RE: Cisco IPS/Tipping Point OR ASA for InterVLAN security.

From: Travis Niedens (niedentj@hotmail.com)
Date: Sat Feb 28 2009 - 22:28:49 ARST


I know Tippingpoint IPS models do support inline IPS; I've configured a
UnityOne 400 previously for inline before and it worked just fine. The
major caveat that any inline solution has is that if the IPS goes bad you
will drop traffic. Other items to be careful with are port configuration
(speed/duplex/auto), throughput (don't try to cram 1Gbps of traffic through
a 100Mbps interface) and turning on trunking and/or channelling when you
don't need to for inline.

Travis

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
Sent: Saturday, February 28, 2009 12:07 PM
To: 'Monica Belluci'; 'Cisco certification'; 'Cisco certification'
Subject: RE: Cisco IPS/Tipping Point OR ASA for InterVLAN security.

Hi Monica,

I think you can solve this problem if your IPS supports inline vlan pairs or
inline interface pairs.

The way this would work is you config your 6500 to connect to your IPS using
a trunk port. The trunk would carry two vlans - the one your servers are in
and a different one for the default-gateway for your servers. This would be
an SVI on the 6500.

The IPS would then bridge these 2 vlans so that the only way for traffic to
get from your servers to your users would be via the IPS.

So, let's say your servers are in subnet 10.1.1.0/24 and on your 6500 you
config an SVI and we'll put it in vlan 99

Here's the config:

int vlan 99
  ip addr 10.1.1.1 255.255.255.0

All your servers are also in this subnet but are in vlan 100.

Therefore, you config all the ports connecting to your servers to be in vlan
100 like this:

int fa0/X
 desc connected to a server
 ! "swi" (switchport) makes this a Layer 2 port; 6500 ports default to routed mode
 swi
 swi access vlan 100
 swi mode access

Now, the port connected to your IPS is configured as a trunk port like this:

int fa0/Y
 desc Connected to IPS
 swi
 swi trunk encap dot1q
 swi trunk allowed vlan 99,100
 ! force the trunk up: an inline IPS is transparent and will not negotiate DTP
 swi mode trunk

I think this should work based on the traffic flow.

Let's say there's traffic for server X coming from one of the user vlans.
When that traffic reaches the 6500 routing process, it will see the dest
address is in subnet 10.1.1.0/24 which is directly connected to int vlan 99.

If the mac addr of server X isn't in the arp cache of the 6500, it will arp
for it.

Arp's are sent out as broadcasts so the switching function of the 6500 will
flood the arp out all ports in vlan 99 including the trunk port connected to
the IPS. When the IPS gets the arp packet, it will inspect it if configured
to do so and then send it out the trunk in vlan 100. When the switching
function of the 6500 gets the arp broadcast packet, just like before, it
will flood it out all ports in vlan 100 (except the port on which it
arrived). Thus, the packet gets to server X.

When the server sends its arp reply, the unicast packet arrives at the 6500
over a port in vlan 100. If the switching function doesn't already know
where to send the packet, it will flood it out all ports in vlan 100
including the trunk connected to the IPS.

The IPS will then forward the packet on the other vlan (vlan 99) over the
trunk back to the 6500 where it reaches the SVI, int vlan 99. Then the 6500
will route the packet to the next hop.

So, it seems to me, for traffic to get to or from your servers via your IPS,
deploy your IPS as described above.

HTH, Tim
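The design above rests on one invariant: the trunk facing the IPS must be the only Layer 2 path joining vlan 99 and vlan 100, and the 6500 must have no SVI in vlan 100, otherwise the Sup720 forwards server traffic around the IPS. The script below is an added example (mine, not code from Tim, the list, or any vendor) that checks that invariant against the text of `show running-config` with full keywords. The interface names, VLAN numbers and addresses in the two embedded sample configs are constructed to match Tim's numbering; the IPS-facing port name is an assumed parameter.

```python
# Added example (not list or vendor code): audit a Catalyst IOS running-config
# for the "IPS bridges gateway VLAN 99 and server VLAN 100" design. Findings are
# any second Layer 2 path between the two VLANs, any port whose mode is left to
# DTP, a wrong allowed-list on the IPS trunk, or an SVI in the server VLAN.
# Assumes 'show running-config' text with full keywords and a known IPS port.
import re


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # a global line ('!' included) ends any stanza
            m = re.match(r"interface\s+(\S+)", line, re.IGNORECASE)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current:
            interfaces[current].append(line.strip())
    return interfaces


def expand_vlan_list(spec):
    """'99,100,200-202' -> {99,100,200,201,202}; 'none' -> set();
    'all' and the add/remove/except forms -> None (treated as unrestricted)."""
    spec = spec.strip().lower()
    if spec == "none":
        return set()
    if spec == "all" or spec.split()[0] in ("add", "remove", "except"):
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def vlans_carried(subcmds):
    """VLANs a Layer 2 port can carry; None when unbounded (trunk with no
    allowed-list, or no explicit mode so DTP could negotiate a trunk)."""
    mode, access_vlan, allowed = None, 1, None
    for cmd in (c.lower() for c in subcmds):
        if cmd.startswith("switchport mode "):
            mode = cmd.split()[-1]
        elif cmd.startswith("switchport access vlan "):
            access_vlan = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlan_list(cmd[30:])   # text after the 30-char keyword prefix
    if mode == "access":
        return {access_vlan}
    return allowed if mode == "trunk" else None


def audit_ips_bridge(config_text, gw_vlan, server_vlan, ips_port):
    """Return a list of findings; an empty list means the invariant holds."""
    findings, pair = [], {gw_vlan, server_vlan}
    ifaces = parse_interfaces(config_text)
    if not any(c.lower().startswith("ip address ") for c in ifaces.get(f"Vlan{gw_vlan}", [])):
        findings.append(f"Vlan{gw_vlan}: no ip address, servers have no gateway behind the IPS")
    if f"Vlan{server_vlan}" in ifaces:
        findings.append(f"Vlan{server_vlan}: SVI present, the switch routes into the server VLAN around the IPS")
    if ips_port not in ifaces or vlans_carried(ifaces[ips_port]) != pair:
        findings.append(f"{ips_port}: must be a trunk allowing exactly VLANs {gw_vlan},{server_vlan}")
    for name, cmds in ifaces.items():
        if name == ips_port or name.lower().startswith("vlan"):
            continue
        if any(c.lower().startswith("switchport") for c in cmds):   # Layer 2 ports only
            carried = vlans_carried(cmds)
            if carried is None or pair <= carried:
                findings.append(f"{name}: can carry both VLANs (second path around the IPS, or mode left to DTP)")
    return findings


# Constructed sample: the design as Tim describes it, nothing else in the L2 domain.
GOOD_CONFIG = """\
interface Vlan99
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet3/1
 switchport
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet3/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 99,100
 switchport mode trunk
!
"""

# Constructed sample: the same core plus three ways the invariant gets broken.
BAD_CONFIG = GOOD_CONFIG + """\
interface Vlan100
 ip address 10.1.2.1 255.255.255.0
!
interface FastEthernet3/3
 switchport
 switchport trunk allowed vlan 99-111
 switchport mode trunk
!
interface FastEthernet3/4
 switchport
 switchport access vlan 100
!
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_ips_bridge(cfg, 99, 100, "FastEthernet3/2") or "no findings")
```

Run it against a saved `show running-config` after the change and again whenever the 6500 config is touched; a server port left without `switchport mode access`, or a user uplink whose allowed-list is later widened to include vlan 99 and 100, shows up as a finding rather than as a silent IPS bypass. The `add`/`remove`/`except` allowed-list forms are deliberately treated as unrestricted so they surface for manual review.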

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Monica Belluci
Sent: Saturday, February 28, 2009 7:03 AM
To: Cisco certification; Cisco certification
Subject: Cisco IPS/Tipping Point OR ASA for InterVLAN security.

Dear All,

I have one small query.
Our network has 11 VLANs (100 to 111); in one VLAN all servers are located,
and in the remaining 10 VLANs we have internal users.
We are using a Cisco core switch 6513 with Cisco IOS, and inter-VLAN routing
is done by the Sup720 module.
We have an extra TippingPoint IPS and want to use it between all user VLANs and
the servers VLAN.
Is there any way I can implement the TippingPoint IPS or Cisco IPS between users
and servers, meaning any user sending any packets to servers should go through
the TippingPoint or Cisco IPS first and then to the servers?

Int VLANx and Int VLANy are directly connected VLANs on the Sup720 in the Cisco 6513.

Users -----Interfaces VLANx-----(Tipping Point IPS or Cisco IPS) -----Int
VLANy------- Servers

OR

Users -----Interfaces VLANx-----CISCO ASA FIREWALL -----Int VLANy-------
Servers

Or is it possible to implement an ASA firewall for inter-VLAN security?

Thanks
Monica

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:13 ARST