Is it possible to configure the IPS like the topology below? SW1's and SW2's connection ports to the IPS are in trunk mode. I would like to configure the IPS in inline interface pairing mode (not vlan pairing mode).
Yes, this method is fully supported.
If you want to monitor all of the vlans with a single virtual sensor, then assign the inline interface pair to the virtual sensor.
If you want to monitor vlans with different virtual sensors, then we support vlan groups on this inline interface pair.
Don't confuse "inline vlan pairs" with "inline vlan groups on an inline interface pair".
The "inline vlan pair" will pair 2 vlans on the same interface. When a packet comes into the sensor it will be sent back out the same interface with its vlan header changed.
The "vlan groups" on an inline interface pair do NOT change vlan headers.
They are just used for grouping vlans together so that the group of vlans can then be assigned to a specific virtual sensor.
So you might take one group of vlans for your employees' desktop network and assign them to vs0, and take a second group of vlans for your DMZ and assign them to vs1.
You can place a single vlan within each vlan group, or you can place multiple vlans within each vlan group.
But it really only makes sense to have 4 vlan groups because you only have 4 virtual sensors on most devices (some like the 4215 only have 1 virtual sensor so you can't do vlan groups on the 4215).
I would also recommend you modify your virtual sensor and set the Inline TCP Session Tracking mode to "Interface and Vlan". This way the sensor will separately monitor connections on each vlan. This is necessary if a router may route traffic between multiple vlans. Without this setting the sensor will become confused if it sees the same connection on multiple vlans.
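
A toy model of the session-tracking point in the answer above, added here as an example; it is not part of the original thread and is not Cisco's implementation. It shows why a tracker keyed only on the 5-tuple cannot place the second sighting of a routed connection, while one keyed on interface and vlan can. The mode names, the `pair0` interface label, the vlan IDs, addresses and sequence numbers are all constructed assumptions.

```python
from collections import namedtuple

# One observed TCP segment; iface is a hypothetical label for the inline pair.
Seg = namedtuple("Seg", "iface vlan src sport dst dport seq length")

# Constructed sample: three in-order segments of a single TCP connection.
SEGMENTS = [
    Seg("pair0", None, "192.0.2.10", 40000, "198.51.100.20", 443, 1000, 100),
    Seg("pair0", None, "192.0.2.10", 40000, "198.51.100.20", 443, 1100, 100),
    Seg("pair0", None, "192.0.2.10", 40000, "198.51.100.20", 443, 1200, 50),
]

def routed_twice(segments, first_vlan=10, second_vlan=20):
    """Yield each segment as the sensor sees it: once on the vlan it arrives
    on, and again after a router has routed it onto a second vlan."""
    for s in segments:
        yield s._replace(vlan=first_vlan)
        yield s._replace(vlan=second_vlan)

def track(observed, mode):
    """Toy per-session sequence tracker; returns segments it cannot place.

    mode "five-tuple-only":    session key ignores interface and vlan.
    mode "interface-and-vlan": session key includes interface and vlan.
    (Both names are labels for this model, not sensor CLI values.)
    """
    expected = {}     # session key -> next expected sequence number
    unexpected = []
    for s in observed:
        key = (s.src, s.sport, s.dst, s.dport)
        if mode == "interface-and-vlan":
            key = (s.iface, s.vlan) + key
        nxt = expected.get(key)
        if nxt is not None and s.seq != nxt:
            unexpected.append(s)   # looks like replayed data in this session
            continue
        expected[key] = s.seq + s.length
    return unexpected

if __name__ == "__main__":
    for mode in ("five-tuple-only", "interface-and-vlan"):
        bad = track(routed_twice(SEGMENTS), mode)
        print(f"{mode}: {len(bad)} segment(s) the tracker could not place")
```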