[c-nsp] Bridging 2 Vlans on a 2950 switch with a security appliance
C. Jon Larsen
jlarsen at richweb.com
Sun Jun 5 12:35:07 EDT 2005
Thanks Christian and others for the suggestions. It took me some time to
get a maint window scheduled, but I have it working now.
"switchport mode access" indeed seemed to be the key.
I was able to take 2 different vlans and bridge them using the IPS device
when I had switchport mode access on each of the ports on either side of
the device. I also turned off cdp on those 2 ports to get rid of some log
messages the 2950 was logging.
Here is the config:
! defaults I did not change:
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
! here are the 2 ports that are in different vlans,
! and the IPS device bridges them internally using a kernel compiled with
! firewalling + transparent bridging
! (it's a debian box that I don't have root on so I can only watch it boot
! and guess from the messages)
interface FastEthernet0/2
description perimeter IPS - outside nic
switchport mode access
load-interval 30
no cdp enable
spanning-tree portfast
interface FastEthernet0/10
description perimeter IPS - inside nic
switchport access vlan 2
switchport mode access
load-interval 30
no cdp enable
spanning-tree portfast
!
Thanks again,
-jon
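As an added audit check (not part of Jon's post or the 2950 config itself), this Python script parses IOS-style interface stanzas and verifies that a pair of IPS-facing ports carries the settings the post found necessary: access mode on both sides, CDP off, portfast set, and the two ports in different VLANs. The sample config is reconstructed from the two stanzas above; the VLAN-1 default for a port with no "switchport access vlan" line is the IOS default, and the interface names passed in are assumed by the caller.

```python
import re
# Constructed sample: just the two IPS-facing ports from the post (not the full running-config).
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 description perimeter IPS - outside nic
 switchport mode access
 no cdp enable
 spanning-tree portfast
interface FastEthernet0/10
 description perimeter IPS - inside nic
 switchport access vlan 2
 switchport mode access
 no cdp enable
 spanning-tree portfast
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its stripped config lines (comments dropped)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line and not line.startswith("!"):
            interfaces[current].append(line)
    return interfaces

def access_vlan(lines):
    """Access VLAN of a port; IOS leaves a port in VLAN 1 when no 'switchport access vlan' is set."""
    for line in lines:
        if (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            return int(m.group(1))
    return 1

def audit_bridge_pair(config, outside, inside):
    """Return a list of findings for the two IPS ports; empty means they match the working config."""
    ifaces = parse_interfaces(config)
    findings = []
    for name in (outside, inside):
        lines = ifaces.get(name, [])  # a missing interface simply fails every check
        if "switchport mode access" not in lines:
            findings.append(f"{name}: missing 'switchport mode access' (the key setting)")
        if "no cdp enable" not in lines:
            findings.append(f"{name}: CDP still enabled; expect CDP log noise on the 2950")
        if "spanning-tree portfast" not in lines:
            findings.append(f"{name}: spanning-tree portfast not set")
    if all(n in ifaces for n in (outside, inside)) and access_vlan(ifaces[outside]) == access_vlan(ifaces[inside]):
        findings.append("both ports are in the same VLAN, so the IPS is not bridging two VLANs")
    return findings
```

Run it against `show running-config` output saved to a file to confirm the pair before and after a maintenance window.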