Tyson - Update your signature to reflect your THIRD CCIE!
Congrats again! ;-)
Regards,
Wayne A. Lawson II - CCIE #5244
Founder & President - IPexpert, Inc.
Mailto: [email protected]
Mobile: +1.810.334.1564
:: Message sent from iPhone.
On Oct 5, 2009, at 9:14 AM, "Tyson Scott" <[email protected]> wrote:
Nabil,
That is right on. The same concept when using the IPS. Just change
ASA to IPS in the middle and the concept is the same for inline or
inline VLAN pair.
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video
On Demand and Audio Certification Training Tools for the Cisco CCIE
R&S Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice
Lab and CCIE Storage Lab Certifications.
From: [email protected]
[mailto:[email protected]] On Behalf Of
Nabil Omar
Sent: Monday, October 05, 2009 8:50 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking
The reason for using two VLANs, I think, is a matter of design: it
is used to avoid bypassing the firewall.
Because usually in real life you have the VLANs spanned across all
the switches, so if somebody messed up the cabling and, for example,
connected the two switches together with a cable, in this case if the
INSIDE and OUTSIDE are in the same VLAN, the user will be able to
communicate with the outside without any restriction (bypassing the
firewall). But if they are in different VLANs they will not be able
to communicate unless through the firewall, because it is bridging
between those two VLANs.
That is my opinion; correct me if I am wrong.
Scenario with same VLANs on both sides

switch ---- trunk-------------ASA ------trunk-------------switch
   |                                                         |
   -----------------------------------------------------------
                     Wrong cabled trunk link

vlan 2 - 10.20.30.0                             vlan 2 - 10.20.30.0
vlan 3 - 20.10.30.0                             vlan 3 - 20.10.30.0
Best Regards
Nabil
Date: Mon, 5 Oct 2009 16:50:22 +0530
From: [email protected]
To: [email protected]; [email protected]; [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking
Thanks to all for your inputs.
I just wanted to do some investigation in my lab before replying.
Various cases

IPS (inline) is transparent and doesn't disturb the setup

switch ---- trunk-------------IPS ------trunk-------------switch
vlan 2 - 10.20.30.0                             vlan 2 - 10.20.30.0
vlan 3 - 20.10.30.0                             vlan 3 - 20.10.30.0

Switch is transparent and doesn't disturb the setup

switch ---- trunk-------------switch ------trunk-------------switch
vlan 2 - 10.20.30.0                             vlan 2 - 10.20.30.0
vlan 3 - 20.10.30.0                             vlan 3 - 20.10.30.0

Transparent firewall ASA requires four VLANs

switch ---- trunk-------------ASA ------trunk-------------switch
vlan 2 - 10.20.30.0                             vlan 6 - 10.20.30.0
vlan 3 - 20.10.30.0                             vlan 7 - 20.10.30.0
I was about to talk about the trunking inspection done by the IPS sensor.
With an IPS sensor, if you need to monitor the traffic on a trunk
link, you just need to configure an inline interface pair and insert
the two trunk links from the two switches into the two interfaces of the
sensor that have been paired. Here I need not disturb the switch
setup. It is very transparent. If you want, you can use VLAN groups
and put each sub-interface in a different virtual sensor.
But when it comes to the ASA in the above topology where the IPS sensor was
placed, we need to bridge between different VLANs.
I am actually aware that we need different VLANs when we put the ASA
in between a trunk.
But I am actually searching for a reason from anyone of why
Cisco implemented it this way, requiring two VLANs and thereby forcing
one of the switches to change its VLANs for inserting the ASA in between.
With the IPS sensor, the job was easy. With the ASA, I need to reconfigure
the VLANs on the switches.
With an IOS router or ASA in routing mode, it is inter-VLAN routing;
there we definitely need different VLANs to route between VLANs.
But with a transparent firewall, why do we need different VLANs for
bridging a subnet? Transparent means plug and play, right?
I just wanted others' thoughts on this Cisco way of implementation
to be sure that I remove the misunderstanding from my mind.
So I have posted this mail here.
With regards
Kings
On Mon, Oct 5, 2009 at 12:06 AM, Paul Stewart <[email protected]>
wrote:
In my opinion, the best example of transparent firewalling in the
way described is vlan pairs on the IPS appliance. The concept of
using transparent Firewall to bridge two VLANs is exactly the same
as using a VLAN pair on an IPS to bridge two vlans. In both cases,
both of the vlans exist in the same layer 3 subnet. However, for
devices in vlan x to talk to devices in vlan y, they must go through
the transparent firewall, just like they would have to go through
the IPS. The IPS simply has a less strictly defined role than that
of a firewall.
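For reference, here is the configuration that the four-VLAN topology in Kings' message implies. This is an added example, not configuration posted by anyone in the thread; it assumes an ASA running 8.4 or later (so that two bridge groups can carry the two subnets) and made-up interface names and BVI addresses.

```text
! --- ASA, transparent mode (interface names and BVI addresses are assumptions) ---
firewall transparent
!
interface GigabitEthernet0/0
 description trunk to inside switch (VLANs 2 and 3)
 no shutdown
interface GigabitEthernet0/0.2
 vlan 2
 bridge-group 1
 nameif inside-a
 security-level 100
interface GigabitEthernet0/0.3
 vlan 3
 bridge-group 2
 nameif inside-b
 security-level 100
!
interface GigabitEthernet0/1
 description trunk to outside switch (VLANs 6 and 7)
 no shutdown
interface GigabitEthernet0/1.6
 vlan 6
 bridge-group 1
 nameif outside-a
 security-level 0
interface GigabitEthernet0/1.7
 vlan 7
 bridge-group 2
 nameif outside-b
 security-level 0
!
! One bridged subnet per bridge group; each BVI needs an address in its subnet
interface BVI1
 ip address 10.20.30.254 255.255.255.0
interface BVI2
 ip address 20.10.30.254 255.255.255.0
!
! --- Outside switch: the 10.20.30.0 and 20.10.30.0 hosts are moved to VLANs 6 and 7 ---
vlan 6
 name net-10-20-30-0
vlan 7
 name net-20-10-30-0
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 6,7
```

With this renumbering a mis-cabled trunk between the two switches carries no VLAN that exists on both sides, so frames tagged 2 or 3 arriving at the outside switch (or 6 and 7 at the inside switch) are dropped instead of bypassing the firewall, which is the failure Nabil describes.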
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com