Switch – Can a VLAN bridge be used to replace a bypass switch with an IPS device

Tags: security, spanning tree, switch, vlan

I am wondering if it's possible to set up a way to remove the need for a bypass switch when using an IPS device. To summarize, I would have an IPS device acting as a virtual wire on a connection I'm monitoring. I also have a bypass switch to do this so that if the IPS fails, the network connection will bypass the IPS device and maintain the connection (I am aware of the security concerns with failing open).

By VLAN bridge, I mean 2 access ports in 2 different VLANs that are physically connected. So, my thought was to have the IPS device act as that physical wire between the 2 access ports. In addition, if I had another loop between 2 different access ports with a higher STP cost, I should effectively have a bypass (if the IPS went down, STP would take care of the bypass by switching to the other loop). The idea in general works when my loops are between 2 different switches.

However, I had some trouble getting this to work on a single switch. I was testing this with 2 computers in the 2 different VLANs pinging each other. So, it's possible I'm just having some ARP problems, and this would work if I can get around that, but I'm not sure yet.

Is this too crazy of an idea to ever work, or am I just missing something?

Best Answer

I don't believe this will be possible on one single switch. The reason is that you are relying on STP to catch a link failure, but to go back-to-back on a single switch, you would have to suspend normal STP operation by either BPDU filtering or something similar.