between the two devices. In the IPS inline scenario, the two VLANs are the same network and thereby the IPs of nodes on both VLANs are unique - no conflict. Traditional inter-VLAN routing will handle two VLANs of two different subnets.

Regards

________________________________
From: Kingsley Charles <[email protected]>
To: Tyson Scott <[email protected]>
Cc: Paul Stewart <[email protected]>; [email protected]; [email protected]; [email protected]
Sent: Sunday, August 30, 2009 5:48:52 AM
Subject: Re: [OSL | CCIE_Security] IPS Sensor inter vlan pair mode with vlans in different subnet

Hi Tyson

I was referring to the inter-VLAN routing capability of the Catalyst. I agree that using VLAN pair mode is common. As you said, due to end-to-end routing issues, inline VLAN pair can't practically be used with two VLANs in two different subnets. This leaves us to use VLAN pair with VLANs in the same subnet. But I was wondering if bridging between two VLANs that are both in the same subnet is a common case used in switching deployments.

With regards
Kings

On Sat, Aug 29, 2009 at 11:31 PM, Tyson Scott <[email protected]> wrote:

> Kingsley,
>
> For your Catalyst comment, are you speaking of a VLAN bridge or just Layer 3 aware routing on the Catalysts? I am unclear as to what you are referring to.
>
> The sensor's sensing interfaces are not Layer 3 aware, to put it simply, so it doesn't have the capability to route traffic.
>
> Using a VLAN pair is not an unusual deployment. It is common. The inline VLAN pair would be applied to one of the virtual sensors and any traffic that goes from one device to another will be inspected.
>
> In regards to how it is done: as the traffic comes in on the VLAN, the dot1q header is removed. The traffic is inspected and the dot1q header for the next VLAN is attached to the packet and it is sent out the other side.
>
> HTH
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities: http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Saturday, August 29, 2009 11:11 AM
> To: Tyson Scott; Paul Stewart; [email protected]; [email protected]
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] IPS Sensor inter vlan pair mode with vlans in different subnet
>
> Hi
>
> If the sensor needs to bridge traffic from one VLAN to another VLAN then it should either do inter-VLAN routing (having routing intelligence) or be a dummy device like a hub.
>
> I am aware that switches like the 3550/3560 can also do inter-VLAN routing without the need of a router. Does the sensor also do the same? But that is not possible without a routing VLAN interface.
>
> As per my understanding, the sensor can either be just a dummy device like a hub and transmit traffic with inline pair mode. If the sensor needs to inspect trunk traffic, then we need to configure the trunking sub-interface and use VLAN groups.
>
> The following are the cases where the sensor will bridge between two VLANs.
>
> 1. Configure a sensor interface in inline VLAN pair mode and connect the switch interface as trunk. The switch bridges between two VLANs.
> 2. Configure a sensor in inline interface pair mode and connect two interfaces (access mode) of the same switch with two different VLANs. The switch bridges between two VLANs.
> 3. Configure a sensor in inline interface pair mode and connect two interfaces (access mode) of two different switches with two different VLANs. The switch bridges between two VLANs.
> 4. Configure a sensor in inline interface pair mode and connect two interfaces (trunk mode) of two different switches with multiple VLANs. The switch bridges between all VLANs. VLAN groups can be used with different virtual sensors.
>
> For the 2nd and 3rd cases, the sensor will act just like a hub. It is a usual deployment, where the sensor is just placed in between.
>
> For the 4th case, the sensor acts like a trunking pipe. It is a usual deployment, where the sensor is just placed in between.
>
> I have the following questions for the 1st case with inline pair mode:
>
> * It acts as a VLAN bridge between two VLANs in the same subnet. This is not a usual deployment. Where will inline VLAN pair actually be used?
> * Also, based on which criteria does the sensor bridge the VLAN IDs? How does the sensor bridge between VLANs? Or does it bridge/swap all trunk packets coming with a VLAN ID configured in the VLAN pair?
>
> With regards
> Kings
>
> On Sat, Aug 29, 2009 at 7:44 PM, Tyson Scott <[email protected]> wrote:
>
>> Kingsley,
>>
>> It is possible to bridge two disparate networks together using inline pair or VLAN pair. The problem is not the IPS; it would be the two devices on each side. They will have no idea how to communicate with each other as they are on separate networks.
>>
>> So although the IPS could technically do it, no traffic is going to flow through the IPS because routing requires communication from end to end.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Saturday, August 29, 2009 7:20 AM
>> To: Stuart Hare
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] IPS Sensor inter vlan pair mode with vlans in different subnet
>>
>> Hi Stu
>>
>> In most cases, each VLAN has its own subnet. The sensor interface supports 802.1q trunking but doesn't support interface VLAN routing.
>>
>> I think the limitation of not having inter-VLAN routing prevents bridging with routing of VLANs with different subnets.
>>
>> In the case of inline VLAN pair mode, how does the sensor decide/know which packet it needs to bridge between the VLAN pairs?
>>
>> With regards
>> Kings
>>
>> On Sat, Aug 29, 2009 at 3:11 PM, Stuart Hare <[email protected]> wrote:
>>
>> Kings
>>
>> This is where you would use inline interface pairs instead of VLAN pairs. Set up the switchports as access to your respective VLANs and assign both of the interfaces to a single inline pair.
>>
>> Hth
>> Stu
>> Sent from my iPhone
>>
>> On 29 Aug 2009, at 10:14, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi all
>>>
>>> IPS Sensor supports inter VLAN pair mode with the interface in trunking mode. The sensor actually bridges, i.e., swaps the VLAN ID of the incoming frame. Here, should both VLANs be in the same subnet? Can the VLANs be in different subnets?
>>>
>>> VLAN A - 10.20.30.0/24
>>> VLAN B - 10.30.20.0/24
>>>
>>> Can the sensor's interface be configured in inline VLAN pair mode between VLAN A and B?
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
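The tag rewrite Tyson describes (dot1q header removed, traffic inspected, header for the paired VLAN re-attached) and the reason two hosts in different subnets still cannot talk through it, modelled in Python as an added example. This is not code from the thread or from Cisco's IPS: the frame bytes are constructed sample data, and the pair mapping, the rule that frames on any other VLAN are left alone, and the on-link subnet check are assumptions of the model, not a description of the sensor's actual implementation.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(dst_mac, src_mac, vid, src_ip, dst_ip, pcp=0):
    """Build a constructed 802.1Q-tagged Ethernet frame carrying a minimal
    IPv4 header (sample data, not captured traffic).  Layout:
    dst(6) src(6) TPID(2) TCI(2) EtherType(2) IPv4 header(20) = 38 bytes."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    tci = (pcp << 13) | (vid & 0x0FFF)            # TCI = PCP(3) DEI(1) VID(12)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20, 0, 0, 64, 1, 0,  # IHL 5, total len 20, TTL 64, ICMP, checksum left 0
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return (mac(dst_mac) + mac(src_mac)
            + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ip_hdr)


def parse_tag(frame):
    """Return (vid, pcp) of an 802.1Q frame, or None if the frame is untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def inline_vlan_pair_forward(frame, pair):
    """Model of the inline VLAN pair data path (an assumption of this example):
    a frame tagged with one VLAN of the pair leaves tagged with the other VLAN.
    PCP/DEI and everything above the tag (MACs, IP header, payload) are untouched.
    A frame on any other VLAN is not bridged by this pair (returns None)."""
    tag = parse_tag(frame)
    if tag is None:
        return None
    vid, _ = tag
    a, b = pair
    if vid == a:
        new_vid = b
    elif vid == b:
        new_vid = a
    else:
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]
    new_tci = (tci & 0xF000) | new_vid            # keep PCP and DEI bits, replace VID
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def ip_endpoints(frame):
    """Source and destination IPv4 addresses of the payload (IP header starts at
    offset 18; src/dst sit 12 bytes into it).  The pair rewrite never changes these,
    which is why the sensor cannot stand in for inter-VLAN routing."""
    src, dst = struct.unpack_from("!4s4s", frame, 18 + 12)
    return str(IPv4Address(src)), str(IPv4Address(dst))


def on_link(src_ip, dst_ip, prefix_len):
    """Would the source host ARP for dst directly?  Only if dst lies inside the
    source's own subnet; otherwise the host sends to its default gateway, which is
    the end-to-end routing problem the thread raises for different-subnet VLANs."""
    return IPv4Address(dst_ip) in IPv4Network(f"{src_ip}/{prefix_len}", strict=False)


if __name__ == "__main__":
    PAIR = (10, 20)                               # assumed inline VLAN pair
    frame = build_tagged_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01",
                               10, "10.20.30.5", "10.20.30.6")
    out = inline_vlan_pair_forward(frame, PAIR)
    print("ingress tag", parse_tag(frame), "-> egress tag", parse_tag(out))
    print("IP endpoints unchanged:", ip_endpoints(out))
    other = build_tagged_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01",
                               30, "10.20.30.5", "10.20.30.6")
    print("VLAN 30 bridged by pair (10, 20):", inline_vlan_pair_forward(other, PAIR) is not None)
    print("10.20.30.5 -> 10.30.20.5 on-link with /24:", on_link("10.20.30.5", "10.30.20.5", 24))
```

Running the script shows the only field that changes between ingress and egress is the 12-bit VID; the IP header, and therefore each host's view of what is on-link, is exactly what it was. With VLAN A and VLAN B in different /24s as in the original question, neither host would ARP for the other across the pair, so the pair bridges frames that never get sent.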
