Hi,
the answer is evident if you recall that in in-line interface pairing
mode an IPS is doing classical bridging. And bridging together two ports
of the same VLAN on the _same_ switch creates a bridging loop (if not
stopped by STP).

However, there's no problem with "same vlan, same subnet" if each
interface of the pair connects to a _different_ switch. Two scenarios
are possible:
          * sw1(access-port in vlan 10) --- IPS --- sw2(access-port in vlan 10)
          * sw1(802.1q port with vlan 10) --- IPS --- sw2(802.1q port with vlan 10)

The first is trivial - as the ports are access-type, the IPS doesn't
know about VLANs, and the interface pair will work fine; no bridging
loop will occur provided that sw1 and sw2 have no other (direct)
connection which carries vlan 10. (Note that in the typical topology of
the practice labs the two switches are usually interconnected with an
802.1q link permitting all vlans; hence, there the loop will still occur
if you don't remove the vlan 10 from the trunk.)

The second scenario requires creating a VLAN group, as Tyson already
mentioned. This VLAN group will carry VLAN10, and is applied to the
inline interface pair. This is probably a more real-life scenario as
switches are usually interconnected via trunks. To avoid the loop this
trunk should be unique, or, in the opposite case, the STP must be
implemented and configured such that the link via IPS would be active
for VLAN 10.

p.
======================================================

> From: "Jim Terry" <[email protected]>
> Date: Sun, Aug 14, 2011 9:04 pm
> Subject: [OSL | CCIE_Security] IPS ?
> To: "CCIE Security Maillist" <[email protected]>
>
> Hi all,
>
> Basic question on IPS- when doing an interface pair- do each side of
> the pair have to be same subnet but diff vlans?
>
> If so then how do I do the same subnet and same vlan?
>
> Thanks,
>
> JT
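
The loop conditions described in the reply above, as an added example that is not part of the original thread: a per-VLAN check that treats the IPS inline pair as one more bridged link and reports every link that closes a Layer 2 loop. The switch names, link names and topologies are constructed for illustration, and the check ignores STP, so it lists the redundant paths STP would otherwise have to block.

```python
"""Per-VLAN bridging-loop check for an IPS inline interface pair (added example)."""

ALL_VLANS = set(range(1, 4095))  # an 802.1q trunk permitting all VLANs


def find(parent, node):
    """Union-find root lookup with path halving."""
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node


def l2_loops(links, vlan):
    """Return the names of links that close a bridging loop for `vlan`.

    links: list of (name, bridge_a, bridge_b, vlans_carried).
    An inline pair is modelled as a link between the two switch ports it
    bridges; both ports on one switch gives bridge_a == bridge_b.
    """
    parent, closing = {}, []
    for name, a, b, vlans in links:
        if vlan not in vlans:
            continue  # this link does not forward the VLAN at all
        parent.setdefault(a, a)
        parent.setdefault(b, b)
        root_a, root_b = find(parent, a), find(parent, b)
        if root_a == root_b:
            closing.append(name)  # both ends already in one broadcast domain
        else:
            parent[root_a] = root_b
    return closing


# Constructed topologies matching the cases discussed in the thread.
SAME_SWITCH = [("ips-pair", "sw1", "sw1", {10})]
TRUNK_ALL = [("trunk", "sw1", "sw2", ALL_VLANS),
             ("ips-pair", "sw1", "sw2", {10})]
TRUNK_PRUNED = [("trunk", "sw1", "sw2", ALL_VLANS - {10}),
                ("ips-pair", "sw1", "sw2", {10})]

if __name__ == "__main__":
    for label, topo in [("same switch", SAME_SWITCH),
                        ("two switches, trunk permits all", TRUNK_ALL),
                        ("two switches, vlan 10 pruned", TRUNK_PRUNED)]:
        print(f"{label}: loop-closing links for vlan 10 = {l2_loops(topo, 10)}")
```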