05-01-2012 01:02 PM - edited 03-10-2019 05:39 AM
Given that I have the same topology as shown in Internet Edge Cisco IPS Design Best Practices and am basically inserting a 4270 Appliance in INLINE mode.
Core and Distribution Switch = Layer-3 routed links
Distribution Switch and ASA = Layer-2 access port
I'm wondering how the IPS sensors should be configured? I think I understand the methods below, but since my Core/Distrib link is Layer-3, I'm not sure which method is going to work since most require two VLANs ...
1. Interface Pairing
2. VLAN Pairing
3. VLAN Group
Does anyone have the same experience?
Thanks in advance ...
Gerard
05-02-2012 02:59 PM
Our IPS sensors are Layer 2 devices. A base 4270 appliance will have a total of four sensing interfaces. You could use two and put the appliance inline as a Layer 2 bump-in-the-wire between the distribution switch and the edge firewall. As all Internet bound traffic will traverse the appliance in this design, care needs to be taken to ensure that you don't oversubscribe the hardware (2GB transactional/4GB media rich). If you only wanted the sensor to inspect specific distribution VLANs, you could look at using inline VLAN pairs which will effectively make the appliance an IPS-on-a-stick. The IPS in this case will handle the bridging between the configured VLANs. Additional care needs to be taken in active/active paths to ensure that traffic flows symmetrically through a single appliance. In cases where this is not possible, you will need to look at the asymmetric mode option.
05-07-2012 11:50 AM
I have a 4270-20 positioned at the edge of my network. It sits between the outside of the firewall and our Internet router. The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.
To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it. This gives us complete outside protection and inside visibility. This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two in-line pairs on the IPS. One internal, and one external.
The best way to go is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation.
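As an added example (not configuration from either poster or from Cisco's design guide), the three deployment options discussed in this thread on one 4270 sensor: the inline interface pair that Atri describes as a Layer-2 bump-in-the-wire between the distribution switch and the ASA, an inline VLAN pair on a trunk (the "IPS-on-a-stick" case, which is the only one of the three that actually needs two VLANs), and the promiscuous interface fed by a SPAN session that Rick uses for inside visibility. Interface names, VLAN numbers, pair names and the SPAN source/destination ports are assumptions chosen for illustration; the commands follow the Cisco IPS 7.x `service interface` / `service analysis-engine` CLI and the Catalyst IOS `monitor session` syntax, with CLI prompts omitted and `!` lines used as annotations, so check the exact syntax against the sensor software version you run.

```text
! ---- On the IPS 4270 (IPS 7.x CLI) ----
configure terminal
service interface

! 1. Inline interface pair (bump-in-the-wire): Gi0/0 faces the
!    distribution switch, Gi0/1 faces the ASA inside interface.
!    Both links are plain Layer-2 access ports; no VLAN tagging needed.
physical-interfaces GigabitEthernet0/0
 admin-state enabled
 description To-Distribution-Switch   ! assumed cabling
 exit
physical-interfaces GigabitEthernet0/1
 admin-state enabled
 description To-ASA-inside            ! assumed cabling
 exit
inline-interfaces EDGE-PAIR           ! assumed pair name
 interface1 GigabitEthernet0/0
 interface2 GigabitEthernet0/1
 exit

! 2. Inline VLAN pair (IPS-on-a-stick): one trunk port carries VLAN 10
!    and VLAN 20; the sensor bridges frames between them and inspects
!    everything that crosses. Only this mode requires two VLANs.
physical-interfaces GigabitEthernet0/2
 admin-state enabled
 subinterface-type inline-vlan-pair
 subinterface 1
  vlan1 10                            ! assumed VLAN numbers
  vlan2 20
  description Dist-VLAN10-to-VLAN20
  exit
 exit
 exit

! 3. Promiscuous interface: receives a SPAN copy of the core<->firewall
!    link for inside-address visibility; never in the forwarding path.
physical-interfaces GigabitEthernet0/3
 admin-state enabled
 description SPAN-from-core
 exit
exit
! Apply Changes?[yes]: yes

! Bind all three to the default virtual sensor so signatures run on them.
service analysis-engine
virtual-sensor vs0
 logical-interface EDGE-PAIR
 physical-interface GigabitEthernet0/2 subinterface-number 1
 physical-interface GigabitEthernet0/3
 exit
exit
! Apply Changes?[yes]: yes
exit

! ---- On the core Catalyst switch (IOS) ----
! Mirror the link that goes to the firewall inside interface to the
! port cabled to the sensor's promiscuous Gi0/3.
configure terminal
monitor session 1 source interface GigabitEthernet1/0/1 both   ! assumed: uplink to ASA inside
monitor session 1 destination interface GigabitEthernet1/0/2   ! assumed: cabled to IPS Gi0/3
end
```

After the commit, `show interfaces` on the sensor should list the inline pair, the VLAN-pair subinterface and the promiscuous port, and `show statistics virtual-sensor` should show packet counts rising on all three once traffic flows. Two checks from the thread are worth making before trusting the deployment: confirm that both directions of every flow cross the same sensor (a flow that enters through EDGE-PAIR but returns through another path will be seen only half, and the sensor may need asymmetric mode to avoid false denies), and compare the combined throughput of all inspected paths against the 4270's rated capacity, since the SPAN copy is added to the inline load on the same appliance.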