We have a customer who has a couple of FirePower AMP 8150 for IPS purposes (I know, they're EoS, but they've had them for a while and now they want to use them), and he's asking about the possibility of using these IPS with inline VLAN pairing (like an IPS-on-a-stick configuration) instead of the more common inline set topology. I was wondering if these IPS devices support this type of configuration and, if they do, what the best practices for HA design are in this type of scenario (I haven't found any good documentation for this). I attached a diagram of the proposed design.
Basically, the IPS are connected to a pair of Nexus 7K switches with vPC in trunk mode, allowing only the relevant VLANs. The firewalls are connected the same way to the pair of Nexus 7K switches but in access mode on VLAN 20, and the next hop for the server networks is the VIP of the firewall (10.10.10.254, for example). So the traffic flow should be like this:
The N7K switches, trying to send traffic to the firewall (10.10.10.254), send the ARP packets on VLAN 10; the IPS intercepts them and, through the VLAN pairing, forwards them on VLAN 20; the firewalls receive them on VLAN 20 and respond accordingly, and once address resolution is done all traffic flows follow the same path. I've seen documentation and other threads here that say this is possible, but referring to other IPS devices like the 4000 series. I'm just not sure if the AMP 8150 supports this, how the HA would work, and what the best practices for it are (like STP considerations).
Inline VLAN pairing on NGIPS can be created using a switched interface and logical switched interfaces. Basically, the physical interface needs to be in switched mode, and then logical switched interfaces with specific VLAN tags can be added.
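As an added illustration that is not part of this thread and not Cisco code, the Python below models what an inline VLAN pair does to the ARP exchange described in the question: a frame arriving on one member of a pair is inspected and, if allowed, re-transmitted with its 802.1Q tag rewritten to the peer VLAN, with PCP/DEI bits and the rest of the frame left untouched, while frames on VLANs that belong to no pair are not forwarded. The MAC addresses, IPs and the "VIP guard" inspection policy (block an ARP reply claiming the firewall VIP from a MAC other than the firewall's) are constructed assumptions for the example, not a feature of the 8150.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes(int(b, 16) for b in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_frame(src_mac, dst_mac, vid, sender_ip, target_ip, opcode=1):
    """Constructed 802.1Q-tagged ARP frame (opcode 1 = request, 2 = reply)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)      # PCP/DEI = 0
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)     # Ethernet / IPv4
    arp += mac_bytes(src_mac) + ip_bytes(sender_ip)
    arp += (mac_bytes(dst_mac) if opcode == 2 else b"\x00" * 6) + ip_bytes(target_ip)
    return eth + tag + struct.pack("!H", ETHERTYPE_ARP) + arp


def vlan_of(frame: bytes):
    """VLAN ID of a tagged frame, or None when the frame carries no 802.1Q tag."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def make_vip_guard(vip: str, expected_mac: str):
    """Assumed inspection policy: an ARP reply whose sender IP is the firewall VIP
    must carry the firewall's MAC as sender hardware address, else it is blocked."""
    vip_b, mac_b = ip_bytes(vip), mac_bytes(expected_mac)

    def inspect(frame: bytes) -> bool:
        if len(frame) < 46 or struct.unpack("!H", frame[16:18])[0] != ETHERTYPE_ARP:
            return True                     # non-ARP traffic is outside this policy
        opcode = struct.unpack("!H", frame[24:26])[0]
        sender_mac, sender_ip = frame[26:32], frame[32:36]
        return not (opcode == 2 and sender_ip == vip_b and sender_mac != mac_b)

    return inspect


class InlineVlanPairSensor:
    """One switched interface with logical VLAN pairs, e.g. [(10, 20)]."""

    def __init__(self, pairs, inspect=None):
        self.peer = {}
        for a, b in pairs:
            if a == b or a in self.peer or b in self.peer:
                raise ValueError(f"VLAN {a}/{b} already paired")
            self.peer[a], self.peer[b] = b, a
        self.inspect = inspect or (lambda frame: True)
        self.stats = {"forwarded": 0, "no_pair": 0, "blocked": 0}

    def process(self, frame: bytes):
        """Return the frame re-tagged to the peer VLAN, or None if not forwarded."""
        vid = vlan_of(frame)
        if vid is None or vid not in self.peer:
            self.stats["no_pair"] += 1      # untagged or VLAN without a pair
            return None
        if not self.inspect(frame):
            self.stats["blocked"] += 1      # inspection verdict: drop
            return None
        tci = struct.unpack("!H", frame[14:16])[0]
        new_tci = (tci & 0xF000) | self.peer[vid]   # keep PCP/DEI, swap VID
        self.stats["forwarded"] += 1
        return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def demo():
    """ARP exchange from the question: N7K on VLAN 10, firewalls on VLAN 20."""
    n7k_mac, fw_mac = "00:bb:00:00:00:01", "00:aa:00:00:00:01"   # constructed
    sensor = InlineVlanPairSensor([(10, 20)],
                                  inspect=make_vip_guard("10.10.10.254", fw_mac))
    req = build_arp_frame(n7k_mac, "ff:ff:ff:ff:ff:ff", 10, "10.10.10.1", "10.10.10.254")
    out_req = sensor.process(req)           # carried to VLAN 20 toward the firewalls
    rep = build_arp_frame(fw_mac, n7k_mac, 20, "10.10.10.254", "10.10.10.1", opcode=2)
    out_rep = sensor.process(rep)           # carried back to VLAN 10
    bad = build_arp_frame("00:cc:00:00:00:99", n7k_mac, 20, "10.10.10.254", "10.10.10.1", opcode=2)
    out_bad = sensor.process(bad)           # VIP claimed by a foreign MAC: blocked
    stray = build_arp_frame(n7k_mac, "ff:ff:ff:ff:ff:ff", 30, "10.10.30.1", "10.10.30.254")
    out_stray = sensor.process(stray)       # VLAN 30 has no pair: not forwarded
    return {"request_vlan": vlan_of(out_req), "reply_vlan": vlan_of(out_rep),
            "spoofed_blocked": out_bad is None, "stray_forwarded": out_stray is not None,
            "stats": dict(sensor.stats)}


if __name__ == "__main__":
    print(demo())
```

The model only rewrites the VID field of the tag, which is why the allowed-VLAN list on the N7K trunk matters: anything outside a configured pair simply has nowhere to go on the sensor.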