Unsolved

RC

1229

April 13th, 2017 11:00

converging multiple external source vlan access ports through IPS to another vlan on switch (pictures help explain)

Right now I have a configuration that works, but I'm getting a couple of ARP issues between external devices, so I'm looking to further segregate. I have a switch, an N2000 to be precise, that has all of my public devices on it. I have an IPS that I run all external traffic through. One side of the switch is set as the "unsanitized" public traffic directly from the ISP; the other side is the "sanitized" public traffic after it goes through the IPS. Right now I have two vlans that do this, but I have two ISPs and a single IPS physical port for in and out.

Current setup (only showing relevant info):

vlan 2000,3000

vlan 2000
name "UNSANITIZED INTERNET"
exit

vlan 3000
name "SANITIZED INTERNET"
exit

interface Gi1/0/1
description "ISP NUMBER 1"
spanning-tree portfast
switchport access vlan 2000
exit
!
interface Gi1/0/2
description "ISP NUMBER 2"
spanning-tree portfast
switchport access vlan 2000
exit
!
interface Gi1/0/5
description "EXTERNAL FACING PORT OF IPS"
spanning-tree disable
switchport access vlan 2000
exit
!
interface Gi1/0/6
description "INTERNAL FACING PORT OF IPS"
spanning-tree disable
switchport access vlan 3000
exit
!
interface Gi1/0/15
description "FIREWALL OUTSIDE INTERFACE"
spanning-tree portfast
switchport access vlan 3000
exit
!
interface Gi1/0/16
description "ANOTHER FIREWALL OUTSIDE INTERFACE"
spanning-tree portfast
switchport access vlan 3000
exit
!
interface Gi1/0/17
description "ANOTHER FIREWALL OUTSIDE INTERFACE"
spanning-tree portfast
switchport access vlan 3000
exit

I'd like to introduce vlan 1000 for interface Gi1/0/1 so that it is isolated from the other ISP devices. Right now both sides of the IPS are in access mode (2000 for the "external" side and 3000 for the "internal" side) and the traffic is untagged on all ports. I was trying to think of a way to pass both vlans 1000,2000 through the external interface of the IPS and out back onto the 3000 vlan. 

I'm stuck on whether I could somehow use general mode and untagged vlans to traverse the IPS together but keep the external modems or fiber ONT devices from being able to potentially see hardware MAC addresses from the other ISP.

Below is a very crude diagram of the setup. Traffic ingresses and egresses through the IPS bidirectionally but the end result is that the IPS has seen the traffic before it leaves the network to the Internet or before it enters the outside interface of our firewalls.

Hopefully that makes sense and thanks for any ideas.

5 Practitioner • 274.2K Posts

April 14th, 2017 07:00

I do not think you will be able to accomplish this with General mode and all untagged traffic. General mode can send multiple VLANs as untagged, meaning traffic going internal may reach its destination. But issues would arise with returning traffic as the General mode interface can only receive untagged for one VLAN.
Is the internal network all on the same subnet? Are the two ISPs being used for redundancy, or providing connectivity to different groups? What model IPS device is being used? Does it support VLAN tagging?

April 14th, 2017 08:00

Daniel,

Thanks for the reply. It is a Dell SecureWorks IPS; the IPS is just inline of any data and the interfaces aren't configured for anything. I haven't followed up with them to see if it is configurable on each interface.

The two ISPs are used for both redundancy and different connectivity groups.

The IPS is sitting between the uplink devices and the external ports of the firewall devices. It is checking traffic on the external zone before it even hits our firewalls. The traffic is the same on both sides just "sanitized". So if your public IP is 1.1.1.10/30, then that subnet is passed through the IPS to the "sanitized" side.

The configuration posted works and has for some time. Every so often I have had an issue with one ISP getting ARP information from the wrong devices and we had some "flapping" of a connection.

Maybe it would be easier to see if the IPS could have another couple of NICs to have inline of another similar setup so they could all be vlan'd independently. If they can watch two inline paths on a device that may be the easiest solution.
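A small check for the ARP symptom described above, added here as an example and not code from the thread or from Dell: given ARP replies captured off the shared unsanitized VLAN (constructed sample lines in a made-up "port sender-ip sender-mac" format, with IPs from documentation ranges), it reports IPs claimed by more than one MAC and MACs seen behind more than one switch port, which is what shows up as "ARP information from the wrong devices" and connection flapping.

```python
"""Spot ARP conflicts on a VLAN shared by several ISP hand-off devices."""
from collections import defaultdict

# Constructed sample capture, one ARP reply per line: "port sender_ip sender_mac".
# Values are invented for illustration (RFC 5737 documentation IP ranges).
SAMPLE_ARP_LOG = """\
Gi1/0/1 198.51.100.9 00:11:22:aa:bb:01
Gi1/0/2 203.0.113.9 00:11:22:aa:bb:02
Gi1/0/5 198.51.100.10 00:11:22:cc:dd:05
Gi1/0/2 198.51.100.9 00:11:22:aa:bb:02
Gi1/0/1 198.51.100.9 00:11:22:aa:bb:01
Gi1/0/2 203.0.113.9 00:11:22:aa:bb:01
"""


def parse_arp_log(text):
    """Return (port, ip, mac) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        port, ip, mac = parts
        records.append((port, ip, mac.lower()))
    return records


def find_arp_conflicts(records):
    """Map each IP answered by more than one MAC to its sorted (mac, port) claimants."""
    claims = defaultdict(set)
    for port, ip, mac in records:
        claims[ip].add((mac, port))
    return {ip: sorted(c) for ip, c in claims.items()
            if len({mac for mac, _ in c}) > 1}


def find_mac_moves(records):
    """Map each MAC seen behind more than one port to the sorted list of ports."""
    ports = defaultdict(set)
    for port, _, mac in records:
        ports[mac].add(port)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    recs = parse_arp_log(SAMPLE_ARP_LOG)
    for ip, claimants in find_arp_conflicts(recs).items():
        print(f"IP {ip} answered by several MACs: {claimants}")
    for mac, seen_on in find_mac_moves(recs).items():
        print(f"MAC {mac} moving between ports: {seen_on}")
```

Feed it the ARP replies seen on a monitor (SPAN) session of the unsanitized VLAN; any hit is a device that should not be sharing a broadcast domain with the others.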

5 Practitioner • 274.2K Posts

April 14th, 2017 08:00

I did some quick searching and did not find anything on SecureWorks supporting VLAN tagging. The only other thing I can think of right now would be to set the switch to be Layer 3, configure policy-based routing, and then configure any additional ACLs to control access from one VLAN to another. But this may not be ideal for you. Here is a white paper with some scenarios to look through.

http://dell.to/1rEuVjn
