Kingsley,

IPS is exactly the same as a transparent firewall when you are running inline and
trying to get traffic thru it when the IPS is connected to a single switch,
as in our setup on Proctorlabs.  There is no difference between the IPS and
a transparent firewall.

Regards,

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage
Lab Certifications.

From: Kingsley Charles [mailto:[email protected]]
Sent: Monday, October 05, 2009 7:20 AM
To: Paul Stewart; Tyson Scott; 'Segun Daini'
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking

Thanks to all for your inputs.

I just wanted to do some investigation in my lab before replying.

Various cases

IPS (inline) is transparent and doesn't disturb the setup

 switch ---- trunk-------------IPS ------trunk-------------switch

 vlan 2 - 10.20.30.0                                vlan 2 - 10.20.30.0
 vlan 3 - 20.10.30.0                                vlan 3 - 20.10.30.0

Switch is transparent and doesn't disturb the setup

 switch ---- trunk-------------switch ------trunk-------------switch

 vlan 2 - 10.20.30.0                                vlan 2 - 10.20.30.0
 vlan 3 - 20.10.30.0                                vlan 3 - 20.10.30.0

Transparent firewall ASA requires different vlans

 switch ---- trunk-------------ASA ------trunk-------------switch

 vlan 2 - 10.20.30.0                                vlan 6 - 10.20.30.0
 vlan 3 - 20.10.30.0                                vlan 7 - 20.10.30.0

I was about to talk about the trunking inspection done by the IPS sensor.

With the IPS sensor, if you need to monitor the traffic on a trunk link,
you just need to configure an inline interface pair and insert the two trunk
links from the two switches into the two interfaces of the sensor that have
been paired.  Here I need not disturb the switch setup. It is very transparent.
If you want, you can use vlan groups and put each sub-interface in a
different virtual sensor.

But when it comes to the ASA in the above topology where the IPS sensor was
placed, we need to bridge between different vlans.

I am actually aware that we need different vlans when we put the ASA in
between a trunk.

But I am actually looking for a reason from anyone as to why Cisco
implemented it this way, requiring two vlans and thereby forcing one of the
switches to change its vlan for inserting the ASA in between.

With IPS sensor, the job was easy. With ASA, I need to reconfigure the vlans
on switches.

With an IOS router or ASA in routing mode, it is inter-vlan routing; there we
definitely need different vlans to route between vlans.

But with a transparent firewall, why do we need different vlans for bridging a
subnet? Transparent means plug and play, right?

I just wanted others' thoughts on Cisco's way of implementing this, to be
sure that I remove the misunderstanding from my mind.

So I have posted this mail here.

With regards

Kings

On Mon, Oct 5, 2009 at 12:06 AM, Paul Stewart <[email protected]> wrote:

In my opinion, the best example of transparent firewalling in the way
described is vlan pairs on the IPS appliance.  The concept of using
transparent Firewall to bridge two VLANs is exactly the same as using a VLAN
pair on an IPS to bridge two vlans.  In both cases, both of the vlans exist
in the same layer 3 subnet.  However, for devices in vlan x to talk to
devices in vlan y, they must go through the transparent firewall, just like
they would have to go through the IPS.  The IPS simply has a less strictly
defined role than that of a firewall.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

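As an added, worked illustration (not written by anyone in this thread, and not a Cisco reference config), this is what the third diagram above, the ASA inserted between two trunks, looks like in configuration. It assumes the ASA 8.4-and-later bridge-group syntax (older releases have a single bridge and set the management address globally), the interface numbers, nameif values, ACL names and the .254 management addresses are all made up, and the switch side shows only the right-hand switch, since that is the one whose VLAN numbering has to change from 2/3 to 6/7 while the hosts keep the same subnets.

```cisco
! ===== ASA, transparent mode (assumed 8.4+ syntax) =====
firewall transparent
!
interface GigabitEthernet0/0
 description Trunk to left-hand switch (VLANs 2 and 3)
 no shutdown
!
interface GigabitEthernet0/1
 description Trunk to right-hand switch (VLANs 6 and 7)
 no shutdown
!
! One bridge group per subnet: VLAN 2 <-> VLAN 6 carries 10.20.30.0/24,
! VLAN 3 <-> VLAN 7 carries 20.10.30.0/24.  The two sides of each bridge
! must be different named interfaces, which is why the VLAN IDs differ.
interface GigabitEthernet0/0.2
 vlan 2
 bridge-group 1
 nameif inside-a
 security-level 100
!
interface GigabitEthernet0/1.6
 vlan 6
 bridge-group 1
 nameif outside-a
 security-level 0
!
interface GigabitEthernet0/0.3
 vlan 3
 bridge-group 2
 nameif inside-b
 security-level 100
!
interface GigabitEthernet0/1.7
 vlan 7
 bridge-group 2
 nameif outside-b
 security-level 0
!
! The only IP addresses live on the BVIs and must sit inside the bridged
! subnet (addresses constructed for this example).
interface BVI1
 ip address 10.20.30.254 255.255.255.0
!
interface BVI2
 ip address 20.10.30.254 255.255.255.0
!
! Transparent mode still applies the security levels: low-to-high traffic
! needs an explicit permit, exactly like routed mode.
access-list OUTSIDE-IN extended permit icmp any any
access-group OUTSIDE-IN in interface outside-a
access-group OUTSIDE-IN in interface outside-b
!
! Non-IP frames are dropped by default.  Two switches now share a VLAN
! through the ASA, so spanning tree only sees the far side if BPDUs
! are explicitly allowed through the bridge.
access-list L2-PASS ethertype permit bpdu
access-group L2-PASS in interface inside-a
access-group L2-PASS in interface outside-a
access-group L2-PASS in interface inside-b
access-group L2-PASS in interface outside-b

! ===== Right-hand switch (IOS) =====
! Hosts in 10.20.30.0/24 and 20.10.30.0/24 on this switch are in
! VLAN 6 and VLAN 7 here; only the tag changes, not the addressing.
vlan 6
 name SEG-10-20-30
!
vlan 7
 name SEG-20-10-30
!
interface FastEthernet0/24
 description Trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 6,7
!
interface FastEthernet0/1
 description Host 10.20.30.x, reached from VLAN 2 through bridge-group 1
 switchport mode access
 switchport access vlan 6
```

Compare this with the IPS inline interface pair in the first diagram: the sensor forwards every tagged frame from one physical port to the other without naming the VLANs at all, so both switches keep VLAN 2 and 3. On the ASA, `show bridge-group` and `show mac-address-table` show which named interface each host MAC was learned on, which is the quickest way to confirm that a host in VLAN 6 on the right really is being reached from VLAN 2 on the left.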