Just a simple question regarding implementation of IPS 4260 inline mode between PIX and core router. Is it possible just to connect the PIX inside interface with one IPS interface, and another core interface with the other IPS interface, and to create an inline-interface-pair? Or do I have to create another VLAN pair on the core router just to span traffic through the IPS, using additional ports on the router? Thanks in advance
Yes you can create another interface pair for the redundant Pix Router connection.
However, you do not need to create a second virtual sensor. The pair for the redundant connection can stay in the same virtual sensor as the original pair.
However, understand that you now have made the 4260 a single point of failure.
This may be acceptable for you if using the 4 GE TX ByPass card. If the 4260 analysis software fails then the internal software bypass mechanism will kick in to pass packets through uninspected, and if the entire OS fails then the hardware bypass within the NIC itself will kick in and pass the packets uninspected.
This hardware bypass card is currently only available in TX copper and not SX fiber.
And it is only available on the 4260.
If you are not using a 4260 or are not willing to rely on the single sensor, then there are additional alternatives.
Purchase a small switch that can handle 2+ Gigs of traffic.
Create vlan A.
Plug both Pixes into Vlan A.
Create vlan B.
Plug both Routers into Vlan B.
Now create just one inline interface pair and plug the first interface into vlan A, and plug the second interface into vlan B.
Now the single interface pair of the sensor can pass traffic between either of the 2 Pix firewalls and either of the 2 routers.
If the sensor fails the hardware bypass NIC will still be able to kick in and pass the traffic.
You can then add another layer of protection and take a simple wire and plug one end into vlan A, and the other end into vlan B.
Spanning tree will detect that both the sensor and the wire are providing redundant paths and will place one in a blocking state. If necessary, modify the spanning tree parameters so the switch prefers the sensor connection over the wire connection. Packets will only pass through the wire if the sensor interfaces are down.
Understand, however, that most switches will generate native vlan mismatch errors in this configuration. You can disable cdp to prevent these warnings.
If you are not using a 4260 and therefore won't benefit from hardware bypass NICs you could also do this with an inline vlan pair on a single interface connected to a trunk of the 2 vlans.
Another alternative is to also use a second sensor for IPS redundancy instead of a wire.
Yes for inline monitoring the IPS-4260 can be placed between the Pix and router.
On the 4260 create an InLine interface pair using 2 of the sensor's interfaces, and assign it to virtual sensor vs0.
If necessary configure the speed and duplex settings of the 2 interfaces of the 4260 so they will match any hardcoded speed and duplex settings that may already be on the Pix and router.
Unplug the existing connection between the Pix and router. Plug that Pix interface into one of the sensor's interfaces in the pair, and plug that router interface into the other sensor's interface of the pair.
The sensor should now be able to do inline monitoring between the Pix and router.
No configuration modifications are needed on the Pix or router when using the above method for adding in the 4260 inline interface pair.
You will, of course, want to do this during a scheduled downtime for your network.
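As an added illustration of the steps above (this session is not from the original thread), here is what the corresponding IPS 6.x sensor CLI configuration looks like for the inline interface pair, speed/duplex settings and the vs0 assignment. The interface names GigabitEthernet2/0 and GigabitEthernet2/1, the pair name pix-to-core and the 1000/full setting are assumptions for this example, not values from the post.

```text
! Added example. Assumed sensing interfaces on the 4260: GigabitEthernet2/0 and 2/1.
sensor# configure terminal
sensor(config)# service interface
! Step 1: enable the two sensing interfaces. Only set speed/duplex if the
! Pix or router side is hardcoded; otherwise leave both at the default (auto).
sensor(config-int)# physical-interfaces GigabitEthernet2/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# speed 1000
sensor(config-int-phy)# duplex full
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet2/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# speed 1000
sensor(config-int-phy)# duplex full
sensor(config-int-phy)# exit
! Step 2: bind the two interfaces into a single inline interface pair
sensor(config-int)# inline-interfaces pix-to-core
sensor(config-int-inl)# interface1 GigabitEthernet2/0
sensor(config-int-inl)# interface2 GigabitEthernet2/1
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! Step 3: assign the pair to the default virtual sensor vs0
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface pix-to-core
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
! Verify after re-cabling: both interfaces should show link up and
! the virtual sensor should be passing packets on the pair
sensor# show interfaces
sensor# show statistics virtual-sensor
```

Force the speed and duplex only to match an existing hardcoded setting on the Pix or router; a forced setting on one end with auto-negotiation on the other produces a duplex mismatch and packet loss through the pair.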