Community Member

IDS-4210

I noticed that the model IDS-4210 does not do INLINE inspection on software 5.1(3)

Will it do so on newer versions? Or can the 4210 not do it, period?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IDS-4210

Yes and No

The scheme you wrote up is right, but it does NOT route between vlan 1 and vlan 2.

The IPS will instead switch or bridge packets between vlan 1 and vlan 2.

What this means is that the IP Address on the router's vlan 1 interface MUST be in the same IP Subnet as the IP Address on the inside vlan.

The IPS will simply take the packets on vlan 1 and put them on vlan 2 (and vice versa), it will not "route" packets between 2 IP Subnets so the same IP Subnet must be used in both vlan 1 and vlan 2.
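The bridging behaviour described in the accepted answer, as an added Python model (not Cisco's code and not from the post): an 802.1Q frame arriving on one VLAN of the pair is re-tagged with the other VLAN and nothing above layer 2 is touched, which is why both sides must share one IP subnet. The VLAN numbers and addresses below are constructed for illustration.

```python
import ipaddress
import struct

# Constructed pair, matching the thread's scheme: vlan1 <-> vlan2.
VLAN_PAIR = (1, 2)


def same_subnet(router_if: str, inside_if: str) -> bool:
    """The IPS bridges rather than routes, so the router's vlan1 address and
    the inside vlan2 addresses must lie in the same IP subnet; otherwise the
    hosts can never ARP for each other across the pair."""
    return (ipaddress.ip_interface(router_if).network
            == ipaddress.ip_interface(inside_if).network)


def build_frame(dst: bytes, src: bytes, vid: int, payload: bytes,
                ethertype: int = 0x0800, pcp: int = 0) -> bytes:
    """Build a minimal 802.1Q-tagged Ethernet frame (constructed test input)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return (dst + src + b"\x81\x00" + struct.pack("!H", tci)
            + struct.pack("!H", ethertype) + payload)


def bridge_vlan(frame: bytes, pair=VLAN_PAIR) -> bytes:
    """Model one hop through an inline VLAN pair: swap the VLAN ID between the
    two paired VLANs and hand the frame back unchanged otherwise (no MAC or
    IP rewrite, hence no routing between subnets)."""
    if len(frame) < 18 or frame[12:14] != b"\x81\x00":
        raise ValueError("not an 802.1Q tagged frame")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    if vid == pair[0]:
        new_vid = pair[1]
    elif vid == pair[1]:
        new_vid = pair[0]
    else:
        # Frames on VLANs outside the pair are not bridged by this pair.
        raise ValueError(f"VLAN {vid} is not part of the inline pair")
    new_tci = (tci & 0xF000) | new_vid  # keep PCP/DEI bits, change VID only
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]
```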

3 REPLIES
Cisco Employee

Re: IDS-4210

There are 2 types of inline inspection:

inline interface pairs - 2 physical interfaces are paired together and the inspection is done inline as the packets are passed between the 2 interfaces

inline vlan pairs - 1 physical interface is connected to a switch using a trunk port, 2 vlans on the trunk port are paired together and the inspection is done inline as the packets are switched between the 2 vlans

The IDS-4210 only has one monitoring interface, and so you cannot create inline interface pairs.

But the IDS-4210 does support inline vlan pairs on that one monitoring interface.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliinter.htm#wp1057307

Community Member

Re: IDS-4210

Thank you

But one more question

Would the 4210 have to act like a router to direct the packets from the internet to the inside network?

I tried to look on configuration guides but they have no examples.

I assume that the network scheme would look something like this:

router ---vlan1

IDS ---vlan1/2

inside ---vlan2

am I right ?

PS. thank you marcabal for your post
