Got the answer, but I still wonder why it didn't work for me even when I
changed the default VLAN to one other than 1.

Snippet from
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_interfaces.html

Inline VLAN Pairs

–You cannot pair a VLAN with itself.

–You cannot use the default VLAN as one of the paired VLANs in an inline
VLAN pair.

–For a given sensing interface, a VLAN can be a member of only one inline
VLAN pair. However, a given VLAN can be a member of an inline VLAN pair on
more than one sensing interface.

–The order in which you specify the VLANs in an inline VLAN pair is not
significant.

–A sensing interface in inline VLAN pair mode can have from 1 to 255 inline
VLAN pairs.



With regards
Kings

On Mon, Apr 18, 2011 at 9:30 PM, Bruno <[email protected]> wrote:

> Well, try to remove that command and start a packet capture on IPS. Try to
> see if at least something from client on vlan1 is reaching the IPS.
> Try to ping from vlan23 with packet capture running to see if something
> comes back
>
>
> On Mon, Apr 18, 2011 at 12:45 PM, Kingsley Charles <
> [email protected]> wrote:
>
>> Bruno, I tried that too. The thing is that the vlan 1 traffic doesn't enter
>> inline vlan interface at all.
>>
>> With regards
>> Kings
>>
>>
>> On Mon, Apr 18, 2011 at 9:13 PM, Bruno <[email protected]> wrote:
>>
>>> Hey King,
>>>
>>> Did you limit the trunk for vlan 1 and 23? You may want to take off all
>>> other non-used from vlan 1 besides Client and IPS trunk for testing
>>> purposes.
>>>
>>> The command you wrote should do that for you
>>>
>>>
>>> On Mon, Apr 18, 2011 at 9:50 AM, Tyson Scott <[email protected]> wrote:
>>>
>>>> Kingsley,
>>>>
>>>>
>>>>
>>>> I don't know about the below question.  Not without testing but I am
>>>> guessing it doesn't like you using VLAN 1.  But would need to test to
>>>> confirm.
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>>
>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>>>> Mailto: [email protected]
>>>> Telephone: +1.810.326.1444, ext. 208
>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>> eFax: +1.810.454.0130
>>>>
>>>>
>>>>
>>>>
>>>> *From:* [email protected] [mailto:
>>>> [email protected]] *On Behalf Of *Jim Terry
>>>> *Sent:* Monday, April 18, 2011 7:51 AM
>>>> *Cc:* [email protected]
>>>> *Subject:* Re: [OSL | CCIE_Security] Inline vlan pair with vlan 1
>>>>
>>>>
>>>>
>>>> Hi all,
>>>>
>>>>
>>>>
>>>> I am not familiar with this command:  vlan dot1q tag native  and the
>>>> 3560 config Guide does not explain it in words that I can comprehend.  What
>>>> does it do?
>>>>
>>>>
>>>>
>>>> JT
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Apr 16, 2011 at 11:01 AM, Kingsley Charles <
>>>> [email protected]> wrote:
>>>>
>>>> Hi all
>>>>
>>>> I tried to configure inline vlan pair on a sensor pairing vlan 1 and 23.
>>>> I enabled 2004 and 2000 signatures. Traffic from 23 was coming in but not
>>>> from vlan 1, i.e., it was unidirectional. Since vlan 1 is the native vlan,
>>>> it should have been sent untagged and hence the sensor didn't swap it. Hence I
>>>> tried configuring *vlan dot1q tag native* and changing the native vlan
>>>> to some other vlan other than 1, still I faced the same issue.
>>>>
>>>> What could be the problem?
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>
>>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>