Multiple interfaces on a single IPS sensor can be attached to a single etherchannel group (up to 8 interfaces per group).
Additionally, inline interface pairs can be connected to trunk ports. Cisco IPS is able to track traffic per-VLAN, in this case.

Gary

The Hacker only has to be right once... Stay Secure!

Gary Halleen, CISSP-ISSAP, CHP
Consulting Security Engineer
Cisco Systems
Author, Security Monitoring with CS-MARS, ISBN: 1587052709

On 4/2/09 3:39 AM, "Farrukh Haroon" <[email protected]> wrote:

> No, only one interface can be connected to my knowledge (as Inline
> VLAN Pair mode uses one interface only and this is the only supported
> deployment model in ECLB).
>
> Regards
>
> Farrukh
>
> On Thu, Apr 2, 2009 at 1:21 PM, Burak Dikici <[email protected]> wrote:
>>
>> Hello Farrukh,
>>
>> What do you say about this question?
>>
>> "Can I have ONE IPS with three or four inline mode ports attached to the same
>> switch in an etherchannel?" I am talking about one IPS with multiple
>> interfaces. For example two IPS with four interfaces in the switch's
>> etherchannel group with eight ports. Thank you.
>>
>> Burak
>>
>> On Thu, Apr 2, 2009 at 12:56 PM, Farrukh Haroon <[email protected]>
>> wrote:
>>>
>>> Hello Burak
>>>
>>> 1) The ECLB feature allows you to load balance up to eight Cisco IPS
>>> Sensors connected to the 'same' chassis. So YES you can connect more
>>> than one sensor to the same switch (using a separate port/interface
>>> for each sensor). All ports will be part of the same etherchannel
>>> group. This is also stated clearly in the link you provided:
>>>
>>> The IPS appliances must be in on-a-stick mode (INLINE VLAN PAIR),
>>> meaning that the IPS appliance can only use one sensing port on that
>>> Catalyst switch. That port is trunked so that the IPS appliance has an
>>> inbound and outbound path to and from the switch.
>>> Up to eight ports can be defined in an EtherChannel. This means that
>>> you can add up to eight IPS appliances on a single Catalyst switch.
>>>
>>> 2) The 'Inline Interface Pair' feature requires that the ports to
>>> which the IPS is connected should be access ports and NOT trunk ports.
>>>
>>> Regards
>>>
>>> Farrukh Haroon
>>> CCIE # 20184 (Security)
>>>
>>> On Wed, Apr 1, 2009 at 3:46 PM, <[email protected]> wrote:
>>>> Hello,
>>>>
>>>> I have got two core switches. They are running redundant with HSRP. One of
>>>> them is HSRP active and spanning tree root for all VLANs, the other is
>>>> HSRP passive and spanning tree secondary for all VLANs. I have got a server
>>>> VLAN which I would like to inspect traffic to this VLAN from all other user
>>>> VLANs. All servers are connected to the backbone switches via another
>>>> aggregation switches. We have got 6 aggregation switches and all of them
>>>> are connected to the backbone switches via 1 gigabit f/o uplinks. Because of
>>>> that, I need 6 Gbps throughput for the IPS system which will protect the
>>>> server VLAN.
>>>> Which topology do you recommend for this purpose? Should I use another
>>>> switches to connect all IPS devices to the backbone switches? Or should I
>>>> connect IPS devices directly to the backbone switches? Which one is more
>>>> preferable for performance and redundancy?
>>>>
>>>> Another question is:
>>>> I saw the message which is written below in this address:
>>>> http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
>>>> "The IPS appliances must be in on-a-stick mode, meaning that the IPS
>>>> appliance can only use one sensing port on that Catalyst switch. That port
>>>> is trunked so that the IPS appliance has an inbound and outbound path to
>>>> and from the switch."
>>>> My question is:
>>>> Can I have one IPS with three or four ports attached to the same switch in
>>>> an etherchannel?
>>>>
>>>> The last question:
>>>> Is it possible to configure the Cisco IPS like the topology below? SW1's
>>>> and SW2's connection ports to the IPS are in trunk mode. I would like to
>>>> configure the IPS in inline interface pairing mode (not VLAN pairing mode).
>>>>
>>>> SW1-----------IPS-----------SW2
>>>>
>>>> Kind Regards...
>>>>
>>>> Burak Dikici
