Cisco IPS: Inline Vlan Pair

Inline Vlan Pair scenario
Traffic between Vlan 10 and Vlan 20 has to be inspected by the IPS. To achieve this while saving valuable IPS interfaces, inline VLAN pair mode is selected for this setup: a single IPS sensing interface, trunked to the layer 2 switch, bridges both VLAN pairs and inspects everything that crosses them.

Lab diagram: attacker in Vlan 10, victim in Vlan 20, the IPS and the layer 3 switch each trunked to the layer 2 switch.

Step by step explanation of how the traffic flows
Lab diagram with the numbered steps below

1. The attacker in Vlan 10 starts an attack on the victim in Vlan 20. The frame is addressed to the attacker's default gateway, but Vlan 10 is only allowed on the trunk to the IPS (FastEthernet0/23), so the layer 2 switch has nowhere to send it except into the IPS. It cannot reach the layer 3 switch directly.

2. If the traffic is benign, the IPS retags the frame from Vlan 10 to its paired Vlan 110 and sends it back out the same trunk. The layer 2 switch now forwards it on the uplink (FastEthernet0/24) to the layer 3 switch, which sees it arrive on Vlan 110. The IPS behaves like a transparent bridge between the two VLANs of a pair, so it is not a hop the hosts can see, and the actual VLANs of the attacker and the victim are unknown to the layer 3 switch.

3. The layer 3 switch routes the packet from the Vlan 110 SVI to the Vlan 120 SVI and sends it back down the uplink tagged Vlan 120. Vlan 120 is again only allowed on the trunk to the IPS, so the layer 2 switch is forced to send it into the IPS first.

4. If the traffic is still benign, the IPS retags it from Vlan 120 to Vlan 20 and the layer 2 switch delivers it to the victim's access port.

The inline vlan pair setup looks like this logically.


Inline vlan pair mode configuration

Layer 2 switch configuration

!
interface FastEthernet0/1
 description Attacker
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end
!
interface FastEthernet0/2
 description Victim
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
end
!
interface FastEthernet0/23
 description To IPS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,110,120
 switchport mode trunk
end
!
interface FastEthernet0/24
 description To Layer 3 switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 110,120
 switchport mode trunk
 switchport nonegotiate
end

It is important to configure the allowed VLANs on the trunk links. The switch interface that trunks to the IPS must allow every VLAN that belongs to a pair. In this scenario the IPS pairs Vlan 10 with Vlan 110 and Vlan 20 with Vlan 120, so FastEthernet0/23 allows 10, 20, 110 and 120.

The trunk between the layer 2 switch and the layer 3 switch must carry only Vlan 110 and Vlan 120; Vlan 10 and Vlan 20 are unknown to the layer 3 switch. This pruning is what forces the traffic through the IPS: the only bridge between Vlan 10 and Vlan 110 (and between 20 and 120) is the IPS sub-interface. A host VLAN that is allowed on the uplink, or an uplink left as an unpruned trunk (which by default carries every VLAN), would give traffic a path around the IPS.
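The pruning rules above can be checked mechanically. The following Python script is an added example for this post, not code from the original page or from Cisco. It parses the layer 2 switch port stanzas as pasted above together with an IPS inline VLAN pair stanza, and reports any path that lets a host VLAN reach the layer 3 switch without crossing the IPS. The IPS keywords (subinterface-type inline-vlan-pair, vlan1, vlan2) are as I recall them from the Cisco IPS CLI guide and should be confirmed against your release; the second switch config, with the uplink left unpruned, is a constructed mistake to show what a finding looks like.

```python
"""Audit an inline VLAN pair design for IPS bypass paths. Added example, not code
from the post or from Cisco. Checks that every pair VLAN is allowed towards the
IPS, that no host-side VLAN (vlan1) is allowed on the uplink to the layer 3 switch,
and that no access port sits in a switch-side VLAN (vlan2). Configs are constructed
sample input; IPS keywords are as recalled from the Cisco IPS CLI guide (assumption)."""
import re
ALL_VLANS = set(range(1, 4095))  # IOS default: an unpruned trunk passes every VLAN


def expand_vlans(spec: str) -> set:
    """Expand an IOS allowed-VLAN list such as '10,20,110-120'."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_ios_ports(config: str) -> dict:
    """Return {interface: {"mode": str, "vlans": set}} from IOS port stanzas."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = ports[m.group(1)] = {"mode": "", "vlans": set()}
        elif cur is None:
            continue
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            cur.update(mode="access", vlans={int(m.group(1))})
        elif m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line):
            cur.update(mode="trunk", vlans=expand_vlans(m.group(1)))
        elif m := re.match(r"switchport mode (access|trunk)$", line):
            cur["mode"] = m.group(1)  # IOS defaults apply only if no VLAN list was given
            cur["vlans"] = cur["vlans"] or ({1} if cur["mode"] == "access" else set(ALL_VLANS))
    return ports


def parse_ips_pairs(config: str) -> dict:
    """Return {subinterface: {"vlan1": n, "vlan2": n}} from an inline-vlan-pair stanza."""
    pairs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"subinterface (\d+)$", line):
            cur = pairs[int(m.group(1))] = {}
        elif cur is not None and (m := re.match(r"(vlan[12]) (\d+)$", line)):
            cur[m.group(1)] = int(m.group(2))
    return pairs


def audit(switch_cfg: str, ips_cfg: str, ips_port: str, uplink: str) -> list:
    """Return a list of findings; an empty list means no bypass path was found."""
    ports, pairs = parse_ios_ports(switch_cfg), parse_ips_pairs(ips_cfg)
    host_side = {p["vlan1"] for p in pairs.values()}    # VLANs the hosts live in
    switch_side = {p["vlan2"] for p in pairs.values()}  # VLANs the layer 3 switch sees
    findings = []
    if missing := sorted((host_side | switch_side) - ports[ips_port]["vlans"]):
        findings.append(f"{ips_port}: pair VLAN {missing} not allowed towards the IPS")
    if leak := sorted(host_side & ports[uplink]["vlans"]):
        findings.append(f"{uplink}: host VLAN {leak} reaches the layer 3 switch without crossing the IPS (bypass)")
    for name, p in ports.items():
        if p["mode"] == "access" and p["vlans"] & switch_side:
            findings.append(f"{name}: access port in switch-side VLAN {sorted(p['vlans'])} (bypass)")
        elif p["mode"] == "access" and not p["vlans"] & host_side:
            findings.append(f"{name}: access VLAN {sorted(p['vlans'])} is not inspected by any pair")
    return findings


# Constructed from the layer 2 switch config in the post (relevant lines only).
L2_SWITCH = """
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
interface FastEthernet0/23
 switchport trunk allowed vlan 10,20,110,120
 switchport mode trunk
interface FastEthernet0/24
 switchport trunk allowed vlan 110,120
 switchport mode trunk
"""
# Constructed mistake: same design, but the uplink was left unpruned.
L2_SWITCH_UNPRUNED = L2_SWITCH.replace(" switchport trunk allowed vlan 110,120\n", "")
# IPS side of the pairing (keyword syntax is an assumption, see docstring).
IPS_CFG = """
service interface
 physical-interfaces GigabitEthernet0/0
  subinterface-type inline-vlan-pair
   subinterface 1
    vlan1 10
    vlan2 110
   subinterface 2
    vlan1 20
    vlan2 120
"""

if __name__ == "__main__":
    print(audit(L2_SWITCH_UNPRUNED, IPS_CFG, "FastEthernet0/23", "FastEthernet0/24"))
```

For the config from the post, audit() returns an empty list. For the unpruned variant it reports that Vlan 10 and 20 reach the layer 3 switch over FastEthernet0/24 without crossing the IPS, which is exactly the bypass the allowed-VLAN list on the uplink prevents. The parser treats a trunk with no allowed list as carrying every VLAN, matching IOS behaviour, so forgetting the pruning line is caught rather than silently passed.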

Layer 3 switch configuration

!
interface Vlan110
 description Vlan 10 Attacker's Gateway
 ip address 192.168.10.254 255.255.255.0
end
!
interface Vlan120
 description Vlan 20 Victim's Gateway
 ip address 192.168.20.254 255.255.255.0
end
!
interface FastEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 110,120
 switchport mode trunk
 switchport nonegotiate
end

The attacker's default gateway is the Vlan 110 SVI address (192.168.10.254) and the victim's default gateway is the Vlan 120 SVI address (192.168.20.254). Neither host knows that its own VLAN is 10 or 20 on the switch side; from their point of view the gateway is simply on the local segment.

IPS configuration

Create two sub-interfaces on the IPS sensing interface. One sub-interface pairs Vlan 10 with Vlan 110 and represents the attacker's side; the other pairs Vlan 20 with Vlan 120 and represents the victim's side.


Create a virtual sensor (vs1) and assign the two sub-interfaces to vs1.


A virtual sensor is a set of active signatures and event action rules applied to a group of IPS interfaces; it has nothing to do with virtualization. Every interface assigned to vs1 is inspected with the same active signatures and rules.

You can add event action overrides that apply extra actions whenever a signature fires, based on the event's risk rating. The risk rating is bucketed into the HIGHRISK, MEDIUMRISK and LOWRISK categories (by default 90-100, 70-89 and 1-69), and you apply actions to these categories rather than to individual signatures.

You can adjust the risk rating thresholds. For HIGHRISK I have added the Deny Attacker Victim Pair Inline action: whenever an event with a high risk rating fires, further traffic between that attacker and victim pair is dropped inline.


The attacker and victim pair is logged in the denied attackers list, and the attacker cannot establish a connection to the victim until the entry ages out (the deny attacker duration, 3600 seconds by default) or I clear it from this list.


HIGHRISK attackers as shown in event monitoring.


This entry was posted in IDS/IPS, Security.

2 Responses to Cisco IPS: Inline Vlan Pair

  1. Usmaan Malik says:

    Thanks a lot.
    Beautifully explained.

  2. vel says:

    Hi,
    I have been trying for so long to understand how the traffic is forwarded to the IPS. Still confused though.
    You described that traffic is forcefully forwarded to the IPS. Can you elaborate on how that is achieved? When the attacker machine sends the traffic to a different subnet, doesn't it send it to its gateway, because the target is on a different subnet?

    I am trying to understand how the IPS takes over the flow.

    If the IPS device acts as the attacker's and victim's gateway then the traffic will go through the IPS as you described. Can you explain how the traffic is handed over to the IPS?

    BTW, this is what I have been looking for, except for the confusion. Thanks for your help!
