Correct, but that is only if the IPS interfaces are connected to interfaces on the same switch. If the IPS interfaces are connected to two different switches, then the interfaces can be trunk ports.
Gary

On 4/3/09 2:38 PM, "Farrukh Haroon" <[email protected]> wrote:

> http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_interfaces.html#wp1033986
>
> "If the paired interfaces are connected to the same switch, you should configure them on the switch as access ports with different access VLANs for the two ports. Otherwise, traffic does not flow through the inline interface."
>
> Regards
>
> Farrukh
>
> On Fri, Apr 3, 2009 at 11:24 PM, Gary Halleen <[email protected]> wrote:
>> Multiple interfaces on a single IPS sensor can be attached to a single etherchannel group (up to 8 interfaces per group).
>>
>> Additionally, inline interface pairs can be connected to trunk ports. Cisco IPS is able to track traffic per-VLAN, in this case.
>>
>> Gary
>>
>> The Hacker only has to be right once...
>>
>> Stay Secure!
>>
>> Gary Halleen, CISSP-ISSAP, CHP
>> Consulting Security Engineer
>> Cisco Systems
>> Author, Security Monitoring with CS-MARS, ISBN: 1587052709
>>
>> On 4/2/09 3:39 AM, "Farrukh Haroon" <[email protected]> wrote:
>>
>>> No, only one interface can be connected to my knowledge (as Inline VLAN Pair mode uses one interface only and this is the only supported deployment model in ECLB).
>>>
>>> Regards
>>>
>>> Farrukh
>>>
>>> On Thu, Apr 2, 2009 at 1:21 PM, Burak Dikici <[email protected]> wrote:
>>>>
>>>> Hello Farrukh,
>>>>
>>>> What do you say about this question?
>>>>
>>>> "Can I have ONE IPS with three or four inline mode ports attached to the same switch in an etherchannel?" I am talking about one IPS with multiple interfaces. For example two IPS with four interfaces in the switch's etherchannel group with eight ports. Thank you.
>>>>
>>>> Burak
>>>>
>>>> On Thu, Apr 2, 2009 at 12:56 PM, Farrukh Haroon <[email protected]> wrote:
>>>>>
>>>>> Hello Burak
>>>>>
>>>>> 1) The ECLB feature allows you to load balance up to eight Cisco IPS Sensors connected to the 'same' chassis. So YES you can connect more than one sensor to the same switch (using a separate port/interface for each sensor). All ports will be part of the same etherchannel group. This is also stated clearly in the link you provided:
>>>>>
>>>>> • The IPS appliances must be in on-a-stick mode (INLINE VLAN PAIR), meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch.
>>>>> • Up to eight ports can be defined in an EtherChannel. This means that you can add up to eight IPS appliances on a single Catalyst switch.
>>>>>
>>>>> 2) The 'Inline Interface Pair' feature requires that the ports to which the IPS is connected should be access ports and NOT trunk ports.
>>>>>
>>>>> Regards
>>>>>
>>>>> Farrukh Haroon
>>>>> CCIE # 20184 (Security)
>>>>>
>>>>> On Wed, Apr 1, 2009 at 3:46 PM, <[email protected]> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have got two core switches. They are running redundant with HSRP. One of them is HSRP active and spanning tree root for all VLANs, the other is HSRP passive and spanning tree secondary for all VLANs. I have got a server VLAN, and I would like to inspect traffic to this VLAN from all other user VLANs. All servers are connected to the backbone switches via other aggregation switches. We have got 6 aggregation switches and all of them are connected to the backbone switches via 1 gigabit f/o uplinks. Because of that, I need 6 Gbps throughput for the IPS system which will protect the server VLAN.
>>>>>>
>>>>>> Which topology do you recommend for this purpose? Should I use other switches to connect all IPS devices to the backbone switches? Or should I connect IPS devices directly to the backbone switches? Which one is more preferable for performance and redundancy?
>>>>>>
>>>>>> Another question is:
>>>>>> I saw the message which is written below at this address:
>>>>>> http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
>>>>>> "The IPS appliances must be in on-a-stick mode, meaning that the IPS appliance can only use one sensing port on that Catalyst switch. That port is trunked so that the IPS appliance has an inbound and outbound path to and from the switch."
>>>>>> My question is:
>>>>>> Can I have one IPS with three or four ports attached to the same switch in an etherchannel?
>>>>>>
>>>>>> The last question:
>>>>>> Is it possible to configure the Cisco IPS like the topology below? SW1's and SW2's connection ports to the IPS are in trunk mode. I would like to configure the IPS in inline interface pairing mode (not VLAN pairing mode).
>>>>>>
>>>>>> SW1-----------IPS-----------SW2
>>>>>>
>>>>>> Kind Regards...
>>>>>>
>>>>>> Burak Dikici
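The two cases the thread settles on (an inline interface pair whose ports land on the same switch must use two access ports in different VLANs; a pair bridging two different switches may use trunk ports) are easier to get right when written out as configuration. The following is an added example and is not part of the thread or of Cisco's documentation: the switch interface names, VLAN ids, sensor port names and the pair name are assumptions, and the IPS commands are recalled from the 6.x `service interface` CLI rather than copied from the page.

```cisco
! ===== Case 1: both sensor ports on the SAME switch (inline interface pair) =====
! Each sensor-facing port is an access port in its own VLAN, so the only
! bridge between VLAN 10 and VLAN 20 is the sensor itself.  Putting both
! ports in one VLAN, or trunking them, gives the switch a path that does not
! cross the pair, and (per the guide quoted above) traffic then does not
! flow through the inline interface.  All ids below are constructed.
vlan 10
 name SERVERS-OUTSIDE
vlan 20
 name SERVERS-INSIDE
!
interface GigabitEthernet1/0/1
 description to IPS GigabitEthernet0/0 (outside half of pair)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description to IPS GigabitEthernet0/1 (inside half of pair)
 switchport mode access
 switchport access vlan 20
!
! Check: each sensor-facing port must appear under a different VLAN here.
! show vlan brief
!
! ===== Case 2: SW1 --- IPS --- SW2 (pair bridges two switches) =====
! Each switch has a single link to the sensor, so a trunk is acceptable;
! the pair carries every allowed VLAN and the sensor tracks traffic per VLAN.
! (Configure the matching port on SW2 the same way.)
interface GigabitEthernet1/0/1
 description SW1 uplink to IPS GigabitEthernet0/0; other half goes to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! ===== Sensor side (Cisco IPS 6.x CLI, inline interface pair; assumed names) =====
! Enable both sensing ports, bind them into one pair, then hand the pair to
! the virtual sensor so the analysis engine actually inspects the traffic.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# inline-interfaces server_pair
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface server_pair
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
! Check: the pair should be listed, and both links up, in
! sensor# show interfaces
```

The practical test for case 1 is to confirm on the switch that a host in VLAN 10 can reach VLAN 20 only while the pair is up; if connectivity survives pulling one sensor cable, the switch still has a path around the sensor and the port or VLAN assignment needs revisiting.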
