Congrats Tyson for becoming Triple CCIE.

With regards
Kings

On Mon, Oct 5, 2009 at 6:57 PM, Segun Daini <[email protected]> wrote:

> Congrats Tyson!!!...let me guess SP??

------------------------------
From: Wayne Lawson <[email protected]>
To: Tyson Scott <[email protected]>
Cc: [email protected]; [email protected]
Sent: Monday, October 5, 2009 2:24:32 PM
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking

Tyson - Update your signature to reflect your THIRD CCIE!

Congrats again! ;-)

Regards,
Wayne A. Lawson II - CCIE #5244
Founder & President - IPexpert, Inc.
Mailto: [email protected]
Mobile: +1.810.334.1564

:: Message sent from iPhone.

On Oct 5, 2009, at 9:14 AM, "Tyson Scott" <[email protected]> wrote:

Nabil,

That is right on. The same concept when using the IPS. Just change ASA to IPS in the middle and the concept is the same for inline or inline VLAN pair.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

------------------------------
From: [email protected] [mailto:[email protected]] On Behalf Of Nabil Omar
Sent: Monday, October 05, 2009 8:50 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking

The reason for using two VLANs, I think, is a matter of design; it is used to avoid bypassing the firewall.
Because usually in real life you have the VLANs spanned across all the switches, so if somebody messed up the cabling and, for example, connected the two switches together with a cable, in this case if the INSIDE and OUTSIDE are in the same VLAN, the user will be able to communicate with the outside without any restriction (bypassing the firewall). But if they are in different VLANs they will not be able to communicate unless through the firewall, because it is bridging between those two VLANs.
That is my opinion; correct me if I am wrong.

Scenario with same VLANs on both sides

switch ---- trunk-------------ASA ------trunk-------------switch
   |                                                        |
   ----------------------------------------------------------
                    Wrong Cabled Trunk Link
vlan 2 - 10.20.30.0                             vlan 2 - 10.20.30.0
vlan 3 - 20.10.30.0                             vlan 3 - 20.10.30.0

Best Regards
Nabil

------------------------------
Date: Mon, 5 Oct 2009 16:50:22 +0530
From: [email protected]
To: [email protected]; [email protected]; [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking

Thanks to all for your inputs.

I just wanted to do some investigation in my lab before replying.

Various cases

IPS (inline) is transparent and doesn't disturb the setup

switch ---- trunk-------------IPS ------trunk-------------switch
vlan 2 - 10.20.30.0                             vlan 2 - 10.20.30.0
vlan 3 - 20.10.30.0                             vlan 3 - 20.10.30.0

Switch is transparent and doesn't disturb the setup

switch ---- trunk-------------switch ------trunk-------------switch
vlan 2 - 10.20.30.0                             vlan 2 - 10.20.30.0
vlan 3 - 20.10.30.0                             vlan 3 - 20.10.30.0

Transparent firewall ASA requires four VLANs

switch ---- trunk-------------ASA ------trunk-------------switch
vlan 2 - 10.20.30.0                             vlan 6 - 10.20.30.0
vlan 3 - 20.10.30.0                             vlan 7 - 20.10.30.0

I was about to talk about the trunking inspection done by the IPS sensor.

With the IPS sensor, if you need to monitor the traffic between a trunk link, you need to just configure an inline pair interface and insert the two trunk links from the two switches into the two interfaces of the sensor that have been paired. Here I need not disturb the switch setup. It is very transparent. If you want, you can use VLAN groups and put each sub-interface in a different virtual sensor.

But when it comes to the ASA for the above topology where the IPS sensor was placed, we need to bridge between different VLANs.

I am actually aware that we need different VLANs when we put the ASA in between a trunk.

But I am actually searching for a reason from anyone of why Cisco implemented it this way, requiring two VLANs and thereby forcing one of the switches to change their VLAN for inserting the ASA in between.

With the IPS sensor, the job was easy. With the ASA, I need to reconfigure the VLANs on the switches.

With an IOS router or ASA in routing mode, it is inter-VLAN routing; there we definitely need different VLANs to route between VLANs.

But with a transparent firewall, why do we need different VLANs for bridging a subnet? Transparent means plug and play, right?

I just wanted others' thoughts on this Cisco way of implementation to be sure that I remove the misunderstanding from my mind.

So I have posted this mail here.

With regards
Kings

On Mon, Oct 5, 2009 at 12:06 AM, Paul Stewart <[email protected]> wrote:

In my opinion, the best example of transparent firewalling in the way described is VLAN pairs on the IPS appliance. The concept of using a transparent firewall to bridge two VLANs is exactly the same as using a VLAN pair on an IPS to bridge two VLANs. In both cases, both of the VLANs exist in the same layer 3 subnet. However, for devices in VLAN x to talk to devices in VLAN y, they must go through the transparent firewall, just like they would have to go through the IPS. The IPS simply has a less strictly defined role than that of a firewall.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
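The bypass argument discussed in the thread (same VLAN ID on both sides of the transparent ASA versus distinct IDs, with a stray trunk patched between the two switches), worked through as an added layer-2 reachability model. This is example code written for this page, not anything from the list or from Cisco; the device names SW1, ASA-in, ASA-out and SW2 and the VLAN numbers are constructed from the thread's diagrams.

```python
from collections import deque

# Constructed model of the thread's topology: SW1 --trunk-- ASA --trunk-- SW2.
# Nodes are (device, vlan) pairs. A 'trunk' edge carries frames of that VLAN
# unchanged between two devices; a switch never forwards between VLANs, so the
# only edge joining two different VLANs is the ASA's 'firewall' edge.


def build_links(left_vlans, right_vlans, miscabled):
    """Return L2 edges; left_vlans[i] is bridged by the ASA to right_vlans[i]."""
    links = []
    for lv, rv in zip(left_vlans, right_vlans):
        links.append((("SW1", lv), ("ASA-in", lv), "trunk"))
        links.append((("ASA-in", lv), ("ASA-out", rv), "firewall"))
        links.append((("ASA-out", rv), ("SW2", rv), "trunk"))
    if miscabled:
        # Nabil's scenario: a stray trunk between the switches allowing all VLANs.
        for v in sorted(set(left_vlans) | set(right_vlans)):
            links.append((("SW1", v), ("SW2", v), "trunk"))
    return links


def reachable_without_firewall(links, src, dst):
    """BFS over trunk edges only: can frames get from src to dst unfiltered?"""
    adj = {}
    for a, b, kind in links:
        if kind == "firewall":
            continue  # paths through the ASA are exactly what we exclude
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def bypass_possible(left_vlans, right_vlans, miscabled=True):
    """True if any left-side segment reaches its right-side counterpart
    without its frames passing through the transparent firewall."""
    links = build_links(left_vlans, right_vlans, miscabled)
    return any(reachable_without_firewall(links, ("SW1", lv), ("SW2", rv))
               for lv, rv in zip(left_vlans, right_vlans))


if __name__ == "__main__":
    print("same VLAN IDs, miscabled:", bypass_possible([2, 3], [2, 3]))  # True
    print("distinct VLAN IDs, miscabled:", bypass_possible([2, 3], [6, 7]))  # False
```

The model generalises the thread's two diagrams to any list of bridged VLAN pairs: a stray trunk only bypasses the ASA when a host VLAN ID is reused on both sides.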
