We have a customer who has a couple of Firepower AMP 8150s for IPS purposes (I know, they're EoS, but they have had them for a while and now they want to use them) and he's asking about the possibility of using these IPS devices with inline VLAN pairing (like an IPS-on-a-stick configuration) instead of the more common inline set topology. I was wondering if these IPS devices support this type of configuration and, if they do, what the best practices for HA design are in this type of scenario (I haven't found any good documentation for this). I attached a diagram of the proposed design.
Basically, the IPS devices are connected to a pair of Nexus 7K switches with vPC in trunk mode, allowing only the relevant VLANs. The firewalls are connected the same way to the pair of Nexus 7K switches, but in access mode on VLAN 20; also, the next hop for the server networks is the VIP of the firewall (10.10.10.254, for example). So the traffic flow should be like this:
When the N7K switches try to send traffic to the firewall (10.10.10.254), they send the ARP packets on VLAN 10; the IPS intercepts them and, with the VLAN pairing, sends them to VLAN 20; the firewalls get them on VLAN 20 and respond accordingly, and once the address resolution is done all traffic flows follow the same path. I've seen documentation and other threads here that say this is possible, but referring to other IPS devices like the 4000 series. I'm just not sure if the AMP 8150 supports this, how the HA would work, and what the best practices for it are (like STP considerations).
Inline VLAN pairing on NGIPS can be created using a switched interface and logical switched interfaces. Basically the physical interface needs to have Switched mode, and then logical switched interfaces with specific VLAN tags can be added.
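To make the re-tagging step concrete, here is an added example (not code from the thread or from Cisco) that models what an inline VLAN pair does to a frame: it parses the 802.1Q header, swaps the VLAN ID for its partner (10 to 20 and back, matching the topology in the question) while preserving the priority bits, and leaves the Ethernet payload untouched. The MAC and IP addresses, the pair table, and the ARP request are all constructed for illustration; a frame on a VLAN that is not in the pair table is returned as `None` here, whereas a real sensor's behaviour for such VLANs depends on its configuration.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q TPID
ETH_P_ARP = 0x0806

# Constructed pair table matching the thread: VLAN 10 <-> VLAN 20.
# The mapping is bidirectional, as an inline VLAN pair is.
VLAN_PAIRS = {10: 20, 20: 10}


def parse_8021q(frame: bytes):
    """Split a tagged frame into (dst, src, pcp, dei, vid, ethertype, payload)."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src = frame[0:6], frame[6:12]
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != ETH_P_8021Q:
        # Untagged frames (e.g. on the native VLAN) carry no VID to re-map.
        raise ValueError("untagged frame: inline VLAN pairing needs a tagged trunk")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    return dst, src, pcp, dei, vid, ethertype, frame[18:]


def build_8021q(dst, src, pcp, dei, vid, ethertype, payload) -> bytes:
    """Assemble a tagged Ethernet frame from its fields."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def inline_vlan_pair(frame: bytes, pairs=VLAN_PAIRS):
    """Re-tag a frame onto its partner VLAN; None if the VLAN is not paired."""
    dst, src, pcp, dei, vid, ethertype, payload = parse_8021q(frame)
    if vid not in pairs:
        return None
    # Only the VID changes: addresses, priority bits and payload are preserved.
    return build_8021q(dst, src, pcp, dei, pairs[vid], ethertype, payload)


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """ARP who-has request payload (RFC 826 layout, Ethernet/IPv4)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))  # noqa: E731
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + ip(sender_ip) \
        + b"\x00" * 6 + ip(target_ip)


def sample_gateway_arp_frame() -> bytes:
    """Constructed: the N7K SVI on VLAN 10 asking who has the firewall VIP."""
    n7k_mac = bytes.fromhex("0200000000aa")  # locally administered, constructed
    arp = build_arp_request(n7k_mac, "10.10.10.1", "10.10.10.254")
    return build_8021q(b"\xff" * 6, n7k_mac, 0, 0, 10, ETH_P_ARP, arp)


def frame_vid(frame: bytes) -> int:
    return parse_8021q(frame)[4]


if __name__ == "__main__":
    inbound = sample_gateway_arp_frame()
    outbound = inline_vlan_pair(inbound)
    print("ARP from VLAN", frame_vid(inbound), "forwarded on VLAN", frame_vid(outbound))
```

Running the block shows the gateway's ARP request entering on VLAN 10 and leaving on VLAN 20, which is the path the question describes; feeding the output back through the function returns it to VLAN 10, the reply direction. Because the model refuses untagged frames, it also makes the STP point visible: anything that arrives without a tag, such as BPDUs on the native VLAN, has no partner VLAN to be mapped to and must be handled by explicit configuration rather than by the pair.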