Inline interfaces vs. inline VLANs

liven Posts: 918 Member
I am trying to wrap my head around these concepts.

I have been using the IPS in the ASA, and it can act like inline pairs even though it really physically is more like a single interface in promisc mode.


Anyway, on the bigger sensors, the 42xx, I am trying to understand inline VLAN pairs. To me this sounds kinda like inter-VLAN routing or a router-on-a-stick kinda thing.... Am I correct in this assumption?

Like if I had a switch and made 2 VLANs, vlan10 and vlan20. Then basically the IPS interface connected to the switch acts like a trunk and allows the two VLANs to talk to each other?
encrypt the encryption, never mind my brain hurts.

Comments

  • dtlokee Posts: 2,381 Member
    Yes, but the sensor interface operates as a layer 2 interface with no IP addresses, so it's not a router but more of a transparent switch. As the traffic is forwarded through the sensor it is inspected on all 7 layers as required by the signatures. When you configure a sensor and your network like this, the 2 VLANs in the VLAN pair will be the same broadcast domain (essentially bridged together by the sensor) and will have the same subnet address.
    The only easy day was yesterday!
  • liven Posts: 918 Member
    I love you man!

    Ok,

    But if I configure 2 interfaces to operate in inline interface mode, do the interfaces have IP addresses?

    And do the interfaces act as the gateway for devices directly connected? Or does it act more like a network tap?
    encrypt the encryption, never mind my brain hurts.
  • liven Posts: 918 Member
    And when I do the VLAN pair config, do both VLANs (vlans 10 and 20 in my example) have to be in the same subnet?

    You say it acts at layer 2 as a transparent switch, so I guess no routing can be performed, so both vlans would have to be in the same subnet....?

    If this is the case, what is the advantage of VLAN pairs compared to just inline interfaces?
    encrypt the encryption, never mind my brain hurts.
  • dtlokee Posts: 2,381 Member
    Any sort of inline pair acts as if it were a L2 device (so no IP addressing and no routing). This allows the sensor to act as a transparent device (sometimes called "stealth mode" or "bump in the wire" because they are there but no one knows about them) and it will inspect the traffic flowing through it. Typically, for optimum effectiveness, you will want to put the devices on one interface and the connection upstream on another interface (or VLANs if using VLAN pairs).
    The only easy day was yesterday!
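The behaviour described in the two replies above, as an added example that is not part of the original thread or of any Cisco IPS code: a small Python model of an inline VLAN pair on one trunk port. A frame that arrives tagged VLAN 10 is inspected and, if no signature fires, sent back out tagged VLAN 20 (and vice versa) with the MAC addresses, IP header and payload untouched, which is why both VLANs share one broadcast domain and one subnet. The VLAN numbers 10 and 20, the MAC and IP addresses, the HTTP payloads and the single "signature" (drop IPv4 traffic containing `/etc/passwd`) are all constructed for the example; a real sensor matches far richer signatures.

```python
import socket
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed inline VLAN pair: the sensor bridges VLAN 10 and VLAN 20 that both
# arrive on the same physical trunk port. Ingress on one VLAN egresses on the other.
VLAN_PAIR = {10: 20, 20: 10}

# Toy signature (assumption for the example): deny IPv4 packets carrying this string.
BLOCKED_PATTERN = b"/etc/passwd"


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for the constructed IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src_ip: str, dst_ip: str, data: bytes, proto: int = 6) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around `data`."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + data


def build_frame(dst_mac: bytes, src_mac: bytes, vid: int, ethertype: int,
                payload: bytes, pcp: int = 0) -> bytes:
    """Build an 802.1Q tagged Ethernet frame: dst, src, TPID, TCI, inner EtherType, payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes):
    """Split a tagged frame into (dst_mac, src_mac, vid, ethertype, payload)."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return dst_mac, src_mac, tci & 0x0FFF, ethertype, frame[18:]


def inspect(ethertype: int, payload: bytes) -> bool:
    """Return True if the packet may pass, False if the toy signature fires."""
    return not (ethertype == ETHERTYPE_IPV4 and BLOCKED_PATTERN in payload)


def forward(frame: bytes):
    """Model of the inline VLAN pair: inspect, then re-tag to the paired VLAN.

    Returns the egress frame, or None if the sensor denies the packet. Only the
    VLAN ID in the 802.1Q tag changes; MACs, IP addresses and payload are copied
    through unchanged, which is what makes the sensor a layer 2 "bump in the wire".
    """
    dst_mac, src_mac, vid, ethertype, payload = parse_frame(frame)
    if vid not in VLAN_PAIR:
        raise ValueError("VLAN %d is not part of the inline pair" % vid)
    if not inspect(ethertype, payload):
        return None
    return build_frame(dst_mac, src_mac, VLAN_PAIR[vid], ethertype, payload)


def demo() -> dict:
    """Constructed traffic: host 10.1.1.10 on VLAN 10 talking to gateway 10.1.1.1 on VLAN 20."""
    host_mac = bytes.fromhex("0a0000000001")
    gw_mac = bytes.fromhex("0a0000000002")
    clean = build_frame(gw_mac, host_mac, 10, ETHERTYPE_IPV4,
                        ipv4_packet("10.1.1.10", "10.1.1.1", b"GET / HTTP/1.0\r\n\r\n"))
    bad = build_frame(gw_mac, host_mac, 10, ETHERTYPE_IPV4,
                      ipv4_packet("10.1.1.10", "10.1.1.1", b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"))
    reply = build_frame(host_mac, gw_mac, 20, ETHERTYPE_IPV4,
                        ipv4_packet("10.1.1.1", "10.1.1.10", b"HTTP/1.0 200 OK\r\n\r\n"))
    return {
        "clean_egress_vid": parse_frame(forward(clean))[2],   # 20
        "reply_egress_vid": parse_frame(forward(reply))[2],   # 10
        "bad_dropped": forward(bad) is None,                  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that `forward` never looks at the IP addresses: 10.1.1.10 and 10.1.1.1 sit in the same /24 even though they are on different VLANs, and the sensor needs no address of its own. With an inline interface pair the model is identical except that ingress and egress are two physical ports rather than two VLAN tags on one port.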
  • liven Posts: 918 Member
    Ok, thanks man...

    Going to mess around with this some more.

    I think I pretty much have it all straight in my head.

    Thanks again
    encrypt the encryption, never mind my brain hurts.