IPS/IDS design que

pandapritam · ‎05-26-2012

Hi,

Design Description:

We have a 6500 series switch where my ISP Point-to-Point link got terminated. Where we have configured OSPF on the 6500 series switch to have all the roots from ISP.
We are getting 3 numbers of /24 public IP subnet Pool for my servers from ISP. I have configured SVI in 6500 series switch for all my server segment.

we have 2 number of 4260 IPS appliance having 4G ports connected to 6500 series switch.

Requirement:

1. I need to implement IPS functionality to 2 of my Public IP server segment (i.e. X.X.X.X/24 and Y.Y.Y.Y/24)
2. Need IDS functionality for 3^rd server Segment. (i.e. Z.Z.Z.Z/24)

So Please suggest how can I achieve my goal. Where exactly I need to put my IPS box to have In-line and promiscuous for IPS and IDS server segment? Also suggest what are the configuration changes required.

Todd Pula · ‎05-30-2012

You could look at implementing an Inline VLAN Pair configuration for the two segments that you need to provide IPS functionality. This could be done using a single gigabit trunk from the 4260 to the 6500 or you could look at EtherChannel Load Balancing multiple links to provide for bandwidth aggregation and redundancy. Inline VLAN pairing will require you to add additional VLANs to the design as highlighted in the document below. The 4260 will then perform VLAN bridging between pairs of VLANs on the configured trunk. For the IDS requirement, you could configure an additional interface on the 4260 in promiscuous mode and then redirect traffic from the specific source VLAN using a SPAN or VACL on the 6500.

http://www.cisco.com/en/US/customer/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718