Adding an IPS for protecting traffic between server vlans and workstation vlans

Here is our environment:

I have 2 x 3550 (48 ports, EMI) working as a pair of core switch.  There are 3 x 2950 working as access layer switch.  Each 2950 (24 ports) is connected to both 3550 with STP enabled.

The (host) names of the switches are C3550A, C3550B, C2950A, C2950B and C2950C.

C2950A FastEthernet0/23 is connected to C3550A
C2950A FastEthernet0/24 is connected to C3550B
C2950B FastEthernet0/23 is connected to C3550A
C2950B FastEthernet0/24 is connected to C3550B
C2950C FastEthernet0/23 is connected to C3550A
C2950C FastEthernet0/24 is connected to C3550B

Workstation farm has 3 VLANs, they are VLAN 110, 120 and 130.  Basically, all remaining ports in C2950A are VLAN 110.  Likewise all remaining ports in C2950B are VLAN 120 and all remaining ports in C2950C are VLAN 130.

Server farm has 2 VLANs, they are VLAN 210 and 220.  Servers in server farm has 2 NICs each, one connecting to C3550A and the other connecting to C3550B.

My problem is, if I need to add an in-line mode IPS protecting all traffic from workstation farm to server farm (and from server farm to workstation farm), how should I config the switches to let the traffic between server vlans and workstation vlans are being inspected by an in-line mode IPS?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

IPS modules are usually placed at the Internet gateway and inspect traffic on that interface so any 'intrusions' are stopped there, but regardless of where they are placed they have to be applied to an interface to inspect traffic.  For the IPS modules in my ASAs I created a service-policy and then applied it to the interface that I wanted to inspect in inline mode.  Are you worried that traffic between your VLANs is compromised in some way?  
wkAuthor Commented:
Dear qbakies,

Thank you for your comments.  My situation is not aimed at protection for Internet/WAN gateway.  In fact, it is a closed environment.  The IPS is not a Cisco solution, in fact, it is one of the leaders in Gartner MQ on Network IPS 2009 (also all Gartner MQ for NIPS since the first release).

A copy can be found at

I am protecting the traffic from/to server farm via trusted workstation.  That's why I am looking into how I can setup the switch to make use of the in-line inspection IPS.

Anyway, thanks.

William Lee    CISA
Hong Kong
Nayyar HH (CCIE RS)Network ArchitectCommented:
Look implementing it to brigded between Server VLAN and a Server Gateway VLAN. In your secnraio, you have servers on VLAN 210 and VLAN 220 say subnets  and
Create two new VLANs 211 and 221 move the server default gateways onto these new SVI's e.g. and Finally physically connect IPS OUTSIDE on trunk port truning outside vlans VLAN 211 and 221, while IPS INSIDE port is connected to another trunk port trunking VLAN 210 and 220. This creates the logical tolopogy to enable all traffic to/from for the servers to be inspected by the IPS and then bridged accordingly.

To represent this logically, it would look like this.

SERVER (VL210&220) <------- TRUNK(allowing VL210&220) ------> IPS <------- TRUNK(allowing VL211&221) ------> SVI's (VL211&221)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

wkAuthor Commented:
Let me check.  If success, I will accept this as solution.

Thanks a lot!
wkAuthor Commented:
Can you help me in providing the commands in IOS?

Thanks a lot.
Nayyar HH (CCIE RS)Network ArchitectCommented:
As an example this would configure port fa0/24 connecting to IPS as a trunk ports permitting only VLAN 201,202

Conf t
int fa0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 201, 202
write mem

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.