Re: IPS INLINE VLAN

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Thu, 10 Feb 2011 20:58:11 -0300

Don't worry, you
-Carlos

estela Mathew
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> -Carlos
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> know
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> --
>
>
>
>

 -- Carlos G Mendioroz Blogs and organic

Received

This message:

Next message:

Maybe in

Next in

This archive was : Tue Mar 01 2011 - 07:01:50 ART won't be tested on this kind of design... @ 10/02/2011 20:00 -0300 dixit: Hello Carlos, I want the DMZ zone to be fully redundant i m having pair of devices listed below and server with 2 NIC, Can u help me out with the same, I have prepared a topology but attachment are blocked in GS ,,from which website i can send the topologydiagram. ASA------>ASA-SW--->DMZ-SW-------->Servers | IPS On Thu, Feb 10, 2011 at 6:05 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>> wrote: Yes, that's one way of doing it. Keep in mind that as long as you don't have a trunk between the switches, you have two different "VLAN" universes. I.e. vlan 2 @ ASA-SW has nothing to do with vlan 2 @ DMZ-SW. (You better document it and have them match for the same use, or you will have a hard time supporting this deployment) estela Mathew @ 10/02/2011 10:46 -0300 dixit: Hello Carlos, Thanks for ur reply, please confirm the steps for my configuration, * Inline vlan pair between vlan 2 and vlan 3 on gig0/0 of IPS * Connect ASA-SW to DMZ-SW via a access link vlan 3 because the servers will be in vlan 2 and the ASA-SW port connecting to DMZ-SW will be in vlan 3. THE TRAFFIC FLOW Please confirm me if it is wrong * From Servers Traffic hitting to Default gateway i.e ASA-DMZ interface * IT will be hitting to vlan 2 on switch the broadcast will be on IPS the mapping of vlan2 and vlan 3 will broadcast on vlan 3 * On vlan 3 ports of DMZ-SW broadcast will receive and will be forwarded to ASA-SW interface and to ASA on vlan 3. Please correct the above steps are correct,Waiting for ur replies friends Thanks On Thu, Feb 10, 2011 at 5:21 PM, Samuel Jack <jacksamuel32_at_gmail.com <mailto:jacksamuel32_at_gmail.com> <mailto:jacksamuel32_at_gmail.com <mailto:jacksamuel32_at_gmail.com>>> wrote: Hello Carlos, Very good Explanation. Can u explore more the below paragraph,i have understood but i want to be more clear, Do you have the same vlans in both switches already ? If not, the link can be an access link joining the ASA-SW DMZ vlan to a DMZ-SW outside vlan. Then create an inside vlan and put both (inside and outside) in a trunk port to the IPS. What i understood from ur above mail is 1. If I wanna go with inline vlan pair then inside and outside interface will be same 2. I have to connect ASA-SW to DMZ-SW . I have only 1 subnet can u explain me the traffic flow?? Thanks On Thu, Feb 10, 2011 at 3:31 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar> <mailto:tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>> wrote: Estela, if you have to use an inline vlan pair, then inside and outside of the IPS are going to be in the same interface. You say you have two switches, you will have to connect them somehow, so both inside and outside can be vlans of the DMZ-switch. Do you have the same vlans in both switches already ? If not, the link can be an access link joining the ASA-SW DMZ vlan to a DMZ-SW outside vlan. Then create an inside vlan and put both (inside and outside) in a trunk port to the IPS. -Carlos estela Mathew @ 10/02/2011 03:52 -0300 dixit: Hello, Topology: ASA------>ASA-SW------->IPS-------->DMZ-SW-------->Servers I have a DMZ in my ASA i have kept IPS in between the ASA and Servers, I have IPS 4240 i want to configure inline vlan pair,How can i do it, IPS gig0/0 is connected to DMZ-SWITCH and IPS gig0/1 is connected to ASA-SWITCH what will be the vlan pair, I have only 1 subnet in DMZ 192.168.10.0/27 <http://192.168.10.0/27> <http://192.168.10.0/27>. Please don't suggest IPS Inline interface pair becz i it can work easily Customer is insisting me to do inline vlan pairing. I have seen the configuration example from cisco but still i have doubts,Suppose if i create a vlan pair between vlan 1 and vlan 2 on gig0/0 then what pairing will be on gig0/1 which is connected to ASA-SW, ihave only 1 subnet in DMZ . Please help Blogs and organic groups at http://www.ccie.net _______________________________________________________________________ Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html -- Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar> <mailto:tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>> LW7 EQI Argentina Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>> LW7 EQI Argentina <tron_at_huapi.ba.ar> LW7 EQI Argentina groups at http://www.ccie.net on Thu Feb 10 2011 - 20:58:11 ART name="navbarfoot" title="Related messages"> [ Message body ] estela Mathew: "Re: IPS INLINE VLAN" message: Bulent BALYEMEZ: "2 Gunde E-TICARET Semineri Sadece 150 TL. // www.alibaba.com un katkılarıyla 19-20 Subat Cumartesi ve Pazar Gunu Istanbul Taksim Gönen Otelde (KATILIMCI SINIRI VARDIR)" reply to: estela Mathew: "IPS INLINE VLAN" thread: estela Mathew: "Re: IPS INLINE VLAN" id="options2">Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ] generated by hypermail 2.2.0