Beginner

IPS Inline Interface Mode - Can you use a port-channel?

Hi,

I'm trying to determine if you can have a 2-gig Layer-3 Port-channel going through an IPS 4260 appliance. See attached diagram. Is this possible?

The client I'm working with would prefer not to break this Port-channel into equal-cost 1-gig links (I don't think there will be any performance difference...) However I'm thinking if they want the appliance inline like the diagram shows - they will need to break the port-channel. Is that a correct assumption?

Thanks,

Brad

5 REPLIES
Cisco Employee

Re: IPS Inline Interface Mode - Can you use a port-channel?

Yes this is possible.

It will require 2 InLine Interface Pairs on the sensor and both pairs should be added into the same Virtual Sensor.

The 4260 will not be aware that etherchannels are used on both sides, and does not need to be aware.

This may, however, require manual enablement of the etherchannels.

Also keep in mind that the performance in this setup will be limited to what the IPS-4260 is able to perform with that traffic.

If the IPS is only able to monitor 1 Gbps (which is its rating for Transactional traffic tests), then having the 2 InLine Interface Pairs will not give them any more performance than a single pair would.

If the IPS is able to monitor more than 1Gbps of their traffic (it is rated at 2Gbps for Media Rich tests), then the additional pair will allow the sensor to get to the above 1 Gbps monitoring.

If the 4260 is not able to keep with the traffic, then an upgrade to a 4270 using the same deployment setup may be necessary.

NOTE: This also assumes that only the left or right path is actively passing traffic at any one time. If both paths are passing traffic, then asymmetric traffic patterns can result. If asymmetric traffic is seen, then another deployment should be considered, or special configuration be placed on the sensors.

NOTE: This setup only works when a single sensor is used within the etherchannel. (1 sensor on each etherchannel, 2 sensors in your diagram because you have 2 etherchannels).

You can not place 2 sensors in the same etherchannel (would mean 4 sensors in your diagram).

This is because the balancing being done from the lower switch can not be guaranteed to match that being done from the top switch. A mismatch in balancing could lead to asymmetric patterns.

With a single sensor, the same virtual sensor sees all traffic regardless of which interface the packet comes in on, so a single sensor is fine. But with 2 sensors, the client traffic might get sent to a different sensor than the server traffic.
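
The reply's reasoning about member-link hashing can be seen in a small simulation. This is an added example, not code from the original post or from Cisco: the hash (an XOR of the selected header fields modulo the number of member links) is a deliberately simplified stand-in for a real switch's EtherChannel load-balance algorithm, the policy names mimic the `port-channel load-balance` keyword families, and the flows are constructed. It contrasts the two deployments discussed above: both member links landing in one virtual sensor (direction is irrelevant) versus one sensor per member link (the top and bottom switches may hash the two directions of a flow onto different members).

```python
"""Toy model of EtherChannel member selection and what an inline sensor sees.

Assumptions (not Cisco's algorithm): a member link is chosen by XORing the
selected header fields and taking the result modulo the member count.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def member_for(pkt: Packet, policy: str, n_members: int) -> int:
    """Pick a member link for a packet under a load-balance policy (toy hash)."""
    fields = {
        "src-ip": [int(ip_address(pkt.src_ip))],
        "src-dst-ip": [int(ip_address(pkt.src_ip)), int(ip_address(pkt.dst_ip))],
        "src-dst-port": [pkt.src_port, pkt.dst_port],
    }[policy]
    h = 0
    for f in fields:
        h ^= f
    return h % n_members


def reverse(pkt: Packet) -> Packet:
    """The server-to-client packet of the same flow."""
    return Packet(pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)


def split_flows(flows: List[Packet], top_policy: str, bottom_policy: str,
                n_members: int = 2) -> List[Tuple[Packet, int, int]]:
    """Flows whose forward and return packets use different member links.

    The top switch hashes client->server, the bottom switch server->client,
    as in the diagram with one switch on each side of the sensors.
    """
    split = []
    for fwd in flows:
        fwd_member = member_for(fwd, top_policy, n_members)
        ret_member = member_for(reverse(fwd), bottom_policy, n_members)
        if fwd_member != ret_member:
            split.append((fwd, fwd_member, ret_member))
    return split


def full_flow_fraction(flows: List[Packet], top_policy: str, bottom_policy: str,
                       sensor_per_link: bool, n_members: int = 2) -> float:
    """Fraction of flows for which some sensor sees both directions.

    sensor_per_link=False: both member links are inline pairs of one virtual
    sensor, so every flow is seen whole regardless of hashing.
    sensor_per_link=True: each member link has its own sensor, so a flow whose
    two directions hash to different members is only half-seen by each.
    """
    if not sensor_per_link:
        return 1.0
    n_split = len(split_flows(flows, top_policy, bottom_policy, n_members))
    return (len(flows) - n_split) / len(flows)


# Constructed sample flows (client -> server); not captured traffic.
FLOWS = [
    Packet("10.1.1.10", "10.2.2.20", 40000, 443),
    Packet("10.1.1.11", "10.2.2.20", 40001, 443),
    Packet("10.1.1.12", "10.2.2.21", 40002, 80),
    Packet("10.1.1.13", "10.2.2.22", 40003, 22),
]

if __name__ == "__main__":
    for top, bottom in [("src-dst-ip", "src-dst-ip"), ("src-ip", "src-ip"),
                        ("src-dst-ip", "src-ip")]:
        print(top, bottom,
              "split flows:", len(split_flows(FLOWS, top, bottom)),
              "fully seen with one sensor per link:",
              full_flow_fraction(FLOWS, top, bottom, sensor_per_link=True))
```

With a symmetric policy on both switches (XOR of source and destination is the same in either direction) no flow is split, but a source-only policy, or different policies on the two switches, sends the return direction elsewhere, and then only the single-sensor-per-EtherChannel deployment still inspects every flow whole.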

Beginner

Re: IPS Inline Interface Mode - Can you use a port-channel?

Thanks Marcoa,

If traffic is asymmetric - and either the IPS1 or IPS2 cannot see the entire flow - then I'm guessing this design will not work or will be ineffective?

Also - if traffic would spike, the IPS will just fail it open (if configured) and just not inspect that traffic correct?

Thanks again,

Brad

Cisco Employee (Accepted Solution)

Re: IPS Inline Interface Mode - Can you use a port-channel?

Asymmetric traffic will prevent the sensor functioning the best it is capable. There is a configuration that can be made to allow the sensor to be deployed in an asymmetric environment, BUT it can negatively affect the sensor's ability to detect attacks, allows through evasions that would have otherwise been prevented, and will in general affect sensor performance.

So running in asymmetric mode should be avoided if at all possible. But in those situations where it can't be, the sensor can still be used with degraded functionality.

Traffic spikes above what the sensor can handle will cause dropped packets. There is no fail-open for too much traffic.

The fail-open you are referring to I am assuming is the bypass mode feature. The bypass feature does not affect over subscription of the sensor. The bypass feature will only kick in if the analysis engine crashes because of a bug.


Beginner

Re: IPS Inline Interface Mode - Can you use a port-channel?

Wow - I had no idea it would drop traffic if it went over the inspection threshold...errrr...Do the ASA IPS modules behave this way as well?

Thanks again - this has been a huge help.

Brad

Rising star

Re: IPS Inline Interface Mode - Can you use a port-channel?

Yes, all the IPS Sensors will drop packets. Check your interfaces and you will see a "missed packet %" that is calculated from the time of last reload. These are packet drops.
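
A since-last-reload percentage hides recent trends, so a practical check compares two snapshots. The following is an added example, not code from the original post or from Cisco: the interface-statistics text it parses is constructed and only modeled on the shape of sensor CLI output (the field names `Missed Packet Percentage` and `Total Packets Received` and the block layout are assumptions, adjust the regexes to the real output), and the "missed packets" figure is an estimate derived from the percentage and the total, not a counter the sensor exposes.

```python
"""Estimate recent packet drops on inline sensor interfaces from two snapshots.

The sample text below is constructed; its layout is an assumption about the
interface-statistics output, not a captured CLI session.
"""
import re
from typing import Dict

# Constructed snapshot taken at time t0 (counters are since last reload).
SNAPSHOT_T0 = """\
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Link Status = Up
   Missed Packet Percentage = 0
   Total Packets Received = 1000000
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Link Status = Up
   Missed Packet Percentage = 2
   Total Packets Received = 2000000
"""

# Constructed snapshot taken later at t1: Gi0/1's average has crept to 4%.
SNAPSHOT_T1 = """\
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Link Status = Up
   Missed Packet Percentage = 0
   Total Packets Received = 1500000
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Link Status = Up
   Missed Packet Percentage = 4
   Total Packets Received = 4000000
"""

_BLOCK = re.compile(r"MAC statistics from interface (\S+)")
_MISSED = re.compile(r"Missed Packet Percentage = (\d+(?:\.\d+)?)")
_TOTAL = re.compile(r"Total Packets Received = (\d+)")


def parse_interfaces(text: str) -> Dict[str, Dict[str, float]]:
    """Map interface name -> {'missed_pct', 'total', 'missed_est'}.

    missed_est = missed_pct * total / 100 is an estimate of packets dropped
    since reload, derived because only the percentage is reported.
    """
    result = {}
    parts = _BLOCK.split(text)
    # parts = [preamble, name1, body1, name2, body2, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        m_pct = _MISSED.search(body)
        m_tot = _TOTAL.search(body)
        if not (m_pct and m_tot):
            continue
        pct = float(m_pct.group(1))
        total = int(m_tot.group(1))
        result[name] = {"missed_pct": pct, "total": total,
                        "missed_est": pct * total / 100.0}
    return result


def interval_missed_pct(t0_text: str, t1_text: str) -> Dict[str, float]:
    """Drop percentage over the interval between two snapshots, per interface.

    Differencing the since-reload estimates exposes a worsening drop rate
    that the cumulative percentage averages away.
    """
    t0, t1 = parse_interfaces(t0_text), parse_interfaces(t1_text)
    rates = {}
    for name in t0.keys() & t1.keys():
        d_total = t1[name]["total"] - t0[name]["total"]
        d_missed = t1[name]["missed_est"] - t0[name]["missed_est"]
        rates[name] = (100.0 * d_missed) / d_total if d_total > 0 else 0.0
    return rates


def oversubscribed(t0_text: str, t1_text: str, threshold_pct: float = 1.0):
    """Interfaces whose recent drop rate exceeds the threshold (sorted)."""
    return sorted(n for n, r in interval_missed_pct(t0_text, t1_text).items()
                  if r > threshold_pct)


if __name__ == "__main__":
    print(interval_missed_pct(SNAPSHOT_T0, SNAPSHOT_T1))
    print("oversubscribed:", oversubscribed(SNAPSHOT_T0, SNAPSHOT_T1))
```

In the constructed data GigabitEthernet0/1 reports a 4% lifetime miss rate at t1, but the 2,000,000 packets received between the snapshots carried an estimated 6% drop rate, which is the figure that matters when deciding whether the sensor is being oversubscribed right now.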
