New Member

IPS 4270 sensors on "Inline-On-A-Stick" Mode

Hello,

We are planning to use VLAN pair mode using EtherChannel trunks (Inline-on-a-stick), mainly to overcome the lack of 10 GigE interfaces, which would prevent us from adopting a traditional inline architecture for firewalls with 10 GigE interfaces.

Do you or your customers have experience with Inline-on-a-stick? Could you please share your advice and any words of caution we need to keep in mind?

I do know that Bypass can't work in this mode, which we are planning to address by deploying multiple IPS 4270 appliances and EtherChannels.

Any suggestions are appreciated!

Thanks,

Antony

2 REPLIES
Gold

Re: IPS 4270 sensors on "Inline-On-A-Stick" Mode

With VLAN pairs you need to be aware of the "sharing" going on between the two VLANs on the same GigE interface. Each VLAN should be loaded to no more than 50%.

I would recommend an external VLAN bypass for when the sensor takes a nap, reloads or gets an OS update. I've done this with an alternate path between the two VLANs with a higher Spanning Tree cost. If you play with the STP parameters you can get the switchover down to under a second.

New Member

Re: IPS 4270 sensors on "Inline-On-A-Stick" Mode

Thanks for the reply, Robert.

You raised very important points about the VLAN sharing and alternate path. Appreciate the help.

- Antony
