04-19-2010 02:42 PM - edited 03-10-2019 04:57 AM
Hi all,
We have a 6500 core switch and an ASA facing the internet. The 6500 core switch has any traffic from inside or outside flowing through it. I plan to deploy IPS/IDS devices in our network. It seems I can put an IPS module in the ASA at the internet edge. Or I can put an IPS module in the 6500 switch. The other solution is to put in a 4200 series IPS/IDS. But I prefer the integrated module solution.
I think putting the IPS module in the ASA only checks the traffic from the internet or out to the internet. For the internal traffic, like one remote office accessing the other one, this kind of traffic can't be monitored by the IPS at the ASA. So I'm thinking putting the IPS module in the 6500 may make more sense since all traffic must go through it.
Am I correct? Any advice is appreciated.
Lou
04-19-2010 02:49 PM
Yes, you can have the IDSM2 module in your CAT 6K. However, please check how much traffic will be traversing the IDSM2 module, since you mention internal as well as traffic towards the internet. Please ensure that the performance of the internal traffic is not impacted. It also depends on whether you will be configuring the IPS in promiscuous or inline mode.
Here is the datasheet for IDSM2:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00801e55dd.html
You might even want to bundle a few IDSM2:
Hope that helps.
04-19-2010 02:52 PM
Thank you! So I would say internal traffic is up to 5 Gbps. I notice that the IDSM module only supports 2 Gbps. That might be a problem. Even two IDSMs are not enough. So the FWSM can't do the IPS/IDS function, right?
04-19-2010 02:57 PM
No, unfortunately the FWSM does not perform the IPS functionalities.
You might want to look at the IPS appliances, and divide the traffic that is being sent to the IPS to cater for your internal traffic.
Here is the datasheet for IPS appliance for your reference:
04-19-2010 03:01 PM
Thanks. So can I specify which interfaces in the 6504 go to which 4200 appliance? If so, I can easily split up the traffic to prevent maxing out the capacity of the IPS/IDS appliances. Thanks.
04-20-2010 06:09 AM
Here is a design guide for your reference:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078e021.pdf
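As an added illustration of the traffic-splitting question raised above (this is example configuration, not part of the thread or the linked design guide): on a Catalyst 6500 running IOS, each promiscuous-mode 4200 sensor can be fed by its own SPAN session, with a different set of source VLANs or interfaces per session, so that no single sensor sees more than it is rated for. The VLAN numbers and the GigabitEthernet3/x sensor ports below are assumed values chosen for the example.

```cisco
! Constructed example: two SPAN sessions, one per promiscuous-mode sensor.
! Session 1 mirrors the remote-office VLANs to sensor A on Gi3/1.
monitor session 1 source vlan 10 - 20 rx
monitor session 1 destination interface GigabitEthernet3/1

! Session 2 mirrors the server VLANs to sensor B on Gi3/2.
monitor session 2 source vlan 30 - 40 rx
monitor session 2 destination interface GigabitEthernet3/2

! Verify which sources feed which destination port.
show monitor session 1
show monitor session 2
```

Two checks are worth doing after applying this. First, the source list should be sized against the sensor's rated throughput and against the destination port speed: a Gigabit SPAN destination cannot carry more than 1 Gbps regardless of what the sensor could inspect, and oversubscribed SPAN drops silently. Second, use `rx` rather than `both` when the sources are VLANs that route to each other, otherwise a packet routed from one monitored VLAN into another is copied twice and inflates the load on the sensor.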