Catalyst 6500 switch configuration for IPS inline mode

I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLANs for inline operation.

However, I don't see any document that describes how the desired VLAN traffic gets forced through the IPS.

In promiscuous mode, you can use a VACL capture/copy to forward the desired traffic to the IPS for analysis. I don't see how to get the desired traffic through the IPS in inline mode.

Note that the 6500 is running native IOS 12.2(18)SXE.

Thanks for any help.

A transparent firewall is a pretty good comparison.

Say you have VLAN 10 with 100 PCs and 1 router for the network.

If you want to apply a transparent firewall to this VLAN, you can't just put the firewall interface on VLAN 10. Nothing would go through the firewall.

Instead, you need to create a new VLAN, say 1010. Now you place one firewall interface on VLAN 10 and the other on VLAN 1010. Still nothing goes through the firewall. So now you move that router from VLAN 10 to VLAN 1010. All you change is the VLAN; the IP address and mask of the router remain the same.

The transparent firewall bridges VLAN 10 and VLAN 1010. The PCs on VLAN 10 are still able to communicate through the router, but must go through the transparent firewall to do so.

The firewall is transparent because there is no IP routing between the 2 VLANs; instead, the same IP subnet is on both VLANs and the transparent firewall bridges between the 2 VLANs.

The transparent firewall can filter traffic between the PCs on VLAN 10 and the router on VLAN 1010. But if PC A on VLAN 10 talks to PC B on VLAN 10, the transparent firewall does not see and cannot block that traffic.

An inline sensor is very similar to the transparent firewall and will bridge between the 2 VLANs. Similarly, an inline sensor is able to monitor inline the traffic between the PCs on VLAN 10 and the router on VLAN 1010, but will not be able to monitor the traffic between 2 PCs on VLAN 10.

Now PCs on one VLAN and the router on the other VLAN is a classic deployment for inline sensors, but your VLAN need not be divided this way. You could choose to place some servers in one VLAN and desktops in the other VLAN. You subdivide the VLAN in whatever way is logical for your deployment.

Now for monitoring several VLANs, the same principle still applies. You can't monitor traffic between machines on the same VLAN. So for each VLAN that you want to analyze, you will need to create a new VLAN and divide the machines between the 2 VLANs.

In your case with native IOS, you are limited to only 1 VLAN pair for inline monitoring, but your desired deployment would require 20 VLAN pairs.

The IPS 5.1 software now has the ability to handle the 20 pairs, but the native IOS software doesn't have the ability to send the 40 VLANs (20 pairs) to the IDSM-2.

Changes to native IOS are in testing right now, but I have not heard a release date for these changes.

Now CatOS has already made these changes. So here is a basic breakdown of what you could do in CatOS, which you can use to prepare for a native IOS deployment when it comes out.

For VLANs 10-20 and 300-310 that you want monitored, you will need to break each of those VLANs into 2 VLANs.

Let's say that we keep it simple and add 500 to each VLAN to create the new VLAN for each pair.

Therefore, the following pairs:

10/510, 11/511, 12/512, etc...

300/800, 301/801, 302/802, etc...

You configure the sensor port to trunk all 40 VLANs:

set trunk 5/7 10-20,300-310,510-520,800-810

(And then clear all other VLANs off this trunk to clean things up.)

In the IDSM-2 configuration, create the 20 inline VLAN pairs on interface GigabitEthernet0/7.

Now on each of the 20 original VLANs, move the default router for that original VLAN to its VLAN 500 higher.

At this point, you should be good to go. The IDSM-2 will not monitor traffic that remains inside each of the 20 original VLANs, but will monitor the traffic routed into and out of each of the 20 VLANs.

Due to a switch bug, you may need to move an extra PC into the same VLAN as the router if the switch/MSFC is used as the router and you deploy with an IDSM-2.
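As an added example (not from the original thread), a small Python planner for the VLAN pairing scheme described above: it derives the partner VLAN for each monitored VLAN by adding the offset, rejects offsets that would land a partner VLAN back inside the monitored set or above 4094, and renders the combined VLAN list in the range syntax the set trunk command takes. The comma-separated range syntax for the CatOS trunk VLAN list is assumed.

```python
"""Plan inline VLAN pairs for an IDSM-2 the way the answer above describes.

Given the VLANs to monitor and an offset, this produces the VLAN pairs,
checks that the derived partner VLANs do not collide with monitored VLANs
or exceed the 802.1Q range, and renders the 'set trunk' VLAN list.
"""

VLAN_MAX = 4094  # highest usable 802.1Q VLAN ID


def expand_ranges(spec):
    """Turn '10-20,300-310' into a sorted list of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return sorted(vlans)


def compact_ranges(vlans):
    """Render sorted VLAN IDs as 'a-b,c,d-e' (assumed CatOS list syntax)."""
    out = []
    start = prev = None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = v
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def plan_vlan_pairs(monitored_spec, offset=500):
    """Return (pairs, trunk_vlans): each pair is (original, original+offset).

    Raises ValueError when the offset would reuse a monitored VLAN as a
    partner (traffic would then bypass the sensor) or leave the VLAN range.
    """
    originals = expand_ranges(monitored_spec)
    pairs = []
    for vlan in originals:
        partner = vlan + offset
        if partner > VLAN_MAX:
            raise ValueError(f"VLAN {vlan}+{offset} exceeds {VLAN_MAX}")
        if partner in originals:
            raise ValueError(f"VLAN {partner} is both monitored and a partner")
        pairs.append((vlan, partner))
    trunk = sorted(v for pair in pairs for v in pair)
    return pairs, compact_ranges(trunk)


def catos_trunk_command(mod_port, monitored_spec, offset=500):
    """Render the 'set trunk' line for the sensor port (5/7 in the answer)."""
    _, trunk_vlans = plan_vlan_pairs(monitored_spec, offset)
    return f"set trunk {mod_port} {trunk_vlans}"


if __name__ == "__main__":
    for original, partner in plan_vlan_pairs("10-20,300-310")[0]:
        print(f"{original}/{partner}")
    print(catos_trunk_command("5/7", "10-20,300-310"))
```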

Tags: Cisco Security
