We have a customer who has a couple of FirePower AMP 8150s for IPS purposes (I know, they're EoS, but they've had them for a while and now they want to use them), and he's asking about the possibility of using these IPSs with inline VLAN pairing (like an IPS-on-a-stick configuration) instead of the more common inline set mode topology. I was wondering if these IPS devices support this type of configuration and, if they do, what the best practices for HA design are in this type of scenario (I haven't found any good documentation for this). I attached a diagram of the proposed design.
Basically, the IPSs are connected to a pair of Nexus 7K switches with vPC in trunk mode, allowing only the relevant VLANs. The firewalls are connected the same way to the pair of Nexus 7K switches but in access mode on VLAN 20, and the next hop for the server networks is the VIP of the firewall (10.10.10.254, for example). So the traffic flow should be like this:
When the N7K switches try to send traffic to the firewall (10.10.10.254), they send the ARP packets on VLAN 10; the IPS intercepts them and, with the VLAN pairing, sends them to VLAN 20; the firewalls get them on VLAN 20 and respond accordingly, and once the address resolution is done all traffic flows follow the same path. I've seen documentation and other threads here that say this is possible, but they refer to other IPS devices like the 4000 series. I'm just not sure if the AMP 8150 supports this, how the HA would work, and what the best practices for it are (like STP considerations).
Inline VLAN pairing on NGIPS can be created using a switched interface and logical switched interfaces. Basically the physical interface needs to have Switched mode, and then logical switched interfaces with specific VLAN tags can be added.
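To make the mechanism in that answer concrete, here is a small added model of an inline VLAN pair on one switched (trunk) interface. It is illustration code written for this thread, not Cisco Firepower code: an 802.1Q frame arriving on one VLAN of the pair is parsed, handed to an inspection callback, and, if allowed, re-tagged with the partner VLAN and returned for transmission out the same physical port, so the ARP request from the question moves from VLAN 10 to VLAN 20 and the reply moves back. The VLAN IDs, MAC addresses, the ARP payloads and the toy inspection policy (`allow_arp_and_ipv4`) are constructed sample values, and the class and function names are this example's own.

```python
"""Toy model of inline VLAN pairing on a single switched (trunk) interface.
Added illustration, not Cisco Firepower code: a frame arriving tagged with
one VLAN of the pair is inspected and, if allowed, re-tagged with the other
VLAN and sent back out the same physical port. VLAN IDs, MACs and the ARP
payloads below are constructed sample values."""
import struct

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Build an 802.1Q-tagged frame: dst MAC, src MAC, TPID, TCI, ethertype, payload."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def vlan_id(frame):
    """Return the VLAN ID of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry a tag and an inner ethertype")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETHERTYPE_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def inner_ethertype(frame):
    """Ethertype that follows the 802.1Q tag (assumes the frame is tagged)."""
    (et,) = struct.unpack("!H", frame[16:18])
    return et


class InlineVlanPair:
    """One logical inline pair on a switched interface: traffic on vlan_a is
    handed to vlan_b and vice versa once the inspection callback allows it."""

    def __init__(self, vlan_a, vlan_b, inspect=lambda frame: True):
        self.peer = {vlan_a: vlan_b, vlan_b: vlan_a}
        self.inspect = inspect

    def process(self, frame):
        """Return the re-tagged frame to transmit, or None if it is not forwarded
        (untagged, not a member of this pair, or dropped by inspection)."""
        vid = vlan_id(frame)
        if vid is None or vid not in self.peer:
            return None
        if not self.inspect(frame):
            return None  # IPS verdict: drop
        (tci,) = struct.unpack("!H", frame[14:16])
        new_tci = (tci & 0xF000) | self.peer[vid]  # keep PCP/DEI bits, swap the VID
        return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def allow_arp_and_ipv4(frame):
    """Toy inspection policy (constructed): only ARP and IPv4 cross the pair."""
    return inner_ethertype(frame) in (ETHERTYPE_ARP, ETHERTYPE_IPV4)


def demo_arp_walk():
    """Replay the ARP exchange from the question: the N7K asks for 10.10.10.254
    on VLAN 10, the pair moves it to VLAN 20, the firewall replies on VLAN 20
    and the reply comes back on VLAN 10. Returns (request VLAN out,
    reply VLAN out, payload-unchanged flag)."""
    pair = InlineVlanPair(10, 20, inspect=allow_arp_and_ipv4)
    broadcast = b"\xff" * 6
    n7k_mac = bytes.fromhex("0000aa000001")  # constructed
    fw_mac = bytes.fromhex("0000bb000001")   # constructed
    # ARP request: who-has 10.10.10.254 tell 10.10.10.1
    arp_request = (b"\x00\x01\x08\x00\x06\x04\x00\x01" + n7k_mac + bytes([10, 10, 10, 1])
                   + b"\x00" * 6 + bytes([10, 10, 10, 254]))
    req_in = build_tagged_frame(broadcast, n7k_mac, 10, ETHERTYPE_ARP, arp_request)
    req_out = pair.process(req_in)
    # ARP reply: 10.10.10.254 is-at fw_mac, unicast back to the N7K
    arp_reply = (b"\x00\x01\x08\x00\x06\x04\x00\x02" + fw_mac + bytes([10, 10, 10, 254])
                 + n7k_mac + bytes([10, 10, 10, 1]))
    rep_in = build_tagged_frame(n7k_mac, fw_mac, 20, ETHERTYPE_ARP, arp_reply)
    rep_out = pair.process(rep_in)
    return vlan_id(req_out), vlan_id(rep_out), req_out[16:] == req_in[16:]


if __name__ == "__main__":
    print(demo_arp_walk())  # (20, 10, True)
```

The point to notice is that nothing but the VID changes: the frame leaves on the same trunk it arrived on, which is why the switch side must carry both VLANs on that trunk and why only tagged frames that belong to a configured pair are forwarded at all (untagged frames and other VLANs fall through to `None` here).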