Hi Tyson

One last point/clarification on this subject.

With an IOS router or ASA, when connected to a trunk from a switch carrying
vlans 2 and 3, we configure the following:

! ASA subinterface syntax shown; on IOS the tag line is "encapsulation dot1Q <vlan>"
interface g0/0.2
 vlan 2
!
interface g0/0.3
 vlan 3

Please correct me if I am wrong here in the vlan handling concept.

The sub-interfaces configured with specific vlans read the VLAN ID in the
802.1q encapsulated frames that come through G0/0. If a frame needs
to be routed to a different interface, it strips out the 802.1q tag and then
routes it through the other interface.

If the frame needs to be inter-vlan routed, the VLAN ID is swapped to the destination
vlan and then sent back to the trunk interface through which it arrived.


With IPS in inline mode, the VLAN ID is neither stripped nor swapped; it is just
sent across to the other interface.

Note: the exceptional case is inline vlan pair mode, where the vlan id is
swapped between the two vlans.

Some time ago I read in a document that the ASA doesn't support
passing 802.3 encapsulated frames as of now.

With ASA or router, the trunk terminates on the trunk interface configured
for vlans.

With IPS inline mode, the trunk doesn't terminate but just passes across the
two interfaces.

Please find the actual concept of transparent firewall that I had in my
mind.

This is hypothetical :-)


*Topology*

switch ---- trunk ---- G0/1 ASA G0/0 ---- trunk ---- switch

vlan 2 - 10.20.30.0                       vlan 2 - 10.20.30.0
vlan 3 - 20.10.30.0                       vlan 3 - 20.10.30.0


*ASA configuration*

firewall transparent
!
interface g0/1
 nameif inside
 security-level 100
!
interface g0/0
 nameif outside
 security-level 0
!
access-list mine ethertype permit dot1q any any
!
access-group mine in interface inside
access-group mine in interface outside


With regards
Kings
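
An added worked model (my own Python, not code from the thread or from Cisco) of the three tag-handling behaviours described in this message: an inline IPS interface pair passing the 802.1q tag untouched, an inline VLAN pair (or a transparent ASA bridging two vlans) swapping the VLAN ID between its two vlans, and a router or ASA dot1q subinterface stripping the tag and re-tagging for the egress vlan. The sample frame, MAC addresses and routing table are constructed; `parse_frame`, `build_frame` and the device functions are hypothetical names.

```python
import ipaddress
import struct
TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame):
    """Return (dst_mac, src_mac, vid, ethertype, payload); vid is None when untagged."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]   # low 12 bits of TCI = VLAN ID

def build_frame(dst, src, vid, etype, payload):
    """Rebuild a frame; a tag is inserted only when vid is given (PCP/DEI left at 0)."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload

def ips_inline_pair(frame):
    return frame   # inline interface pair: tag is neither stripped nor swapped

def inline_vlan_pair(frame, vlan_a, vlan_b):
    """Inline VLAN pair (same idea as a transparent ASA bridging two vlans): swap the VID
    between the paired vlans; frames from any other vlan are not bridged."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid not in (vlan_a, vlan_b):
        return None
    return build_frame(dst, src, vlan_b if vid == vlan_a else vlan_a, etype, payload)

def router_subinterface(frame, routes):
    """Dot1q subinterfaces: strip the tag, pick the egress interface by destination subnet,
    re-tag with its vlan (None = untagged). MAC rewrite and TTL decrement are omitted."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if etype != ETHERTYPE_IPV4 or len(payload) < 20:
        return None                                  # only IPv4 is routed in this model
    dst_ip = ipaddress.IPv4Address(payload[16:20])   # IPv4 destination address field
    for network, egress_vid in routes:
        if dst_ip in network:
            return build_frame(dst, src, egress_vid, etype, payload)
    return None

def sample_frame(dst_ip="20.10.30.9"):
    """Constructed sample: IPv4 frame tagged vlan 2, from 10.20.30.5 (subnets from the thread)."""
    ip_hdr = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])   # minimal 20-byte header, checksum 0
    ip_hdr += ipaddress.IPv4Address("10.20.30.5").packed + ipaddress.IPv4Address(dst_ip).packed
    return build_frame(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", 2, ETHERTYPE_IPV4, ip_hdr)

# Constructed subinterface routing table: vlan 2 and vlan 3 subinterfaces plus an untagged default
ROUTES = [(ipaddress.ip_network("10.20.30.0/24"), 2), (ipaddress.ip_network("20.10.30.0/24"), 3),
          (ipaddress.ip_network("0.0.0.0/0"), None)]
```

Running the same vlan 2 frame through each function shows the tag leaving as vlan 2, vlan 6 and vlan 3 respectively, which is the difference the message describes.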

On Mon, Oct 5, 2009 at 5:15 PM, Tyson Scott <[email protected]> wrote:

> Kingsley,
>
> IPS is exactly the same as a transparent firewall when you are running inline and
> trying to get traffic through it when the IPS is connected to a single switch
> as in our setup on Proctorlabs.  There is no difference between the IPS and
> transparent firewall.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
> Storage Lab Certifications.
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Monday, October 05, 2009 7:20 AM
> *To:* Paul Stewart; Tyson Scott; 'Segun Daini
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Transparent firewall with trunking
>
> Thanks to all for your inputs.
>
> I just wanted to do some investigation in my lab before replying.
>
> *Various cases*
>
> *IPS (inline) is transparent and doesn't disturb the setup*
>
> switch ---- trunk ---- *IPS* ---- trunk ---- switch
>
> vlan 2 - 10.20.30.0                 vlan 2 - 10.20.30.0
> vlan 3 - 20.10.30.0                 vlan 3 - 20.10.30.0
>
> *Switch is transparent and doesn't disturb the setup*
>
> switch ---- trunk ---- *switch* ---- trunk ---- switch
>
> vlan 2 - 10.20.30.0                 vlan 2 - 10.20.30.0
> vlan 3 - 20.10.30.0                 vlan 3 - 20.10.30.0
>
> *Transparent firewall ASA requires different vlans*
>
> switch ---- trunk ---- ASA ---- trunk ---- switch
>
> vlan 2 - 10.20.30.0                 vlan 6 - 10.20.30.0
> vlan 3 - 20.10.30.0                 vlan 7 - 20.10.30.0
>
> I was about to talk about the trunking inspection done by the IPS sensor.
>
> With the IPS sensor, if you need to monitor the traffic on a trunk link,
> you just configure an inline pair interface and insert the two trunk
> links from the two switches into the two interfaces of the sensor that have been
> paired.  Here I need not disturb the switch setup. It is very transparent.
> If you want, you can use vlan groups and put each sub-interface in a
> different virtual sensor.
>
> But when it comes to the ASA in the above topology where the IPS sensor was placed,
> we need to bridge between different vlans.
>
> I am actually aware that we need different vlans when we put an ASA in
> between a trunk.
>
> But I am actually searching for a reason from anyone for why Cisco
> implemented it this way, requiring two vlans and thereby forcing one of the
> switches to change its vlans for inserting the ASA in between.
>
> With the IPS sensor, the job was easy. With the ASA, I need to reconfigure the
> vlans on the switches.
>
> With an IOS router or ASA in routing mode, it is inter-vlan routing, so there we
> definitely need different vlans to route between vlans.
>
> But with a transparent firewall, why do we need different vlans for bridging
> a subnet? Transparent means plug and play, right?
>
> I just wanted others' thoughts on Cisco's way of implementation, to be
> sure that I remove the misunderstanding from my mind.
>
> So I have posted this mail here.
>
> With regards
>
> Kings
>
> On Mon, Oct 5, 2009 at 12:06 AM, Paul Stewart <[email protected]> wrote:
>
> In my opinion, the best example of transparent firewalling in the way
> described is vlan pairs on the IPS appliance.  The concept of using
> transparent Firewall to bridge two VLANs is exactly the same as using a VLAN
> pair on an IPS to bridge two vlans.  In both cases, both of the vlans exist
> in the same layer 3 subnet.  However, for devices in vlan x to talk to
> devices in vlan y, they must go through the transparent firewall, just like
> they would have to go through the IPS.  The IPS simply has a less strictly
> defined role than that of a firewall.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
>