Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPS confusion, how the direct the traffic from 6509

Hi all, please see the pdf document I've attached. I'll start to explain some scenario I'm facing currently.

i. SegmentA,B,C and D have their server directly connected to the 6509 modules. The port is configured as switchport.

ii. There's member connecting to Distribution router via LL need to access the 4 mentioned segments.

iii. Now came a new requirement of securing the 4 segment, whereby there's a third party vendor proposed to introduce an IPS for the core switch. IPS will be configured in bridged mode and support trunking as well.

iv. In order to make it work, the vendor told me traffic that destined to the 4 segment need to pass through his IPS and out then only go to the destination.

Is that a normal practice of how people implementing IPS? At the first place I'm thinking of adding a new switch and connect all the 4 segment to the new switch. Create a trunk from the switch to the 6509. The IPS can sit between the switch and 6509 then problem solved, but may be it is not as easy as I've imagined.

Guys, any ideas?

4 REPLIES

Re: IPS confusion, how the direct the traffic from 6509

Hi,

First of all I will ask, whether you have a firewall in this scenario to filter the traffic coming out from the routers. If you dont have the firewall here, it will put a hell lot of CPU overhead on your IPS to do the prevention.

Generally you will connect the IPS on the same vlan as your routers are connected and sniff the ports on which the routers are connected. If you have firewall (which is most of the case ) people connect a switch to 6509 and put your Firewall and routers on the switch and put the IPS on 6509 and sniff the Firewall's inside port connected on the 6509. This will filter the unnecceary traffic at the firewall and will sniff only the intersting traffic allowed by the firewall.

HTH, if it does please rate the post.

-amit singh

New Member

Re: IPS confusion, how the direct the traffic from 6509

nope, we don't have a firewall for the scenario, I don't know whether the IPS can handle the CPU overhead but that's the other vendor's issue anyhow.

What I'm concern is, segmentA,B,C and D all fall in different vlan. When the packet entering 6509, it already know where's the exit point is (the switchport that connect to those segment's server), how we can direct the traffic to go through the IPS before going to the right exit point?

Forget about the switch, customer want to maintain the connection between the distribution router to 6509 (the port connecting from 6509 to the distribution router is configured as a router port, not switchport). And their budget is only allowed for the IPS, no other equipment else. Since the port connecting to distribution router is not switchport, where should they put the IPS in?

New Member

Re: IPS confusion, how the direct the traffic from 6509

anyone can lend a helping hand here?

Bronze

Re: IPS confusion, how the direct the traffic from 6509

Since you need to direct the packets out to another device, you might have to point a default route out to that device and then perform another default route back into your network from the IPS.

Might work for now.. but Im sure there is a more elegant solution to this.

104
Views
0
Helpful
4
Replies