Congrats Tyson!!!...let me guess SP??
________________________________
From: Wayne Lawson <[email protected]>
To: Tyson Scott <[email protected]>
Cc: [email protected]; [email protected]
Sent: Monday, October 5, 2009 2:24:32 PM
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking

Tyson - Update your signature to reflect your THIRD CCIE! Congrats again! ;-)

Regards,
Wayne A. Lawson II - CCIE #5244
Founder & President - IPexpert, Inc.
Mailto: [email protected]
Mobile: +1.810.334.1564
:: Message sent from iPhone.

On Oct 5, 2009, at 9:14 AM, "Tyson Scott" <[email protected]> wrote:

> Nabil,
>
> That is right on. The same concept applies when using the IPS. Just change ASA to IPS in the middle and the concept is the same for inline or inline VLAN pair.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Nabil Omar
> Sent: Monday, October 05, 2009 8:50 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking
>
> The reason for using two VLANs, I think, is a matter of design; it is used to avoid bypassing the firewall.
>
> Because usually in real life you have the VLANs spanned across all the switches, so if somebody messed up the cabling and, for example, connected the two switches together with a cable, then if the INSIDE and OUTSIDE are in the same VLAN the user will be able to communicate with the outside without any restriction (bypassing the firewall). But if they are in different VLANs they will not be able to communicate except through the firewall, because it is bridging between those two VLANs.
>
> That is my opinion; correct me if I am wrong.
>
> Scenario with the same VLANs on both sides:
>
>   switch ---- trunk ------------- ASA ------ trunk ------------- switch
>     |                                                               |
>     ---------------------------------------------------------------
>                        Wrongly cabled trunk link
>
>   vlan 2 - 10.20.30.0                               vlan 2 - 10.20.30.0
>   vlan 3 - 20.10.30.0                               vlan 3 - 20.10.30.0
>
> Best Regards
> Nabil
>
> ________________________________
> Date: Mon, 5 Oct 2009 16:50:22 +0530
> From: [email protected]
> To: [email protected]; [email protected]; [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking
>
>> Thanks to all for your inputs.
>>
>> I just wanted to do some investigation in my lab before replying.
>>
>> Various cases:
>>
>> IPS (inline) is transparent and doesn't disturb the setup
>>
>>   switch ---- trunk ------------- IPS ------ trunk ------------- switch
>>   vlan 2 - 10.20.30.0                               vlan 2 - 10.20.30.0
>>   vlan 3 - 20.10.30.0                               vlan 3 - 20.10.30.0
>>
>> Switch is transparent and doesn't disturb the setup
>>
>>   switch ---- trunk ------------- switch ------ trunk ------------- switch
>>   vlan 2 - 10.20.30.0                                  vlan 2 - 10.20.30.0
>>   vlan 3 - 20.10.30.0                                  vlan 3 - 20.10.30.0
>>
>> Transparent firewall ASA requires four VLANs
>>
>>   switch ---- trunk ------------- ASA ------ trunk ------------- switch
>>   vlan 2 - 10.20.30.0                               vlan 6 - 10.20.30.0
>>   vlan 3 - 20.10.30.0                               vlan 7 - 20.10.30.0
>>
>> I was about to talk about the trunking inspection done by the IPS sensor.
>>
>> With the IPS sensor, if you need to monitor the traffic on a trunk link, you just need to configure an inline interface pair and insert the two trunk links from the two switches into the two sensor interfaces that have been paired. Here I need not disturb the switch setup. It is very transparent. If you want, you can use VLAN groups and put each sub-interface in a different virtual sensor.
>>
>> But when it comes to the ASA in the above topology where the IPS sensor was placed, we need to bridge between different VLANs.
>>
>> I am actually aware that we need different VLANs when we put an ASA in the middle of a trunk.
>>
>> But I am actually searching for a reason from anyone as to why Cisco implemented it this way, requiring two VLANs and thereby forcing one of the switches to change its VLAN in order to insert the ASA in between.
>>
>> With the IPS sensor, the job was easy. With the ASA, I need to reconfigure the VLANs on the switches.
>>
>> With an IOS router or an ASA in routed mode, it is inter-VLAN routing; there we definitely need different VLANs to route between VLANs.
>>
>> But with a transparent firewall, why do we need different VLANs for bridging a subnet? Transparent means plug and play, right?
>>
>> I just wanted others' thoughts on this Cisco way of implementation, to be sure that I remove the misunderstanding from my mind.
>>
>> So I have posted this mail here.
>>
>> With regards
>> Kings
>>
>> On Mon, Oct 5, 2009 at 12:06 AM, Paul Stewart <[email protected]> wrote:
>>
>>> In my opinion, the best example of transparent firewalling in the way described is VLAN pairs on the IPS appliance. The concept of using a transparent firewall to bridge two VLANs is exactly the same as using a VLAN pair on an IPS to bridge two VLANs. In both cases, both of the VLANs exist in the same layer 3 subnet. However, for devices in VLAN x to talk to devices in VLAN y, they must go through the transparent firewall, just like they would have to go through the IPS. The IPS simply has a less strictly defined role than that of a firewall.
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
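Added example, not from any of the posters above: the ASA and switch configuration for Kings' third diagram, with VLAN 2 bridged to VLAN 6 and VLAN 3 bridged to VLAN 7. It uses the bridge-group syntax introduced in ASA 8.4; the 8.2 code current when this thread was written bridged exactly one inside/outside pair per transparent-mode context, so the two pairs would have needed two security contexts there. The interface names, the .254 management address on each BVI, the sample ACL and the SwitchA/SwitchB port numbers are assumptions; the VLAN IDs and subnets are the ones from the diagram.

```cisco
! ---- ASA, transparent mode (ASA 8.4+ bridge-group syntax, assumed) ----
firewall transparent
!
interface GigabitEthernet0/0
 description trunk to SwitchA (carries VLAN 2 and 3)
 no shutdown
!
interface GigabitEthernet0/1
 description trunk to SwitchB (carries VLAN 6 and 7)
 no shutdown
!
! Bridge group 1: VLAN 2 (inside) <-> VLAN 6 (outside), subnet 10.20.30.0/24
interface GigabitEthernet0/0.2
 vlan 2
 nameif inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1.6
 vlan 6
 nameif outside
 bridge-group 1
 security-level 0
!
! Bridge group 2: VLAN 3 (inside2) <-> VLAN 7 (outside2), subnet 20.10.30.0/24
interface GigabitEthernet0/0.3
 vlan 3
 nameif inside2
 bridge-group 2
 security-level 100
!
interface GigabitEthernet0/1.7
 vlan 7
 nameif outside2
 bridge-group 2
 security-level 0
!
! Management address per bridge group; must lie inside the bridged subnet.
! The .254 host addresses are assumed to be unused.
interface BVI1
 ip address 10.20.30.254 255.255.255.0
!
interface BVI2
 ip address 20.10.30.254 255.255.255.0
!
! Inside->outside is permitted by security level; outside->inside needs an ACL.
! Sample policy (assumed): only HTTPS may enter the 10.20.30.0/24 segment.
access-list OUT_IN extended permit tcp any 10.20.30.0 255.255.255.0 eq 443
access-group OUT_IN in interface outside
!
! ---- SwitchA: trunk facing ASA Gi0/0 ----
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3
!
! ---- SwitchB: trunk facing ASA Gi0/1 ----
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 6,7
```

The reason for the two VLAN numbers is visible in the bridge groups: a frame tagged VLAN 2 can only come out tagged VLAN 6 by passing through bridge-group 1 and the ACLs on its interfaces, so the VLAN 2 and VLAN 6 broadcast domains never merge. A stray trunk between SwitchA and SwitchB, the case in Nabil's diagram, still keeps those domains apart; with VLAN 2 on both sides it would join inside and outside directly and the ASA would never see the traffic. Two things to check after cutting over: the transparent ASA only inspects IP, so any non-IP EtherType other than ARP needs an EtherType ACL before it will be bridged; and the hosts' default gateway must still be reachable on the far side of the bridge, since the ASA itself does not route between the BVIs.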
