Showing results for 
Search instead for 
Did you mean: 


Firepower Threat Defense on ISR - DMVPN Phase 1 spoke to spoke traffic

If we are using an ISR 4000 series as a DMVPN hub (DMVPN Phase 1) and want to run a Firepower sensor on a UCS-E series compute module within that module, will the sensor see spoke to spoke traffic bouncing off the hub.  If so, are we limited to IDS mode or is inline IPS mode possible? 


Best I can tell based on the link below is that traffic needs to physically come in through a front panel port, be bridged to the sensor, then sent back to the router for it to be in IPS mode.  That would not include DMVPN spoke to spoke traffic I would think.  Finally, if we are able to do IPS mode for the traffic specified, are we able to write zone based firewall rules on the sensor?  There is mention in Cisco docs that ZBFW is not supported on BDI in IPS mode so I would hope those rules would be written on the sensor.


Worst case scenario we can just do IOS ZBFW and IOS Snort IPS, however I don’t want to spend $$$ on a UCS-E series then find out I can’t do what I need to do.


Everyone's tags (1)