Asked by wk (Hong Kong)
Adding an IPS for protecting traffic between server vlans and workstation vlans

Here is our environment:

I have 2 x 3550 (48 ports, EMI) working as a pair of core switches.  There are 3 x 2950 working as access-layer switches.  Each 2950 (24 ports) is connected to both 3550s with STP enabled.

The (host) names of the switches are C3550A, C3550B, C2950A, C2950B and C2950C.

C2950A FastEthernet0/23 is connected to C3550A
C2950A FastEthernet0/24 is connected to C3550B
C2950B FastEthernet0/23 is connected to C3550A
C2950B FastEthernet0/24 is connected to C3550B
C2950C FastEthernet0/23 is connected to C3550A
C2950C FastEthernet0/24 is connected to C3550B

The workstation farm has 3 VLANs: VLAN 110, 120 and 130.  Basically, all remaining ports in C2950A are VLAN 110.  Likewise, all remaining ports in C2950B are VLAN 120 and all remaining ports in C2950C are VLAN 130.

The server farm has 2 VLANs: VLAN 210 and 220.  Servers in the server farm have 2 NICs each, one connecting to C3550A and the other connecting to C3550B.

My problem is, if I need to add an in-line mode IPS protecting all traffic from the workstation farm to the server farm (and from the server farm to the workstation farm), how should I configure the switches so that the traffic between server VLANs and workstation VLANs is inspected by the in-line mode IPS?
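One way to force routed server/workstation traffic through a transparent in-line IPS on a 3550 that has no VRF support, shown here as an added example that is not part of this thread or of the accepted solution: keep the server ports in VLAN 210/220, create a paired "gateway-side" VLAN for each (211 and 221 are assumed numbers), move the routed SVI to the paired VLAN, and let the IPS bridge each pair. The IPS-facing ports Fa0/45-Fa0/48 and the 10.210.0.1/10.220.0.1 gateway addresses are also assumptions.

```cisco
! C3550A (added example; VLAN 211/221, ports Fa0/45-48 and IPs are assumed)
! Design: servers stay in VLAN 210/220. Their default gateway is an SVI on the
! paired VLAN 211/221. The only L2 path between 210<->211 and 220<->221 is the
! IPS segment, so every routed packet to or from a server crosses the IPS.
!
vlan 210
vlan 211
vlan 220
vlan 221
!
! No SVI on the host-side VLANs: the switch must not route around the IPS.
no interface Vlan210
no interface Vlan220
!
! Routed gateways live on the IPS-facing side of the pair. Servers keep their
! existing default gateway address; it simply moves to the paired SVI.
interface Vlan211
 description Gateway for server VLAN 210 (reached only through the IPS)
 ip address 10.210.0.1 255.255.255.0
interface Vlan221
 description Gateway for server VLAN 220 (reached only through the IPS)
 ip address 10.220.0.1 255.255.255.0
!
! IPS segment 1 bridges VLAN 210 <-> 211 (port A host side, port B gateway side).
! BPDUs are filtered: a BPDU relayed by the IPS would arrive back at the same
! switch and make STP block one of the two ports, cutting the server path.
interface FastEthernet0/45
 description IPS seg1 port A - host side VLAN 210
 switchport mode access
 switchport access vlan 210
 spanning-tree bpdufilter enable
interface FastEthernet0/46
 description IPS seg1 port B - gateway side VLAN 211
 switchport mode access
 switchport access vlan 211
 spanning-tree bpdufilter enable
! IPS segment 2 bridges VLAN 220 <-> 221
interface FastEthernet0/47
 switchport mode access
 switchport access vlan 220
 spanning-tree bpdufilter enable
interface FastEthernet0/48
 switchport mode access
 switchport access vlan 221
 spanning-tree bpdufilter enable
!
! Workstation SVIs (Vlan110/120/130) stay as they are: their traffic to the
! servers is routed onto Vlan211/221 and then bridged through the IPS.
```

Shown for C3550A only; in the dual-3550 design the paired VLANs 211/221 must also be carried on the inter-switch trunk and C3550B must likewise have no SVI on VLAN 210/220, so that a server NIC on C3550B still reaches a gateway only through the IPS segment.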
qbakies (United States of America):

IPS modules are usually placed at the Internet gateway and inspect traffic on that interface so any 'intrusions' are stopped there, but regardless of where they are placed they have to be applied to an interface to inspect traffic.  For the IPS modules in my ASAs I created a service-policy and then applied it to the interface that I wanted to inspect in inline mode.  Are you worried that traffic between your VLANs is compromised in some way?  
wk (asker):

Dear qbakies,

Thank you for your comments.  My situation is not aimed at protection of the Internet/WAN gateway.  In fact, it is a closed environment.  The IPS is not a Cisco solution; in fact, it is one of the leaders in the Gartner MQ for Network IPS 2009 (and in every Gartner MQ for NIPS since the first release).

A copy can be found at http://www.tippingpoint.com/pdf/analyst/TippingPoint3048.pdf.

I am protecting the traffic from/to the server farm via trusted workstations.  That's why I am looking into how I can set up the switches to make use of the in-line inspection IPS.

Anyway, thanks.

William Lee    CISA
Hong Kong
ASKER CERTIFIED SOLUTION
Nayyar HH (CCIE RS), United Kingdom:

This solution is only available to members.  To access this solution, you must be a member of Experts Exchange.
wk (asker):

Let me check.  If it succeeds, I will accept this as the solution.

Thanks a lot!
wk (asker):

Can you help me in providing the commands in IOS?

Thanks a lot.
SOLUTION

This solution is only available to members.  To access this solution, you must be a member of Experts Exchange.