Community Member

IPS Scheme

Is it possible to have 4 sensors at the same time for the IPS 4255 in Bypass mode?

The idea is to monitor 4 different interfaces connected to only 1 IPS, and if the IPS fails the traffic must continue to flow without stopping.

I attach an image of the physical scheme.

Regards,

2 REPLIES
Gold

IPS Scheme

Yes you CAN do that with the hardware failopen feature of the 4255. You do not have "4 sensors" you actually have one IPS sensor with two in-line segments.

The reason you might NOT want to do that is that the IPS Sensor becomes a single point of failure. If the software crashes it may not go into hardware bypass. An external (to the IPS Sensor) failopen path would eliminate this danger.

You don't specify what the top switch is in your drawing, but assuming you had additional ports available on the top switch and your 3550 stacks on the bottom, you could run an additional Ethernet cable between the top switch and each of the 3550s. Give this path a HIGHER Spanning Tree Protocol cost than the STP cost assigned to the path through the 4255 IPS Sensor. This way if the sensor ever stops passing Layer 2 BPDUs the switches will use the alternate (hot standby) path for failopen.

- Bob
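The hot-standby path Bob describes, written out as an added Cisco IOS configuration example (this is not from the thread or from Cisco's own documentation). It assumes the top switch is a Catalyst 6500 acting as STP root, that each 3550 stack reaches it through one IPS 4255 inline pair (Gi1/1 on the 6500 to Gi0/1 on the 3550), and that the new direct cable runs Gi1/2 to Gi0/2; all interface numbers and the cost value 100 are placeholders chosen for illustration.

```text
! Added example, not part of the original thread.
! Assumptions: 6500 on top (STP root), one IPS 4255 inline pair per 3550 stack,
! bypass cable added alongside it. Interface numbers are placeholders.

! --- Top switch (assumed Catalyst 6500, kept as STP root so path cost is measured from here) ---
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
interface GigabitEthernet1/1
 description Primary path through the IPS 4255 inline pair (leave the default port cost)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 description Hot-standby bypass cable to 3550 stack A, around the IPS
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree cost 100
! 100 is well above the default GigabitEthernet cost, so STP blocks this port
! as long as BPDUs keep arriving through the IPS inline pair.

! --- 3550 stack A ---
spanning-tree mode rapid-pvst
!
interface GigabitEthernet0/1
 description Primary path through the IPS 4255 inline pair (default cost)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Hot-standby bypass cable to top switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree cost 100
! The higher cost must be set on the bypass port of BOTH switches; the IPS path
! must stay cheaper in each direction or one side will prefer the bypass.
```

To check it, run `show spanning-tree interface GigabitEthernet0/2` on the 3550: while the IPS is forwarding BPDUs the bypass port should show role Altn and state BLK. Pull the sensor's inline cable and the same port should move to FWD (quickly with rapid-pvst, after the listening and learning timers with classic STP). Two caveats worth keeping in mind: the IPS inline pair must be passing BPDUs, otherwise STP treats the inline path as already down and prefers the bypass permanently; and once the bypass is forwarding, traffic between the 3550 and the 6500 is no longer inspected, so the STP topology change that activates it should be logged and alerted on rather than left to be discovered later.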

Community Member

IPS Scheme

How would this kind of physical connection work? I mean, how many ports from the IPS will I need? The zone with the 3750 is not connected to the 6500 Series SW. I attach an image of the full scheme; the 3750s are in a DMZ zone.
