Robert Clemens
1 Nickel

converging multiple external source vlan access ports through IPS to another vlan on switch (pictures help explain)

Right now I have a configuration that works but I'm getting a couple of ARP issues between external devices, so I'm looking to further segregate. I have a switch, an N2000 to be precise, that I have all of my public devices on. I have an IPS that I run all external traffic through. One side of the switch is set as the "unsanitized" public traffic directly from the ISP, the other side is the "sanitized" public traffic after it goes through the IPS. Right now I have two vlans that do this, but I have two ISPs and a single IPS physical port for in and out.

Current setup (only showing relevant info):

vlan 2000,3000

vlan 2000
name "UNSANITIZED INTERNET"
exit

vlan 3000
name "SANITIZED INTERNET"
exit

interface Gi1/0/1
description "ISP NUMBER 1"
spanning-tree portfast
switchport access vlan 2000
exit
!
interface Gi1/0/2
description "ISP NUMBER 2"
spanning-tree portfast
switchport access vlan 2000
exit

interface Gi1/0/5
description "EXTERNAL FACING PORT OF IPS"
spanning-tree disable
switchport access vlan 2000
exit
!
interface Gi1/0/6
description "INTERNAL FACING PORT OF IPS"
spanning-tree disable
switchport access vlan 3000
exit

interface Gi1/0/15
description "FIREWALL OUTSIDE INTERFACE"
spanning-tree portfast
switchport access vlan 3000
exit
!
interface Gi1/0/16
description "ANOTHER FIREWALL OUTSIDE INTERFACE"
spanning-tree portfast
switchport access vlan 3000
exit
!
interface Gi1/0/17
description "ANOTHER FIREWALL OUTSIDE INTERFACE"
spanning-tree portfast
switchport access vlan 3000
exit

I'd like to introduce vlan 1000 for interface Gi1/0/1 so that it is isolated from the other ISP devices. Right now both sides of the IPS are in access mode (2000 for the "external" side and 3000 for the "internal" side) and the traffic is untagged on all ports. I was trying to think of a way to pass both vlans 1000 and 2000 through the external interface of the IPS and out back onto the 3000 vlan.

I'm having a block on whether I could somehow use general mode and untagged vlans to traverse the IPS together but keep the external modems or fiber ONT devices from being able to potentially see hardware MAC addresses from the other ISP.

Below is a very crude diagram of the setup. Traffic ingresses and egresses through the IPS bidirectionally but the end result is that the IPS has seen the traffic before it leaves the network to the Internet or before it enters the outside interface of our firewalls.

Hopefully that makes sense and thanks for any ideas.

0 Kudos
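To make the layer-2 situation in the post concrete, here is an added example (not part of the post and not Dell's tooling) that parses the quoted config fragment and reports which access ports share a broadcast domain. It uses a constructed copy of the posted lines (ports Gi1/0/15-17 and the spanning-tree lines are left out for brevity); the VLAN name used for the proposed vlan 1000 is an assumption. It shows why the two ISP uplinks currently see each other's ARP and MAC addresses (both are untagged members of vlan 2000 together with the IPS outside port), and that moving Gi1/0/1 into vlan 1000 on its own isolates it but also removes its path to the single IPS access port, which is exactly the constraint the post is asking about.

```python
"""Parse a Dell N-series style config fragment and report which access ports
share a layer-2 broadcast domain (added example, not from the post)."""
import copy
import re
from collections import defaultdict

# Constructed sample: the relevant lines quoted in the post (Gi1/0/15-17 omitted).
SAMPLE_CONFIG = """\
vlan 2000,3000
vlan 2000
name "UNSANITIZED INTERNET"
exit
vlan 3000
name "SANITIZED INTERNET"
exit
interface Gi1/0/1
description "ISP NUMBER 1"
switchport access vlan 2000
exit
interface Gi1/0/2
description "ISP NUMBER 2"
switchport access vlan 2000
exit
interface Gi1/0/5
description "EXTERNAL FACING PORT OF IPS"
switchport access vlan 2000
exit
interface Gi1/0/6
description "INTERNAL FACING PORT OF IPS"
switchport access vlan 3000
exit
"""

def parse_config(text):
    """Return {"vlans": {id: name}, "interfaces": {port: {...}}} from the fragment."""
    vlans, interfaces, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"vlan ([\d,]+)$", line)
        if m:  # "vlan 2000" opens a block; "vlan 2000,3000" only creates the VLANs
            ids = [int(v) for v in m.group(1).split(",")]
            for v in ids:
                vlans.setdefault(v, "")
            block = ("vlan", ids[0]) if len(ids) == 1 else None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            block = ("iface", m.group(1))
            interfaces[m.group(1)] = {"description": "", "access_vlan": None}
            continue
        if line == "exit":
            block = None
        elif block and block[0] == "vlan":
            if m := re.match(r'name "(.*)"$', line):
                vlans[block[1]] = m.group(1)
        elif block:
            iface = interfaces[block[1]]
            if m := re.match(r'description "(.*)"$', line):
                iface["description"] = m.group(1)
            elif m := re.match(r"switchport access vlan (\d+)$", line):
                iface["access_vlan"] = int(m.group(1))
    return {"vlans": vlans, "interfaces": interfaces}

def ports_by_vlan(cfg):
    """Untagged access-port membership per VLAN."""
    groups = defaultdict(set)
    for port, iface in cfg["interfaces"].items():
        if iface["access_vlan"] is not None:
            groups[iface["access_vlan"]].add(port)
    return dict(groups)

def l2_peers(cfg, port):
    """Other access ports in the same VLAN: devices that can see this port's ARP and MAC."""
    vlan = cfg["interfaces"][port]["access_vlan"]
    return ports_by_vlan(cfg).get(vlan, set()) - {port}

def isp_colocation(cfg):
    """VLANs holding more than one ISP-facing port (matched on the port description)."""
    found = {}
    for vlan, ports in ports_by_vlan(cfg).items():
        isp = sorted(p for p in ports if re.search(r"\bISP\b", cfg["interfaces"][p]["description"]))
        if len(isp) > 1:
            found[vlan] = isp
    return found

def move_access_vlan(cfg, port, vlan, name=""):
    """Copy of cfg with `port` moved to `vlan` (created if absent); the original is untouched."""
    new = copy.deepcopy(cfg)
    new["vlans"].setdefault(vlan, name)
    new["interfaces"][port]["access_vlan"] = vlan
    return new

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("ISP ports sharing a VLAN:", isp_colocation(cfg))  # {2000: ['Gi1/0/1', 'Gi1/0/2']}
    proposed = move_access_vlan(cfg, "Gi1/0/1", 1000, "ISP1 UNSANITIZED")  # hypothetical name
    print("Gi1/0/1 peers after move:", l2_peers(proposed, "Gi1/0/1"))  # set(): isolated, but no path to Gi1/0/5
```

Run against the current config, `isp_colocation` flags vlan 2000 because both ISP ports are untagged members of it; after the proposed move, `l2_peers` for Gi1/0/1 is empty, which confirms the isolation but also makes visible that an access-mode IPS port in vlan 2000 can no longer carry that uplink's traffic.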