Cisco Support Community
Community Member

IPS SENSORS ALLOCATIONS

Hello

Please, expert, examine the attached diagram and tell me if you agree with my interface allocation for the dedicated IPS 4215. It looks like one interface is the C&C on the inside,

in order to launch the IDM management, and the other two sensor interfaces look like one sensing on the outside and one sensing on the DMZ, along with the inline mode,

to fully protect the I-BANKING and the SMS server. So please advise me on the optimum and robust design that is suitable for my attached topology.

Waiting for your kind response.

Thanks

3 REPLIES
Community Member

Re: IPS SENSORS ALLOCATIONS (accepted solution)

Hello,

To have the best protection you should be in inline mode, and the design would depend on whether you have VLANs on your DMZ or not.

Do you have a VLAN in your DMZ segment?

regards

Community Member

Re: IPS SENSORS ALLOCATIONS

Hello,

Yes, I have a VLAN for the DMZ.

Community Member

Re: IPS SENSORS ALLOCATIONS

Hello,

After a quick verification on the Cisco website, it seems that the 4215 is end-of-life and end-of-sale, so it would be better to upgrade the hardware before putting into production a device which will face a lack of support.

In regards to the design, you have two options in my view:

1. INLINE MODE with inline VLAN pair or VLAN group, in the case where your servers are in different VLANs in the DMZ

2. PROMISCUOUS MODE with shun, depending on the type of router or switch that you have

I added promiscuous mode in regards to your statement about availability.

In regard to your environment, the options for availability are:

1. hardware and/or software bypass; I'm not so sure if the hardware bypass card is supported by the 4215 device

2. install a second IPS, or use a cable between the switches where the IPS is connected. In this case you'll need spanning-tree configuration on the ports

I'm not convinced about the efficiency of the sensing link outside the network, maybe for anomaly detection purposes?

Regards
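The inline VLAN pair design from the reply above, written out as an added example (it is not configuration posted in this thread, and the thread itself contains no config). It uses the Cisco IPS 6.x sensor CLI; the interface names, VLAN numbers and virtual sensor name are assumptions: the 4215's FastEthernet0/0 is kept as the command-and-control port for IDM, FastEthernet0/1 is the sensing port, the firewall's DMZ leg sits in VLAN 10 and the I-BANKING and SMS servers in VLAN 20, so the sensor bridges the two VLANs on a single trunk and every DMZ flow crosses it. `bypass-mode auto` is the software bypass the reply mentions; it keeps traffic flowing if the analysis engine fails, but not if the appliance loses power, which is what the hardware bypass question is really about.

```text
! Added example: Cisco IPS 6.x CLI, inline VLAN pair on an IPS-4215.
! Assumed: sensing port FastEthernet0/1, C&C on FastEthernet0/0 (unchanged),
! VLAN 10 = firewall side of the DMZ, VLAN 20 = server side, virtual sensor vs0.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces FastEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description DMZ firewall side (10) to server side (20)
sensor(config-int-phy-inl-sub)# vlan1 10
sensor(config-int-phy-inl-sub)# vlan2 20
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
! Software bypass: forward unanalyzed if the analysis engine stops.
! Does nothing for a powered-off sensor; that needs a hardware bypass card.
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! Attach the VLAN pair to the virtual sensor so signatures actually inspect it.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface FastEthernet0/1 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Verify: the pair should show as inline, admin-state enabled, link up.
sensor# show interfaces
```

On the switch side the port facing FastEthernet0/1 must be an 802.1Q trunk allowing only VLANs 10 and 20, with the firewall's DMZ interface in an access port on VLAN 10 and the servers on VLAN 20; if a VLAN 10 host can reach a VLAN 20 host while the sensor port is shut down, the two VLANs are being routed or bridged somewhere else and the IPS is not actually in the path. The second availability option in the reply (a parallel cable between the switches) is a spanning-tree question, not a sensor one: that link must be blocked by STP while the sensor is up and take over only when the sensor link goes down.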
