Dears
i am introducing F5 SSLO orchestrator service in my network, On the F5 SSLO orchestrator i am connecting Cisco IPS 4000 series , Currently IPS is connected inline on the traffic path with pair of interface in and out as an bump in the wire, now the plan is to move out from this inline path and connect to F5 SSLO box which will be acting as an bump in the wire and it will direct the traffic to security tool such as IPS connected on f5 SSLO.
Example for traffic flow: Traffic enters the f5 SSLO, it decrypts the traffic and send it to security tools attached to it such as IPS, IPS inspects the traffic and returns the traffic from the same interface to the SSLO , SSLO re encrypts the traffic and send it to the end user
My question: I want the 4000 series IPS to be setup in one arm mode is this possible ?, in previous setup i was using two interface but now i want to move to one interface (in & out from same interface) with blocking action.
IPS deployment modes
- Inline mode need 2 interface 1 for in and 1 for out and it can do prevention
- Inline tap mode need 3 interface 1 for in and 1 for out and 1 for TAP connection and it can do detection only
- Passive mode need only 1 interface that will work as only detection and not prevention
How can i achieve with single interface blocking mode
Please find the attached with 2 interface what problems i can face.
Lets assume if i connect two interface to the switch as per the attached and configure the deployment method of IPS as an transparent then on the switch i think any one of the interface will be in blocking mode due to spanning tree. Please correct me if i m wrong.
https://community.cisco.com/t5/security-blogs/demystifying-firepower-deployment-modes/ba-p/4725447
Thanks
