networking-forum.com
PostPosted: Fri May 25, 2012 10:16 am 

Joined: Mon Feb 08, 2010 9:30 am
Posts: 1182
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
Hello.

I have this doubt. It may sound stupid but here goes anyway.

If you have an Etherchannel link, two ports bundled, and on each link there is a piece of equipment like a web filter, which is transparent (layer 2 only), but this equipment has an admin IP to operate it. Is there a way to tell the switch that the traffic for a special VLAN does not go over the Etherchannel and is only sent over one of the bundled interfaces, so it is possible to access the web filter to administer it?

Thanks!


Last edited by Carlitos_30 on Fri May 25, 2012 12:49 pm, edited 1 time in total.

PostPosted: Fri May 25, 2012 10:32 am 

Joined: Thu Oct 14, 2010 4:39 am
Posts: 1007
Certs: CCNP (R&S, Security), ITILv3 Foundation
Perhaps with a logical subinterface? What equipment are you using to form the etherchannel?

PostPosted: Fri May 25, 2012 11:58 am 

Joined: Mon Feb 08, 2010 9:30 am
Posts: 1182
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
Cisco switches. The problem is that once the ports get bundled they act as only one port, so if you ping the web filter between the Etherchannel links, the traffic will not necessarily go over the desired link where the web filter is attached.

PostPosted: Fri May 25, 2012 2:01 pm 

Joined: Wed Sep 01, 2010 3:37 pm
Posts: 921
Location: Las Vegas, NV
Certs: Sec+, MCSE, MCITP:EA, CCNP
Won't you have the same problem with normal traffic, and only half of it will go to the web filter?

-Otanx

PostPosted: Fri May 25, 2012 2:59 pm 

Joined: Mon Feb 08, 2010 9:30 am
Posts: 1182
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
The problem is that if someone needs to administer the web filter remotely, and the web filter has no administration interface (this should be logical for a web filter in a scenario with Etherchannel), it would be possible to tell the switch that packets for VLAN x always go via interface y, with interface y being part of the Etherchannel bundle.

Edit: there is one webfilter per link.

PostPosted: Fri May 25, 2012 3:38 pm 

Joined: Fri Nov 13, 2009 5:15 pm
Posts: 2053
Location: Pittsburgh
Certs: CCIE R&S,CCIP,JNCIA,VCP510
So if I understand this right, these two interfaces go to a device similar to an IPS or IDS, where it's completely transparent and they can filter signatures, files, web stuff, etc., so they leave the one switch, go to this device, then out to the other switch? But your problem is that only one goes through this filtering device, right?

You can change the specific load balancing type for the etherchannel, but you aren't going to be able to tell it "for vlan x only use interface y" in the portchannel, if that is what you are trying to accomplish.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!
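
A small Python model of why that request cannot be expressed, added here as an illustration and not code from any poster or from Cisco: member-port selection hashes MAC or IP fields of each frame, and the VLAN tag is never one of the inputs. The XOR-of-low-order-bits scheme and the bit count per link count are a simplified assumption; the management IP 10.0.99.10 and the admin hosts are constructed sample values.

```python
"""Simplified model of EtherChannel member-port selection (added example).
Assumption: the switch XORs the chosen fields and keeps the low-order bits
(1 bit for 2 links, 2 for 4, 3 for 8); this mirrors the documented idea,
not any vendor's exact implementation."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Frame:
    vlan: int          # carried in the tag, but never hashed (see below)
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def select_member(frame: Frame, mode: str, members: int) -> int:
    """Index of the bundled port this frame would leave on.

    The VLAN is deliberately not consulted: that is why 'VLAN x always on
    interface y' cannot be configured on a port-channel."""
    bits = max(1, (members - 1).bit_length())   # 2 links -> 1 bit, 8 -> 3
    if mode == "src-mac":
        h = _mac_int(frame.src_mac)
    elif mode == "dst-mac":
        h = _mac_int(frame.dst_mac)
    elif mode == "src-dst-ip":
        h = _ip_int(frame.src_ip) ^ _ip_int(frame.dst_ip)
    else:
        raise ValueError(f"unknown load-balance mode {mode!r}")
    return (h & ((1 << bits) - 1)) % members


# Constructed sample: two admin workstations on management VLAN 99 talking
# to one web filter's (assumed) management IP 10.0.99.10.
ADMIN_FRAMES = [
    Frame(99, "00:11:22:33:44:01", "00:aa:bb:cc:dd:ee", "10.0.99.21", "10.0.99.10"),
    Frame(99, "00:11:22:33:44:02", "00:aa:bb:cc:dd:ee", "10.0.99.22", "10.0.99.10"),
]


def members_used(frames, mode: str, members: int = 2) -> list:
    """Which bundled ports a set of frames is spread over under one mode."""
    return sorted({select_member(f, mode, members) for f in frames})
```

With src-dst-ip or src-mac balancing the two admin hosts land on different members, so one of them always misses the filter it is trying to reach; dst-mac happens to put both on the same member, but that is a property of the filter's MAC, not of VLAN 99, and nothing guarantees it is the member the filter physically sits on.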
PostPosted: Fri May 25, 2012 4:19 pm 

Joined: Wed Sep 01, 2010 3:37 pm
Posts: 921
Location: Las Vegas, NV
Certs: Sec+, MCSE, MCITP:EA, CCNP
I can't think of any way to do it. The only ways I can come up with are either breaking the ether channel and splitting the load by vlan by modifying spanning-tree costs (ugly), or moving to two layer 3 links with a /29 each, then ECMP for load balancing.

Neither option is all that great. How about taking them out of line, and using WCCP? I guess it would depend on exactly what you are doing with the filter.

-Otanx

PostPosted: Fri May 25, 2012 4:46 pm 

Joined: Mon Feb 08, 2010 9:30 am
Posts: 1182
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
Thanks for your answers. It looks like this is not a common topology (too forced solutions).

Quote:
so if I understand this right these two interfaces go to a device similar to a IPS or IDS where its completely transparent and they can filter signatures,files web stuff etc etc so they leave the one switch go to this device then out to the other switch?


Yes, that's the point but one webfilter per link.

Quote:
or moving to two layer 3 links with a /29 each then ECMP for load balancing.


Sounds like a solution, but one switch is layer 2 only.


Here is the topology:

SwitchA fa0/1 -------Web filter-------fa0/1 SwitchB
..........fa0/2 -------Web filter-------fa0/2

I think either each web filter should have an administration interface to access the equipment, or a virtual IP address that the web filter can catch.

I have no big experience in the security stuff, but I thought this kind of topology could be very common, or does this kind of topology make no sense?

The idea behind is redundancy.

This question arose when troubleshooting a Panda appliance deployment. At first I configured an Etherchannel at the client's request, but I read the Panda documentation and the appliance doesn't support Etherchannel; it uses multicast to communicate with the slave appliance. So based on this experience, the problem I exposed came to my mind.

PostPosted: Fri May 25, 2012 10:22 pm 

Joined: Wed Sep 01, 2010 3:37 pm
Posts: 921
Location: Las Vegas, NV
Certs: Sec+, MCSE, MCITP:EA, CCNP
Do you need more than one link of bandwidth (can you move to 1G interfaces)? Instead of using an etherchannel, just run two links between the switches. Put all the vlans on both links. Let spanning-tree do its thing and block one. If one goes down the other will take over.

-Otanx

PostPosted: Fri May 25, 2012 10:44 pm 

Joined: Wed Sep 16, 2009 3:16 pm
Posts: 925
Location: Iowa
What is the web filter? Or is this just hypothetical?

PostPosted: Sat May 26, 2012 11:29 am 

Joined: Mon Feb 08, 2010 9:30 am
Posts: 1182
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
Hypothetical.

Thanks for your help. I think Etherchannel is not designed for this scenario.

PostPosted: Mon May 28, 2012 1:41 pm 

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2634
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
Yeah, seems to not line up with what Etherchannel was designed for at all.

Do these devices actually filter? Or just monitor? It seems like these devices would have no effective way to communicate on the network.

These devices can't work with a SPAN?

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
"The only time something is impossible is when you think it is." - Kevin Corbin, CCIE #11577

PostPosted: Mon May 28, 2012 3:12 pm 

Joined: Mon Feb 08, 2010 9:30 am
Posts: 1182
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
Filtering is the purpose.

PostPosted: Wed May 30, 2012 9:38 pm 

Joined: Mon Nov 16, 2009 8:10 pm
Posts: 2634
Location: San Diego, CA
Certs: CCNP, BCNE, Network+, Security+
This isn't Websense is it? :P

If so, it won't work. Our Network Agent requires a SPAN/port mirror; it's not an inline monitor/filter.

If it's not Websense, I couldn't tell you, but I wouldn't think it would work.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
"The only time something is impossible is when you think it is." - Kevin Corbin, CCIE #11577
