Hello Carlos,
I want the DMZ zone to be fully redundant. I have a pair of the devices listed
below and a server with 2 NICs. Can you help me out with the same? I have
prepared a topology, but attachments are blocked in GS. From which website can
I send the topology diagram?
ASA------>ASA-SW--->DMZ-SW-------->Servers
                                    |
                                  IPS
On Thu, Feb 10, 2011 at 6:05 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> Yes, that's one way of doing it.
> Keep in mind that as long as you don't have a trunk between the
> switches, you have two different "VLAN" universes.
> I.e. vlan 2 @ ASA-SW has nothing to do with vlan 2 @ DMZ-SW.
> (You better document it and have them match for the same use,
> or you will have a hard time supporting this deployment)
>
> -Carlos
>
> estela Mathew @ 10/02/2011 10:46 -0300 dixit:
>
>> Hello Carlos,
>>
>> Thanks for your reply, please confirm the steps for my configuration,
>>
>>    * Inline vlan pair between vlan 2 and vlan 3 on gig0/0 of IPS
>>    * Connect ASA-SW to DMZ-SW via a access link vlan 3  because the
>>      servers will be in vlan 2 and the ASA-SW port connecting to DMZ-SW
>>      will be in vlan 3.
>>
>> THE TRAFFIC FLOW
>>
>> Please confirm me if it is wrong
>>
>>    * From Servers Traffic hitting to Default gateway i.e. ASA-DMZ
>>      interface
>>    * It will be hitting to vlan 2 on switch the broadcast will be on
>>      IPS the mapping of vlan 2 and vlan 3 will broadcast on vlan 3
>>    * On vlan 3 ports of DMZ-SW broadcast will receive and will be
>>      forwarded to ASA-SW interface and to ASA on vlan 3.
>>
>>
>> Please confirm the above steps are correct. Waiting for your replies, friends
>>
>> Thanks
>>
>>
>>
>>
>> On Thu, Feb 10, 2011 at 5:21 PM, Samuel Jack <jacksamuel32_at_gmail.com> wrote:
>>
>>    Hello Carlos,
>>
>>    Very good Explanation.
>>
>>    Can you explore more the below paragraph? I have understood but I want
>>    to be more clear,
>>
>>
>>    Do you have the same vlans in both switches already ? If not,
>>    the link can be an access link joining the ASA-SW DMZ vlan to
>>    a DMZ-SW outside vlan. Then create an inside vlan and put
>>    both (inside and outside) in a trunk port to the IPS.
>>
>>
>>    What I understood from your above mail is
>>
>>       1. If I want to go with inline vlan pair then inside and outside
>>          interface will be same
>>       2. I have to connect ASA-SW to DMZ-SW.
>>
>>
>>
>>    I have only 1 subnet, can you explain the traffic flow to me?
>>
>>
>>
>>    Thanks
>>
>>
>>
>>    On Thu, Feb 10, 2011 at 3:31 PM, Carlos G Mendioroz
>>    <tron_at_huapi.ba.ar> wrote:
>>
>>        Estela,
>>        if you have to use an inline vlan pair, then inside and outside
>>        of the IPS are going to be in the same interface.
>>
>>        You say you have two switches, you will have to connect them
>>        somehow,
>>        so both inside and outside can be vlans of the DMZ-switch.
>>
>>        Do you have the same vlans in both switches already ? If not,
>>        the link can be an access link joining the ASA-SW DMZ vlan to
>>        a DMZ-SW outside vlan. Then create an inside vlan and put
>>        both (inside and outside) in a trunk port to the IPS.
>>
>>        -Carlos
>>
>>        estela Mathew @ 10/02/2011 03:52 -0300 dixit:
>>
>>            Hello,
>>
>>            Topology:
>>
>>            ASA------>ASA-SW------->IPS-------->DMZ-SW-------->Servers
>>
>>            I have a DMZ on my ASA. I have kept the IPS in between the ASA
>>            and Servers. I have an IPS 4240 and I want to configure an
>>            inline vlan pair. How can I do it?
>>
>>            IPS gig0/0 is connected to DMZ-SWITCH and IPS gig0/1 is
>>            connected to ASA-SWITCH. What will be the vlan pair? I have
>>            only 1 subnet in DMZ, 192.168.10.0/27.
>>
>>
>>            Please don't suggest IPS inline interface pair because I know
>>            it can work easily. The customer is insisting that I do inline
>>            vlan pairing.
>>
>>            I have seen the configuration example from Cisco but I still
>>            have doubts. Suppose I create a vlan pair between vlan 1 and
>>            vlan 2 on gig0/0, then what pairing will be on gig0/1, which is
>>            connected to ASA-SW? I have only 1 subnet in DMZ.
>>
>>            Please help
>>
>>
>>            Blogs and organic groups at http://www.ccie.net
>>
>>
>>  _______________________________________________________________________
>>            Subscription information may be found at:
>>            http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>>        --
>>        Carlos G Mendioroz  <tron_at_huapi.ba.ar>
>>        LW7 EQI  Argentina
>>
>>
>>
>>
> --
> Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Received on Fri Feb 11 2011 - 03:00:14 ART
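
The layout discussed in the thread above, written out as configuration (an added example, not part of the original messages). It uses the VLAN numbers from the thread (vlan 2 for the servers, vlan 3 toward ASA-SW, paired on IPS gig0/0); the DMZ-SW port numbers, the VLAN names, the subinterface description and the use of the default virtual sensor vs0 are assumptions.

```cisco
! ---- DMZ-SW (Catalyst IOS); port numbers and names are assumed ----
vlan 2
 name DMZ-INSIDE
vlan 3
 name DMZ-OUTSIDE
!
! Access link to ASA-SW: frames are untagged here, so "vlan 3" is local
! to DMZ-SW and is independent of the VLAN number used on ASA-SW
interface GigabitEthernet0/1
 description to ASA-SW DMZ vlan (access)
 switchport mode access
 switchport access vlan 3
!
! 802.1Q trunk to the sensor carrying only the two paired VLANs
! (omit the encapsulation line on platforms that only support dot1q)
interface GigabitEthernet0/2
 description to IPS GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3
 switchport mode trunk
!
! Server ports stay in vlan 2; their only path to vlan 3 is through the IPS
interface range GigabitEthernet0/3 - 10
 switchport mode access
 switchport access vlan 2
!
! ---- IPS 4240 sensor CLI (entered from configure terminal) ----
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
description DMZ-vlan2-vlan3
vlan1 2
vlan2 3
exit
exit
exit
exit
! Assign the pair to a virtual sensor so the bridged traffic is inspected
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/0 subinterface-number 1
exit
exit
```

Both VLANs carry the same 192.168.10.0/27 subnet: the sensor bridges them and rewrites the 802.1Q tag, so the servers' default gateway remains the ASA DMZ interface. With this layout IPS gig0/1 is not used.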