Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing
- From: Farrukh Haroon <farrukhharoon@xxxxxxxxx>
- Date: Sat, 4 Apr 2009 00:38:05 +0300
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_interfaces.html#wp1033986
"If the paired interfaces are connected to the same switch, you should
configure them on the switch as access ports with different access
VLANs for the two ports. Otherwise, traffic does not flow through the
inline interface."
Regards
Farrukh
On Fri, Apr 3, 2009 at 11:24 PM, Gary Halleen <ghalleen@xxxxxxxxx> wrote:
Multiple interfaces on a single IPS sensor can be attached to a single
etherchannel group (up to 8 interfaces per group).
Additionally, inline interface pairs can be connected to trunk ports. Cisco
IPS is able to track traffic per-VLAN, in this case.
Gary
The Hacker only has to be right once...
Stay Secure!
Gary Halleen, CISSP-ISSAP, CHP
Consulting Security Engineer
Cisco Systems
Author, Security Monitoring with CS-MARS, ISBN: 1587052709
On 4/2/09 3:39 AM, "Farrukh Haroon" <farrukhharoon@xxxxxxxxx> wrote:
No, only one interface can be connected to my knowledge (as Inline
VLAN Pair mode uses one interface only and this is the only supported
deployment model in ECLB).
Regards
Farrukh
On Thu, Apr 2, 2009 at 1:21 PM, Burak Dikici <bdikici@xxxxxxxxx> wrote:
Hello Farrukh ,
What do you say about this question ?
"Can I have ONE IPS with three or four inline mode ports attached to the same
switch in an etherchannel?" I am talking about one IPS with multiple
interfaces. For example, two IPS with four interfaces in the switch's
etherchannel group with eight ports. Thank you.
Burak
On Thu, Apr 2, 2009 at 12:56 PM, Farrukh Haroon <farrukhharoon@xxxxxxxxx>
wrote:
Hello Burak
1) The ECLB feature allows you to load balance up to eight Cisco IPS
Sensors connected to the 'same' chassis. So YES, you can connect more
than one sensor to the same switch (using a separate port/interface
for each sensor). All ports will be part of the same etherchannel
group. This is also stated clearly in the link you provided:
- The IPS appliances must be in on-a-stick mode (INLINE VLAN PAIR),
meaning that the IPS appliance can only use one sensing port on that
Catalyst switch. That port is trunked so that the IPS appliance has an
inbound and outbound path to and from the switch.
- Up to eight ports can be defined in an EtherChannel. This means that
you can add up to eight IPS appliances on a single Catalyst switch.
2) The 'Inline Interface Pair' feature requires that the ports to
which the IPS is connected should be access ports and NOT trunk ports.
Regards
Farrukh Haroon
CCIE # 20184 (Security)
On Wed, Apr 1, 2009 at 3:46 PM, <bdikici@xxxxxxxxx> wrote:
Hello ,
I have got two core switches. They are running redundant with HSRP. One of
them is HSRP active and spanning tree root for all VLANs, the other is HSRP
passive and spanning tree secondary for all VLANs. I have got a server VLAN
and I would like to inspect the traffic to this VLAN from all other user
VLANs. All servers are connected to the backbone switches via other
aggregation switches. We have got 6 aggregation switches and all of them are
connected to the backbone switches via 1 gigabit f/o uplinks. Because of
that, I need 6 Gbps throughput for the IPS system which will protect the
server VLAN.
Which topology do you recommend for this purpose? Should I use other
switches to connect all IPS devices to the backbone switches, or should I
connect the IPS devices directly to the backbone switches? Which one is
preferable for performance and redundancy?
Another question is ;
I saw the message which is written below in this address ;
http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
"The IPS appliances must be in on-a-stick mode, meaning that the IPS
appliance can only use one sensing port on that Catalyst switch. That port
is trunked so that the IPS appliance has an inbound and outbound path to
and from the switch."
My question is ;
Can I have one IPS with three or four ports attached to the same switch in
an etherchannel?
The last question ;
Is it possible to configure the Cisco IPS like the topology below? SW1's
and SW2's connection ports to the IPS are in trunk mode. I would like to
configure the IPS in inline interface pairing mode (not VLAN pairing mode).
SW1-----------IPS-----------SW2
Kind Regards...
Burak Dikici
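The two deployment models argued over in this thread, written out as switch and sensor configuration. This is an added example for illustration and is not taken from the thread, from the Cisco configuration example that Burak links, or from either poster. It assumes Catalyst IOS syntax of the 6500 style, that user hosts sit in VLAN 10 and the server VLAN's gateway in VLAN 20, that two sensors are attached on GigabitEthernet1/1 and 1/2 (each on its single sensing port, IPS interface GigabitEthernet0/0), and that a third sensor in inline interface pair mode uses access VLANs 30 and 31; every interface and VLAN number is a placeholder. The point a practitioner should not miss is the hash: both directions of a session have to land on the same member port, hence the same sensor, or stateful inspection silently degrades.

```cisco
! ---- Catalyst side: ECLB, one trunked sensing port per sensor ----
! Placeholders: VLAN 10 (hosts), VLAN 20 (server-side gateway),
! Gi1/1 and Gi1/2 (one port per sensor). Add up to eight members.

! Hash on source+destination IP so that both directions of a flow are
! delivered to the same member port, i.e. the same sensor. A per-port
! or src-mac hash can split one session across two sensors.
port-channel load-balance src-dst-ip

interface Port-channel1
 description ECLB bundle towards the IPS sensors
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/1
 description IPS sensor 1, single sensing port (inline VLAN pair 10/20)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/2
 description IPS sensor 2, single sensing port (inline VLAN pair 10/20)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 1 mode on
!
! Checks after the sensors come up:
!   show etherchannel 1 summary        -> every member flagged (P)
!   show etherchannel load-balance     -> src-dst-ip
! A member whose sensor is down leaves the bundle, and the hash simply
! redistributes flows over the remaining sensors.

! ---- Sensor side (Cisco IPS 6.x CLI), the same on every ECLB sensor ----
! The one sensing port bridges VLAN 10 and VLAN 20: a frame arriving
! tagged 10 is inspected and leaves tagged 20, and vice versa.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 10
sensor(config-int-phy-inl-sub)# vlan2 20
sensor(config-int-phy-inl-sub)# description hosts-to-servers
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit

! ---- Contrast: inline INTERFACE pair, both sensor ports on one switch ----
! Per the 6.1 configuration guide quoted above: two access ports in two
! different VLANs. The sensor bridges them, so VLAN 30 and VLAN 31 become
! one L2 domain with the sensor in the path. This is not ECLB; it is one
! sensor using two ports.
interface GigabitEthernet1/3
 description IPS sensor 3, inline interface pair side A
 switchport
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/4
 description IPS sensor 3, inline interface pair side B
 switchport
 switchport access vlan 31
 switchport mode access
```

Sizing note for the 6 Gbps requirement in the original question: ECLB spreads flows over sensors by hash, so the aggregate is bounded by the number of members times what one sensor inspects, not by the bundle speed, and a single very large flow still lands on one sensor.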