Cisco Support Community
Community Member

Recommendations for IPS in Medium-Sized LAN?

I have two ASA-5520's in active/standby mode servicing a 500-node LAN w/ 1 outside interface, 1 inside interface, and 1 DMZ. How best to implement IPS, preferably using integrated modules, and without introducing a single point of failure? Also, what software would I need to install & manage IPS? Can it be managed through ASDM or is something like Cisco Security Manager (CSM) necessary? TIA!


Re: Recommendations for IPS in Medium-Sized LAN?

You don't mention if you want to do in-line IPS or promiscuous mode IDS.

We'll assume you want in-line IPS. You'll need an AIP-SSM module in each ASA5520 chassis. They will operate independently (unlike the firewalls that maintain state between them), and you'll suffer a little when traffic fails over between active and standby ASAs. The size of the AIP-SSM modules will depend on how much traffic you're pushing through your firewall interfaces that require inspection, including your DMZs. Don't believe the Cisco performance numbers. Since you only have two IPS sensors I wouldn't recommend CSM. Use the CLI, built-in GUI or the free up-to-5-sensor management application.
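
The inline redirection to the module that the reply describes, as an added ASA configuration example that is not from the thread; the access-list and class-map names are assumed, `global_policy` is the ASA default policy map, and the fail-open/fail-close keyword is what decides whether a failed module blocks traffic:

```text
! Added example (not from this thread): send all through-traffic to the
! AIP-SSM for inline inspection. IPS_TRAFFIC and IPS_CLASS are assumed names.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! "inline"      : module sits in the forwarding path and can drop packets
!                 ("promiscuous" would only receive a copy, i.e. IDS mode).
! "fail-open"   : if the module fails or is reloading, matching traffic keeps
!                 flowing uninspected.
! "fail-close"  : matching traffic is dropped while the module is down, which
!                 turns the module into a single point of failure for that
!                 traffic on the active unit.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
```

The ASA policy above is replicated to the standby unit by failover, but each AIP-SSM keeps its own sensor and signature configuration, which is why the reply notes that the two modules operate independently.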

Community Member

Re: Recommendations for IPS in Medium-Sized LAN?

Yes, we want to do in-line IPS. Thanks for the fast response!
