Go L@CP Yourself!

Be warned, this is a silly post!

Some other folks and I have been mulling over how to shoehorn some IPS into some network gear. At one point we half-jokingly said “well, let's just port-channel through the IPS to ourselves!” I won’t go into the details, but effectively there is a requirement to ensure that an IPS lives between every tier in a data center. So how would one do that? Well… firstly you would probably have some very small subnets/VLANs, /25s or /26s per tier or app. The SVIs for these subnets would have to live in something like a VDC or in a separate VRF; you could then put the IPS in between the VDCs/VRFs, thereby forcing everything to traverse it. In a VDC this is pretty simple and we’ve been doing stuff like this for years, but what if a VDC isn’t an option? How could you do that? Well, if you had a bunch of switches, you could trunk between switches and stuff your IPS in between them… but what if you hypothetically had a single switch? Chaos ensues, of course!

So basically we ran into this hypothetical scenario and said we could just port-channel to ourselves through the IPS. We talked about this and thought it would never work: the LACP system ID would be the same on both ends of the port-channel, which, you would think, would break the port-channel… turns out it actually works though! I tested this on my 3560CX at home just for giggles and got the following results:

Group  Port-channel  Protocol    Ports
5      Po5(SU)         LACP      Gi0/7(P)
6      Po6(SU)         LACP      Gi0/8(P)

Carls_3560CX#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

                 Gig 0/7           171              S I   WS-C3560C Gig 0/8
                 Gig 0/8           171              S I   WS-C3560C Gig 0/7

interface GigabitEthernet0/7
 switchport trunk allowed vlan 666
 switchport mode trunk
 channel-group 5 mode active

Carls_3560CX#sh run int po5
Building configuration...
Current configuration : 89 bytes
interface Port-channel5
 switchport trunk allowed vlan 666
 switchport mode trunk
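The CDP table above is the tell-tale for this kind of setup: each of the two uplinks reports the other as its neighbour on the same platform. The script below is an added example, not code from the original post, that parses the brief `show cdp neighbors` table and the `show etherchannel summary` table and flags any local interface pair that sees the other as its peer, reporting which port-channel (and protocol) each side belongs to. The sample text is constructed to mirror the 3560CX session in the post; the Device ID column (blank in the post) is filled in with the switch hostname, and the third, ordinary neighbour row is an assumption added to show a non-hairpin entry is left alone. The helper names (`parse_cdp`, `parse_etherchannel`, `find_hairpins`, `report`) are this example's own.

```python
"""Spot hairpinned (self-peered) links in Cisco IOS 'show cdp neighbors' output.

Added example, not from the original post. A port-channel built through an
inline device back to the same switch shows up in CDP as two rows whose
Local Intrfce / Port ID columns mirror each other; that is what is detected.
"""
import re
from typing import Dict, List, Tuple

# Interface token as IOS prints it: "Gig 0/7", "GigabitEthernet0/7" or "Gi0/7".
IFACE = r"[A-Za-z][A-Za-z-]* ?\d[\d/.]*"

# One data row of 'show cdp neighbors'; the Device ID column may be blank.
CDP_ROW = re.compile(
    r"^\s*(?P<device>\S*)\s+"
    r"(?P<local>" + IFACE + r")\s+"
    r"(?P<hold>\d+)\s+"
    r"(?P<caps>[A-Za-z](?: [A-Za-z])*)\s+"
    r"(?P<platform>\S+)\s+"
    r"(?P<remote>" + IFACE + r")\s*$"
)

# One data row of 'show etherchannel summary', e.g. "5  Po5(SU)  LACP  Gi0/7(P)".
ETHERCHANNEL_ROW = re.compile(
    r"^\s*(?P<group>\d+)\s+(?P<po>Po\d+)\((?P<flags>[A-Za-z]+)\)\s+"
    r"(?P<protocol>\S+)\s+(?P<members>.+?)\s*$"
)

# Constructed sample modelled on the post's session. The Device ID column and
# the core-sw1 row are assumptions; the post itself left Device ID blank.
CDP_SAMPLE = """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

Carls_3560CX     Gig 0/7           171              S I   WS-C3560C Gig 0/8
Carls_3560CX     Gig 0/8           171              S I   WS-C3560C Gig 0/7
core-sw1         Gig 0/1           154              S I   WS-C3560C Gig 0/12
"""

ETHERCHANNEL_SAMPLE = """\
Group  Port-channel  Protocol    Ports
5      Po5(SU)         LACP      Gi0/7(P)
6      Po6(SU)         LACP      Gi0/8(P)
"""


def normalize_iface(name: str) -> str:
    """Collapse 'Gig 0/7', 'GigabitEthernet0/7' and 'Gi0/7' to 'Gi0/7'."""
    m = re.match(r"([A-Za-z][A-Za-z-]*)\s*(\d[\d/.]*)", name)
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    return m.group(1)[:2].capitalize() + m.group(2)


def parse_cdp(text: str) -> List[Dict[str, str]]:
    """Return one dict per neighbour row, with both interface names normalized."""
    rows = []
    for line in text.splitlines():
        m = CDP_ROW.match(line)
        if m:
            rows.append({
                "device": m.group("device"),
                "local": normalize_iface(m.group("local")),
                "remote": normalize_iface(m.group("remote")),
                "platform": m.group("platform"),
            })
    return rows


def parse_etherchannel(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each member interface to (port-channel, protocol)."""
    membership: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ETHERCHANNEL_ROW.match(line)
        if not m:
            continue
        for member in m.group("members").split():
            iface = normalize_iface(re.sub(r"\(.*\)$", "", member))  # drop "(P)"
            membership[iface] = (m.group("po"), m.group("protocol"))
    return membership


def find_hairpins(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs (a, b) where a's neighbour port is b and b's neighbour port is a."""
    peer_of = {r["local"]: r["remote"] for r in rows}
    pairs = set()
    for local, remote in peer_of.items():
        if remote != local and peer_of.get(remote) == local:
            pairs.add(tuple(sorted((local, remote))))
    return sorted(pairs)


def report(cdp_text: str, etherchannel_text: str) -> List[str]:
    """One line per hairpin, with each side's channel-group membership."""
    membership = parse_etherchannel(etherchannel_text)
    out = []
    for a, b in find_hairpins(parse_cdp(cdp_text)):
        po_a = membership.get(a, ("none", "-"))
        po_b = membership.get(b, ("none", "-"))
        out.append(f"hairpin {a} <-> {b}: {a} in {po_a[0]} ({po_a[1]}), "
                   f"{b} in {po_b[0]} ({po_b[1]})")
    return out


if __name__ == "__main__":
    for line in report(CDP_SAMPLE, ETHERCHANNEL_SAMPLE):
        print(line)
```

On the post's output this prints one line, `hairpin Gi0/7 <-> Gi0/8: Gi0/7 in Po5 (LACP), Gi0/8 in Po6 (LACP)`, while the ordinary neighbour on Gi0/1 is ignored because nothing on the switch reports Gi0/1 as its peer. Run against a real `show cdp neighbors` dump it gives a quick audit for links that loop back to the box, whether they were cabled through an inline appliance on purpose or by accident.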

Again, silly post; obviously I'm not recommending you do this! I did think it was funny enough to share though 🙂 I kind of want to go test it out on the ACI lab now out of morbid curiosity! A packet capture on that link may be interesting too… I still feel like this shouldn’t work, but I guess it does!

2 thoughts on “Go L@CP Yourself!”

  1. Hi, funny I should see this mentioned.. I have done something similar but with Juniper EX switches. We had a 6500 core but it was limited to only 16 (I think) VLAN translations on the 10G module ports, so we instead did it on the EX switches.

    The VLAN translations enabled us to trunk through the IPS and inspect on a per VLAN basis.

    – The EX switches were in a stack (virtual-chassis)
    – Pair of IPSs for redundancy
    – Port-channel 1 (Aggregated Ethernet ae1) was made of two links, one to the inside interface of each IPS
    – Port-channel 2 (ae2) was the same but to the outside interface of each
    – LACPDUs allowed active/standby IPS and automatic fail-over in the event of an issue through the units

    For the JUNOS people who're curious, the config is quite strange for VLAN translation trunks – one end is an access port. But the EX can do 4000 VLAN translations so we were happy 🙂

    As network people though we were very unhappy about the idea of L2 topology being bastardised through non network kit, so I’m happy we’re moving to SourceFire 🙂

    • Hah! That's awesome/timely/funny! So did you have the 6500 basically trunk out VL10, and on the other side the EX translated it to VL1000 or something?
