I know this is an older question in response to the question below, especially considering it is about OEQs, but I thought I would add something.

http://www.onlinestudylist.com/archives/ccie_security/2011-August/027594.html

I think Yusef's answer is correct in that only Inline VLAN Pair would work, but not for the reason mentioned. VLAN Groups, as far as I understand them, actually require two interfaces on the IPS with a different switch connected to each IPS interface. Correct me if I am wrong, but VLAN groups pair VLAN a, b and c on interface one with VLAN a, b and c respectively on interface two. Because the VLANs paired do in fact have the same VLAN ID, they must exist on different switches, which therefore requires two interfaces on the IPS. If the VLANs being bridged in VLAN group mode were on the same switch, the IPS wouldn't be able to bridge them, as the communications would stay on the switch because the IPS is bridging a VLAN ID with itself.

Because the IPS bridges VLANs in Inline VLAN pair mode that have different VLAN IDs, i.e. pair VLAN a to b and VLAN c to d, the traffic must travel via the IPS in order to pass between VLANs even though they are on the same switch. This allows only Inline VLAN pair mode to work with a single interface.

As I said, this is not relevant these days with OEQs being EOL, but I thought it may add to the general discussion.

Thanks
Ben

You are correct. But when using vlan group, you configure sub-interfaces, but the task just talks about physical interface. Maybe this can justify the given answer.
With regards
Kings

On Tue, Aug 2, 2011 at 6:25 AM, Bruno <bruno.gimenez at gmail.com> wrote:

> *Question:*
> If the Cisco IPS sensor hardware had only one physical sensing interface,
> which mode could be used to perform monitoring and what protocol is used on
> the Catalyst switch to support this scenario?
>
> *Correct Answer:*
> Inline VLAN pair mode using 802.1q trunk port on the switch
>
> Why not vlan group interfaces which can be achieved by one interface and
> trunk on switches as well?
>
> --
> Bruno Fagioli
> Cisco Security Professional
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
