Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1806
Views
0
Helpful
1
Replies

Firepower AMP 8150 Inline Vlan Pair mode

eric.ahernandez
Level 1
Level 1

‎02-28-2019 12:12 PM

Hi all,

 

We have a customer who has a couple of FirePower AMP 8150 for IPS purposes (I know, they're EoS but they have them for a while and now they wanna use them) and he's asking about the possibility of using these IPS using Inline vlan pairing (like an IPS on a stick configuration) instead of a more common Inline set mode topology. I was wondering if these IPS devices support this type of configuration and if it does, what are the best practices for HA design in this type of scenarios (I haven't found any good documentation for this). I attached a diagram of the proposed design.

 

Basically, IPS are connected to a pair of Nexus 7K switches with vPC in Trunk Mode, allowing only the relevant VLANs. Firewalls are connected the same way to the pair of Nexus 7K switches but in access mode on VLAN 20, also the next hop for the server networks is the VIP for the firewall (10,10.10.254 for example). So the traffic flow should be like this:

 

N7K Switches try to send traffic to firewall (10.10.10.254) sends the ARP packets on vlan 10, IPS intercepts them and with the Vlan pairing sends them to Vlan 20, Firewalls get them on Vlan 20 and respond accordingly and once the adress resolution is done all traffic flows follow the same path. I've seen documentation and other threads here that say this is possible but referencing to other IPS devices like the 4000 series, I'm just not sure if the AMP 8150 supports this and how the HA would work and the best practices for it (like STP considerations).

 

Thanks all.

Labels:
Preview file
52 KB
0 Helpful
1 Reply 1

Ilkin
Cisco Employee
Cisco Employee

‎03-08-2019 01:50 PM

Inline VLAN pairing on NGIPS can be created using a switched interface and logical switched interfaces.
Basically the physical interface needs to have Switched mode, and then logical switched interfaces with specific VLAN tags can be added.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card