36-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 36 Managing IPS Device Interfaces
Understanding Interface Modes
Non-802.1q-encapsulated (untagged) traffic is associated with the unassigned VLAN group, and the native VLAN cannot be assigned to any other VLAN group.
Note You can configure a port on a switch as either an access port or a trunk port. On an access port, all traffic
is in a single VLAN, called the access VLAN. On a trunk port, multiple VLANs can be carried over
the port, and each packet has a special header attached, called the 802.1q header, that contains the VLAN
ID. This header is commonly referred to as the VLAN tag. However, a trunk port has a special VLAN called
the native VLAN. Packets in the native VLAN do not have the 802.1q header attached. IDSM-2 can
read the 802.1q header of all non-native traffic to determine the VLAN ID for that packet. However,
IDSM-2 does not know which VLAN is configured as the native VLAN for the port in the switch
configuration, so it cannot tell which VLAN the untagged packets belong to. Therefore, you must tell
IDSM-2 which VLAN is the native VLAN for that port. IDSM-2 then treats any untagged packet as if
it were tagged with the native VLAN ID.
Related Topics
Deploying VLAN Groups, page 36-5
Understanding Interfaces, page 36-1
Configuring VLAN Groups, page 36-15
Deploying VLAN Groups
Because a VLAN group of an inline pair does not translate the VLAN ID, an inline interface pair must
sit between two switches to use VLAN groups on a logical interface. For an appliance, you can instead connect
the two ports of the pair to the same switch, make them access ports, and set the access VLAN of the two
ports differently. In this configuration, the sensor connects between two VLANs, because each of the
two ports is in access mode and carries only one VLAN. The two ports must be in different
VLANs, and the sensor bridges the two VLANs, monitoring any traffic that flows between them.
IDSM-2 also operates in this manner, because its two data ports are always connected to the
same switch.
You can also connect appliances between two switches. There are two variations. In the first variation,
the two ports are configured as access ports, so they carry a single VLAN. In this way, the sensor bridges
a single VLAN between the two switches.
In the second variation, the two ports are configured as trunk ports, so they can carry multiple VLANs.
In this configuration, the sensor bridges multiple VLANs between the two switches. Because multiple
VLANs are carried over the inline interface pair, the VLANs can be divided into groups and each group
can be assigned to a virtual sensor. The second variation does not apply to IDSM-2 because it cannot be
connected in this way.
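The VLAN attribution described in the note above (read the VLAN ID from the 802.1q tag, fall back to the configured native VLAN for untagged frames) and the group-to-virtual-sensor mapping described in this section can be shown in a few lines of code. The following is an added example written for this page, not Cisco IPS or IDSM-2 code: the frame builder, the VLAN group table, the group and virtual sensor names (vg10, vg20, vs0, vs1) and the native VLAN values are all constructed for illustration, and it does not enforce the rule that the native VLAN cannot be placed in a named group.

```python
import struct
from typing import Dict, FrozenSet, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that announces an 802.1q tag
ETHERTYPE_IPV4 = 0x0800
VID_MASK = 0x0FFF          # low 12 bits of the TCI carry the VLAN ID

# Constructed sample group table, not a real sensor configuration:
# group name -> (member VLAN IDs, virtual sensor the group is assigned to)
VLAN_GROUPS: Dict[str, Tuple[FrozenSet[int], str]] = {
    "vg10": (frozenset({10, 11}), "vs0"),
    "vg20": (frozenset({20}), "vs1"),
}


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Constructed sample input: an Ethernet II frame, optionally 802.1q tagged.

    A tagged frame inserts TPID (0x8100) and TCI between the source MAC and the
    EtherType; an untagged (native VLAN) frame has no such header at all."""
    header = dst + src
    if vlan is not None:
        tci = vlan & VID_MASK          # PCP = 0, DEI = 0, VID = vlan
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_of_frame(frame: bytes, native_vlan: int) -> int:
    """Return the VLAN ID a sensor attributes to a frame seen on a trunk.

    Tagged frames carry their VLAN ID on the wire. Untagged frames carry no
    VLAN information, so the only thing the sensor can do is assume the
    operator-supplied native VLAN; a wrong native_vlan silently misattributes
    every untagged packet."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1q header")
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & VID_MASK
    return native_vlan


def classify(frame: bytes, native_vlan: int,
             vlan_groups: Dict[str, Tuple[FrozenSet[int], str]] = VLAN_GROUPS
             ) -> Tuple[int, str, Optional[str]]:
    """Map a frame to (vlan_id, vlan_group, virtual_sensor).

    VLANs that belong to no configured group fall into the unassigned group,
    which here has no virtual sensor (None)."""
    vid = vlan_of_frame(frame, native_vlan)
    for group, (members, sensor) in vlan_groups.items():
        if vid in members:
            return vid, group, sensor
    return vid, "unassigned", None


if __name__ == "__main__":
    dst, src = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
    tagged = build_frame(dst, src, b"payload", vlan=20)
    untagged = build_frame(dst, src, b"payload")
    print(classify(tagged, native_vlan=1))     # tag wins, native irrelevant
    print(classify(untagged, native_vlan=20))  # untagged -> native VLAN 20
    print(classify(untagged, native_vlan=1))   # wrong native -> unassigned
```

The last two calls are the practical point of the note: the same untagged frame lands on virtual sensor vs1 when the sensor is told the native VLAN is 20, and in the unassigned group when it is told the native VLAN is 1, so the native VLAN setting on the sensor must match the switch port's trunk configuration or native-VLAN traffic ends up inspected by the wrong policy or none.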
Related Topics
Understanding Interfaces, page 36-1
VLAN Group Mode, page 36-4
Configuring VLAN Groups, page 36-15