10-08-2009 01:10 PM - edited 03-10-2019 04:47 AM
Hi folks,
I have a stupid question to ask. We are about to deploy a number of IPS42xx appliances. There are no free ports on the switches to connect their sensing interfaces to the switch SPAN port. Is there any way to use a pair of the sensor's interfaces to send traffic through the sensor while the sensor itself runs in IDS (monitoring) mode? The client might opt to switch to real IPS (inline) mode after they tune their signatures, and it should be just a matter of changing the settings on the sensor, not reconnecting cables.
Help please!!!
10-09-2009 07:48 AM
If you place the sensor in line with the traffic, then it will need to operate in the inline mode, with all the risks associated with that (latency, sensor availability/uptime, etc). You can turn off all the drop actions (check those normalizer sigs carefully, they don't even report when they fire) either on a sig by sig basis or with a broad Event Action Override.
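As an added illustration of the approach described in this reply (not part of the original post), the following Cisco IPS CLI session shows how an inline sensor can be kept in a monitor-only posture by disabling the default deny-packet-inline override and adding an event action filter that strips the inline deny actions from every signature while leaving produce-alert intact. It assumes the IPS 6.x/7.x CLI syntax and the default rules0 policy; the sensor name, filter name and exact prompt strings are assumptions.

```cisco
! Assumed sensor name and default event-action-rules policy (rules0)
sensor# configure terminal
sensor(config)# service event-action-rules rules0

! 1. Disable the default override that adds deny-packet-inline
!    to any event with risk rating 90-100.
sensor(config-rul)# overrides deny-packet-inline
sensor(config-rul-ove)# override-item-status disabled
sensor(config-rul-ove)# exit

! 2. Add a broad filter (assumed name: monitor-only) that removes
!    the inline drop actions from all signatures. produce-alert is
!    not listed in actions-to-remove, so events are still logged.
!    Note the reply's caveat: normalizer signatures may act without
!    reporting, so review those individually as well.
sensor(config-rul)# filters insert monitor-only begin
sensor(config-rul-fil)# signature-id-range 1000-65535
sensor(config-rul-fil)# subsignature-id-range 0-255
sensor(config-rul-fil)# actions-to-remove deny-packet-inline|deny-connection-inline|deny-attacker-inline
sensor(config-rul-fil)# filter-item-status enabled
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?:[yes]: yes

! 3. Later, to move to real IPS mode without touching cables,
!    disable the filter and re-enable the override.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters edit monitor-only
sensor(config-rul-fil)# filter-item-status disabled
sensor(config-rul-fil)# exit
sensor(config-rul)# overrides deny-packet-inline
sensor(config-rul-ove)# override-item-status enabled
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes?:[yes]: yes
```

After applying, `show events alert` on the sensor should still show alerts firing for matched signatures, which confirms that detection is intact while no traffic is being dropped.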
10-09-2009 08:42 AM
Thanks, Hermes.
I figured that Event Action Filter is the answer to my question. How much latency is introduced to traffic flows if they traverse an inline sensor, as opposed to real promiscuous mode where the sensing port is connected to the SPAN-ed switch port?
10-10-2009 05:35 AM
This would depend on the amount of traffic you push through the sensor. If it's within reasonable ranges of the sensor's throughput/processing power, the delay will be acceptable. If it's more, it's going to invite trouble :)
Regards
Farrukh
10-13-2009 11:58 AM
Thanks for all advice, folks.
May I ask a relevant question? I came across an article at Cisco's site
https://learningnetwork.cisco.com/docs/DOC-4381 named "Understanding Cisco IPS Interface Types and Modes". It was a revelation to me that if IPS runs in inline mode, a pair of inline interfaces should be L2 separated with different VLANs. I'm quoting Yusuf Bhaiji's words:
Note that a Layer 2 segmentation is required for inline mode to work; that is, the client and the first interface are on a separate VLAN, whereas the server and the second interface are on a separate VLAN, as shown in Figure 2. The Layer 3 network remains unchanged.
Never heard about it and never found anything relevant to it in other Cisco guides.
Can anyone confirm or disprove it?
Eugene