Example 3—Protected Flexible Inline, Two Collector Maps

Example 3 is similar to Example 2 but with protected inline networks.

Protected inline networks are based on the pairs of ports associated with the physical protection switches located on the bypass combo modules. Unlike the unprotected examples, you do not need to configure inline network ports because they are created automatically, and you do not need to configure inline networks because they are also created automatically on bypass combo modules. The aliases of the default inline networks are: default_inline_net_1_1_1 and default_inline_net_1_1_2.

For example, the inline tools can be Web Application Firewall (WAF), Intrusion Prevention System (IPS), Advanced Persistent Threat (APT).

The inline tool aliases are t0708 to t1516, based on ports x7 to x16.

Use the following steps to configure Example 3:

Step

Description

Command

Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 1/3/x7..x16 type inline-tool
(config) # port 1/3/x7..x16 params admin enable

Configure inline tools, specify that the inline tool is going to be shared by different sources, and enable them.

(config) # inline-tool alias t0708 pair tool-a 1/3/x7 and tool-b 1/3/x8
(config) # inline-tool alias t0708 shared true
(config) # inline-tool alias t0708 enable

(config) # inline-tool alias t0910 pair tool-a 1/3/x9 and tool-b 1/3/x10
(config) # inline-tool alias t0910 shared true
(config) # inline-tool alias t0910 enable

(config) # inline-tool alias t1112 pair tool-a 1/3/x11 and tool-b 1/3/x12
(config) # inline-tool alias t1112 shared true
(config) # inline-tool alias t1112 enable

(config) # inline-tool alias t1314 pair tool-a 1/3/x13 and tool-b 1/3/x14
(config) # inline-tool alias t1314 shared true
(config) # inline-tool alias t1314 enable

(config) # inline-tool alias t1516 pair tool-a 1/3/x15 and tool-b 1/3/x16
(config) # inline-tool alias t1516 shared true
(config) # inline-tool alias t1516 enable

Configure collector maps from inline networks to inline tools in both directions, add user-defined tags, and enable maps.

Note: The tag is optional. The default is auto, which automatically assigns tags.

(config) # map alias FLEX1
(config map alias FLEX1) # type flexInline collector
(config map alias FLEX1) # from default_inline_net_1_1_1
(config map alias FLEX1) # a-to-b t0708,t0910,t1112,t1314,t1516
(config map alias FLEX1) # b-to-a reverse
(config map alias FLEX1) # tag 100
(config map alias FLEX1) # enable
(config map alias FLEX1) # exit
(config) #

(config) # map alias FLEX2
(config map alias FLEX2) # type flexInline collector
(config map alias FLEX2) # from default_inline_net_1_1_2
(config map alias FLEX2) # a-to-b t0708,t1112
(config map alias FLEX2) # b-to-a reverse
(config map alias FLEX2) # tag 200
(config map alias FLEX2) # enable
(config map alias FLEX2) # exit
(config) #

Configure the path of the traffic to inline tools.

(config) # inline-network alias default_inline_net_1_1_1 traffic-path to-inline-tool

(config) # inline-network alias default_inline_net_1_1_2 traffic-path to-inline-tool

Disable physical bypass on the default inline networks.

(config) # inline-network alias default_inline_net_1_1_1 physical-bypass disable

(config) # inline-network alias default_inline_net_1_1_2 physical-bypass disable