Adding an IPS for protecting traffic between server vlans and workstation vlans

Posted on 2010-03-26
Medium Priority
Last Modified: 2013-11-29
Here is our environment:

I have 2 x 3550 (48 ports, EMI) working as a pair of core switch.  There are 3 x 2950 working as access layer switch.  Each 2950 (24 ports) is connected to both 3550 with STP enabled.

The (host) names of the switches are C3550A, C3550B, C2950A, C2950B and C2950C.

C2950A FastEthernet0/23 is connected to C3550A
C2950A FastEthernet0/24 is connected to C3550B
C2950B FastEthernet0/23 is connected to C3550A
C2950B FastEthernet0/24 is connected to C3550B
C2950C FastEthernet0/23 is connected to C3550A
C2950C FastEthernet0/24 is connected to C3550B

Workstation farm has 3 VLANs, they are VLAN 110, 120 and 130.  Basically, all remaining ports in C2950A are VLAN 110.  Likewise all remaining ports in C2950B are VLAN 120 and all remaining ports in C2950C are VLAN 130.

Server farm has 2 VLANs, they are VLAN 210 and 220.  Servers in the server farm have 2 NICs each, one connecting to C3550A and the other connecting to C3550B.

My problem is, if I need to add an in-line mode IPS protecting all traffic from the workstation farm to the server farm (and from the server farm to the workstation farm), how should I configure the switches so that the traffic between the server VLANs and the workstation VLANs is inspected by an in-line mode IPS?
Question by:wk
LVL 10

Expert Comment

ID: 28677544
IPS modules are usually placed at the Internet gateway and inspect traffic on that interface so any 'intrusions' are stopped there, but regardless of where they are placed they have to be applied to an interface to inspect traffic.  For the IPS modules in my ASAs I created a service-policy and then applied it to the interface that I wanted to inspect in inline mode.  Are you worried that traffic between your VLANs is compromised in some way?  

Author Comment

ID: 28687881
Dear qbakies,

Thank you for your comments.  My situation is not aimed at protection for Internet/WAN gateway.  In fact, it is a closed environment.  The IPS is not a Cisco solution, in fact, it is one of the leaders in Gartner MQ on Network IPS 2009 (also all Gartner MQ for NIPS since the first release).

A copy can be found at http://www.tippingpoint.com/pdf/analyst/TippingPoint3048.pdf.

I am protecting the traffic from/to the server farm via trusted workstations.  That's why I am looking into how I can set up the switch to make use of the in-line inspection IPS.

Anyway, thanks.

William Lee    CISA
Hong Kong
LVL 15

Accepted Solution

Nayyar HH (CCIE RS) earned 2000 total points
ID: 28801630
Look at implementing it bridged between the Server VLAN and a Server Gateway VLAN. In your scenario, you have servers on VLAN 210 and VLAN 220, say subnets  and
Create two new VLANs 211 and 221, move the server default gateways onto these new SVIs, e.g. and Finally, physically connect IPS OUTSIDE on a trunk port trunking the outside VLANs 211 and 221, while the IPS INSIDE port is connected to another trunk port trunking VLANs 210 and 220. This creates the logical topology to enable all traffic to/from the servers to be inspected by the IPS and then bridged accordingly.

To represent this logically, it would look like this.

SERVER (VL210&220) <------- TRUNK(allowing VL210&220) ------> IPS <------- TRUNK(allowing VL211&221) ------> SVI's (VL211&221)
Author Comment

ID: 28877226
Let me check.  If success, I will accept this as solution.

Thanks a lot!

Author Comment

ID: 30274519
Can you help me in providing the commands in IOS?

Thanks a lot.
LVL 15

Assisted Solution

by:Nayyar HH (CCIE RS)
Nayyar HH (CCIE RS) earned 2000 total points
ID: 30297849
As an example, this would configure port fa0/24, connecting to the IPS, as a trunk port permitting only VLANs 201 and 202:

conf t
int fa0/24
! The 3550 needs the encapsulation set before the port will trunk;
! the 2950 only supports 802.1Q and does not accept this command.
switchport trunk encapsulation dot1q
switchport mode trunk
! Write the VLAN list without spaces; IOS does not accept "201, 202".
switchport trunk allowed vlan 201,202
! Return to privileged exec before saving; "write" is not a config-mode command.
end
write mem
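Putting the accepted design and the trunk-port commands together, the following is an added example of the complete C3550A-side configuration (it is not taken from either answer above; C3550B would mirror it). It assumes the server gateway for VLAN 210 was 192.0.2.1/24 and for VLAN 220 was 198.51.100.1/24 (constructed documentation addresses, since the real subnets are not given in the thread), and that fa0/47 faces the IPS OUTSIDE port while fa0/48 faces the IPS INSIDE port (hypothetical port choices). One step the answers do not spell out is also included: because the IPS bridges VLAN 210 into 211 (and 220 into 221), per-VLAN spanning-tree BPDUs sent on VLAN 210 would come back tagged as VLAN 211 and the switch would block the port as PVID-inconsistent, so BPDUs are filtered on the two IPS-facing ports. That is safe only if the IPS is the sole path between each VLAN pair, which is the case in this design.

```cisco
! Added example (not from the original answers): C3550A configuration for the
! bridged in-line IPS design. Addresses and port numbers are constructed.
conf t
!
! 1. New gateway VLANs that sit on the OUTSIDE of the IPS.
vlan 211
 name SERVERS-210-GATEWAY
vlan 221
 name SERVERS-220-GATEWAY
exit
!
! 2. Move the default gateways: the SVIs on 210/220 lose their addresses,
!    and the same addresses are re-created on 211/221. Servers keep their
!    existing IP and gateway settings; their ARP for the gateway now crosses
!    the IPS.
interface Vlan210
 no ip address
 shutdown
interface Vlan220
 no ip address
 shutdown
interface Vlan211
 description Gateway for servers on VLAN 210 (reached through the IPS)
 ip address 192.0.2.1 255.255.255.0
 no shutdown
interface Vlan221
 description Gateway for servers on VLAN 220 (reached through the IPS)
 ip address 198.51.100.1 255.255.255.0
 no shutdown
!
! 3. Trunk to the IPS OUTSIDE port: only the gateway VLANs are allowed.
interface FastEthernet0/47
 description To IPS OUTSIDE
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 211,221
 switchport nonegotiate
 spanning-tree bpdufilter enable
!
! 4. Trunk to the IPS INSIDE port: only the server VLANs are allowed.
interface FastEthernet0/48
 description To IPS INSIDE
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 210,220
 switchport nonegotiate
 spanning-tree bpdufilter enable
end
write memory
```

After applying it, `show interfaces trunk` should list fa0/47 with VLANs 211,221 and fa0/48 with VLANs 210,220, `show ip interface brief` should show Vlan211 and Vlan221 up with the moved addresses, and a server on VLAN 210 should still reach its gateway (now the Vlan211 SVI) only through the IPS. The IPS itself must be configured to bridge 210 to 211 and 220 to 221 between its inside and outside ports; that part is product-specific and outside this example. The workstation VLANs (110, 120, 130) and the 2950 uplinks need no change, since routing between them and the new gateway VLANs stays on the 3550s.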

