Looks like I found recommendations on the switch side that IPS does not
support LACP or PAgP and to set the mode = on for no negotiation. However,
on the IPS side what should be done for load balancing to the same IPS?
My guess is to create an additional VLAN group for the new interface and
assign the same VLANs as the existing interface, then tie that assignment to
the same virtual sensor.

On Tue, May 7, 2013 at 1:06 PM, Johnny Morris <johnnymorris01_at_gmail.com> wrote:
> Hello,
>
> I have a 4270 IPS that hangs off of the 6500 core switch along with a
> pair of virtual firewalls that hang off the core switch as well, in which
> each customer has its own context FW. We have several customer VLANs off
> the 6500 which are part of the inside interface of the VFWs. We have a
> SPAN set up for the source as the inside VLANs going to the destination
> interface of the 4270. Within the IPS we have VLAN pairs set up to receive
> the traffic on the VLANs and it is working fine. Also we have a virtual
> sensor set up for customer VLAN traffic.
>
> We are working on upgrading the IPS software and signatures so that it is
> up to date and removing the SPAN temp until we have it up to date. As of
> now there is only 1 interface from the IPS to the core switch. Are there
> any capabilities to port-channel the IPS to the core to increase load
> capacity? Right now, checking the interface, I see about 350 Mbps being sent
> output to the IPS from the core. With more customers we add in the future I
> would like to port-channel if capable.
>
> Sorry, I am a routing/switching guy and just getting forced into security
> : )
>
> Any recommendations to get me to the right place are much appreciated.
Received on Tue May 07 2013 - 13:19:46 ART