Cisco IPS scenario three – Inline VLAN Pairs

OK, that was quite a break, and now it’s time to move on with the third part of the IPS sensor deployment saga: Inline VLAN Pairs. In the previous article we saw how to place an IPS sensor in Inline Interface Pair mode. In that article we spent two out of four IPS interfaces. In the first article, Promiscuous Mode, we spent one more. So we are left with just one interface, which can be placed only in promiscuous mode. The obvious flaw with those scenarios is that they consume interfaces, especially the Interface Pair scenario. We have only four and often need more. To solve this issue, Cisco came out with the third mode: Inline VLAN Pairs. OK, maybe this is not something Cisco invented, but let’s pretend they did.

In the previous article we had only one subnet, and to protect it we spent two out of four interfaces. If we wanted to protect another subnet, we would run out of interfaces. This is where the Inline VLAN Pairs deployment scenario comes into play. In the following diagram we are protecting two subnets with just one IPS interface. Moreover, we could protect more subnets with this single interface. So this deployment scenario saves us some valuable IPS interfaces.

A brief discussion of this scenario. We have a border router connected to the outside interface of an ASA appliance. The ASA’s GigabitEthernet0/2 interface is dedicated to DMZ segments. In this case we are using two separate DMZs, but we could have more with this type of setup. Please observe that the connection between the ASA and the switch is a trunk link (depicted as a dot-ended line). This link has to be a trunk because there are multiple subnets/VLANs involved. The FastEthernet0/8 switch port is connected to the IPS, again as a trunk port, for the same reason. FastEthernet0/1 and FastEthernet0/2 are ordinary access ports that connect to two ESX hosts. Although each DMZ server could be a separate physical machine assigned to the appropriate VLAN, in this scenario we are using virtualization. One ESX host could host one type of server, say web servers, and the other could host another type, database servers for instance.

Now comes the tricky part: on the trunk link between the ASA and the switch we must allow VLANs 103 and 119, but not VLANs 3 and 19. Why is this important? Because if we did allow VLANs 3 and 19, traffic from the Internet could go directly to one ESX host or the other, bypassing the IPS. So we allow VLANs 103 and 119 only. Now traffic from the Internet can only go to FastEthernet0/8, that is, to the IPS. The IPS inspects the traffic arriving on VLAN 103 or 119, “swaps” the VLAN tag from 103 or 119 to 3 or 19, and sends the traffic back out on the trunk link. Because the IPS receives traffic on VLANs 103 and 119 but sends it on VLANs 3 and 19, all four VLANs must be allowed on this trunk link. When the traffic then hits the switch on VLAN 3 or 19, the switch forwards it to the appropriate ports belonging to those VLANs.

I hope you could follow the traffic path.

It’s time for some setup. First, the ASA:

!
interface GigabitEthernet0/2
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.103
description DMZ1
vlan 103
nameif DMZ1
security-level 50
ip address 192.168.3.254 255.255.255.0 standby 192.168.3.253
!
interface GigabitEthernet0/2.119
vlan 119
nameif DMZ191
security-level 0
ip address 10.1.19.14 255.255.255.240 standby 10.1.19.13
!

The switch configuration is also straightforward:

!
interface FastEthernet0/1
description DMZ - 192.168.3.0/24
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
description DMZ - 10.1.19.0/28
switchport access vlan 19
switchport mode access
spanning-tree portfast
!
! ...
!
interface FastEthernet0/7
description ASA DMZ Trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 103,119
switchport mode trunk
speed 100
duplex full
spanning-tree portfast trunk
!
interface FastEthernet0/8
description IPS Trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 3,19,103,119
switchport mode trunk
speed 100
duplex full
spanning-tree portfast trunk
!
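To make the bypass condition from the traffic-path discussion checkable rather than eyeballed, here is an added example (not part of the original post) that parses the relevant lines of the switch configuration above and audits the two trunks against the IPS VLAN pairs. It assumes the pairs are written as an ASA-side to server-side mapping and that FastEthernet0/7 and FastEthernet0/8 are the ASA and IPS trunks, as in the post.

```python
import re

# Constructed copy of the post's switch config, reduced to the lines the audit needs.
SWITCH_CONFIG = """
interface FastEthernet0/1
 switchport access vlan 3
interface FastEthernet0/2
 switchport access vlan 19
interface FastEthernet0/7
 switchport trunk allowed vlan 103,119
interface FastEthernet0/8
 switchport trunk allowed vlan 3,19,103,119
"""

# Inline VLAN pairs on the IPS, written as ASA-side VLAN -> server-side VLAN.
VLAN_PAIRS = {103: 3, 119: 19}

def parse_ports(config):
    """Return {port: set(vlans)} covering access VLANs and trunk allowed lists."""
    ports, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            ports[current] = set()
        elif m := re.match(r"switchport access vlan (\d+)", line):
            ports[current].add(int(m.group(1)))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,]+)", line):
            ports[current] |= {int(v) for v in m.group(1).split(",")}
    return ports

def audit(ports, pairs, asa_trunk="FastEthernet0/7", ips_trunk="FastEthernet0/8"):
    """Return findings; an empty list means every DMZ flow has to cross the IPS."""
    findings = []
    access_vlans = {v for p, vs in ports.items()
                    if p not in (asa_trunk, ips_trunk) for v in vs}
    # A server-side VLAN on the ASA trunk is the bypass the post warns about.
    for v in sorted(set(pairs.values()) & ports[asa_trunk]):
        findings.append(f"VLAN {v} allowed on {asa_trunk}: traffic bypasses the IPS")
    for asa_vlan, srv_vlan in pairs.items():
        # Both halves of a pair must ride the IPS trunk or the swap goes nowhere.
        for v in (asa_vlan, srv_vlan):
            if v not in ports[ips_trunk]:
                findings.append(f"VLAN {v} missing from {ips_trunk}: pair {asa_vlan}/{srv_vlan} is broken")
        if asa_vlan not in ports[asa_trunk]:
            findings.append(f"VLAN {asa_vlan} missing from {asa_trunk}: ASA cannot reach the IPS")
        if srv_vlan not in access_vlans:
            findings.append(f"VLAN {srv_vlan} has no access port: inspected traffic has nowhere to go")
    return findings
```

Running `audit(parse_ports(SWITCH_CONFIG), VLAN_PAIRS)` on the post's configuration returns no findings; adding VLAN 3 to the allowed list on FastEthernet0/7 produces the bypass finding.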

And now the real fun – the IPS…

Enable an interface. Because we now have solid experience with the IPS, we know how to do this. We’ll use GigabitEthernet0/0.

Create VLAN pairs:

  • 1 – Subinterface Number is an arbitrary number in some range (I guess 1-255)
  • 2 – VLAN A gets swapped with VLAN B
  • 3 – VLAN B gets swapped with VLAN A

The same goes for the other VLAN pair, VLAN 3 and VLAN 103.

Now we set up a virtual sensor. We need to assign the just-created VLAN pairs to a virtual sensor, vs0 in this case. We also need to assign a signature definition (sig0), event action rules (rules0) and an anomaly detection policy (ad0) to the sensor.

Now the only thing left is to tune some sigs and verify that this scenario is working, but we already know how to do that 🙂

This entry was posted in Cisco, IPS.

3 Responses to Cisco IPS scenario three – Inline VLAN Pairs

1. ie 3107 says:

   Great post. Helps me a lot. Thanks.

2. li wang says:

   How is the gi0/0 (vlan 119) on the ASA connected to the switch?

   • Sasa says:

     Good point! VLAN119 should be connected to the switch the same way VLAN103 is, through the trunk link across g0/2. The config is right, but there is a mistake on the diagram. Thanks.
