Inline Vlan Pair scenario
Traffic between Vlan 10 and 20 has to be inspected by IPS, in order to achieve this and to save valuable IPS interface inline vlan pair mode is selected for this setup.
Step by step explanation on how the traffic flow works
1. Attacker initiates an attack from vlan 10, the traffic is forced to enter the IPS first before sending to the layer 3 switch.
2. If the traffic is benign, IPS forwards the traffic to the layer 3 switch and tag the traffic as vlan 110. The actual vlan of the attacker and victim computer is unknown to the layer 3 switch.
3. Layer 3 switch routes the traffic destined for vlan 20 host, this traffic is forced to send to the IPS first.
4. Traffic is forwarded to victim by IPS if the traffic is benign.
Inline vlan pair mode configuration
Layer 2 switch configuration
! interface FastEthernet0/1 description Attacker switchport access vlan 10 switchport mode access spanning-tree portfast end ! interface FastEthernet0/2 description Victim switchport access vlan 20 switchport mode access spanning-tree portfast end ! interface FastEthernet0/23 description To IPS switchport trunk encapsulation dot1q switchport trunk allowed vlan 10,20,110,120 switchport mode trunk end ! interface FastEthernet0/24 description To Layer 3 switch switchport trunk encapsulation dot1q switchport trunk allowed vlan 110,120 switchport mode trunk switchport nonegotiate end
It is important to configure the allowed vlans on the trunk links. The switch interface that trunks with IPS must allow vlans associated to the vlan pairs. In this scenario the IPS pairs Vlan 10 with Vlan 110 and pairs Vlan 20 with Vlan 120.
The trunk links between the layer 2 switch and layer 3 switch must be vlan 110 and 120, to the layer 3 switch vlan 10 and 20 are unknown.
Layer 3 switch configuration
! interface Vlan110 description Vlan 10 Attacker's Gateway ip address 192.168.10.254 255.255.255.0 end ! interface Vlan120 description Vlan 20 Victim's Gateway ip address 192.168.20.254 255.255.255.0 end ! interface FastEthernet1/0/24 switchport trunk encapsulation dot1q switchport trunk allowed vlan 110,120 switchport mode trunk switchport nonegotiate end
The Attacker’s gateway is using Vlan 110 SVI IP address, the Victim’s gateway is using Vlan 120 SVI IP address.
IPS configuration
One sub interface pairs Vlan 10 and 110, this interface represents Attacker.
The next sub interface pairs Vlan 20 with 120, this sub interface represents Victim.
A virtual sensor contains a set of active signatures and rules for the IPS interfaces, it has nothing to do with virtualization. IPS interfaces assigned to this virtual sensor use the same active signatures and rules.
You can add the event action rules when there is a match in signature, the signature contains risk rating, base on the risk rating the rating is divided into HIGHRISK, MEDIUMRISK and LOWRISK, you can apply actions to these ratings.
cyruslab 
Thanks a lot.
Beautifully explained.
Hi,
I have been trying to understand for so long how the traffic is forwarded to the ips? Still confused though.
You described that traffic is forcefully forwarded to the IPS. Can you elaborate how is that achieved? When the attacker machine sends the traffic to different subnet, doesn’t it send it to its gateway? Because the target is on different subnet?
I am trying to understand how IPS takes over the flow.
If the IPS device act as the attacker and victims gateway then the traffic will go through IPS as you described.can you explain how the traffic is handed over to IPS?
BTW, this is what I have been looking except the confusion. Thanks for your help!