• October 6, 2024

Inline Mode Essentials – Cisco IPS-Only Deployment in Inline Mode

Inline Mode Essentials

A threat defense supports a wide variety of block actions, such as simple blocking, blocking with reset, interactive blocking, and interactive blocking with reset. However, a block action cannot drop any suspicious packet if the interfaces are misconfigured or set up with an improper mode.

Figure 6-1 shows a list of the actions that you can apply to an access control rule. Note the different types of block actions a threat defense supports.

  

Figure 6-1 Available Actions for an Access Control Rule

A threat defense enables you to choose any interface mode, regardless of the underlying deployment mode—routed or transparent. However, ultimately, the capability of an interface mode defines whether a threat defense is able to block any suspicious traffic it sees.

Table 6-2 lists various threat defense modes and describes their capabilities to block traffic. The deployment mode in this table defines how a threat defense functions as a firewall. The interface mode defines how a threat defense acts on the traffic in case of any suspicious activities.

  

Table 6-2 Capability to Block Traffic in Various Modes

Deployment Mode

Interface Mode

Able to Block Traffic?

Routed

 Yes

Transparent

 Yes

 Inline

Yes

 Inline-tap

No

 Passive

No

 Passive (ERSPAN)

No

Inline Mode Versus Passive Mode

An intrusion detection and prevention system can detect suspicious activities and prevent network attacks. You can deploy a threat defense either as an intrusion detection system (IDS) or as an intrusion prevention system (IPS). To prevent any potential intrusion attempt in real time, you must deploy a threat defense in inline mode. In inline mode, the ingress and egress interfaces are bundled into an interface pair. Each pair must be associated with an inline set, which is a logical group of one or more interface pairs.

Figure 6-2 illustrates how two interfaces (GigabitEthernet0/0 with GigabitEthernet0/1 and GigabitEthernet0/2 with GigabitEthernet0/3) can build the inline pairs. Note that both of the inline pairs are included in Inline Set 1 in this illustration.

  

Figure 6-2 Understanding an Inline Interface, Interface Pair, and Inline Set

A threat defense in passive mode, in contrast, detects intrusion attempts but is unable to block them. A switch or tap mirrors all the packets it receives and sends a copy of each packet to the threat defense using port mirroring. Because the original traffic does not go through a threat defense, the threat defense is unable to take any action on a packet. In other words, a threat defense in passive mode cannot stop an intrusion attempt; it can only detect an attempt based on the traffic it sees.

Figure 6-3 provides an example of a typical threat defense deployment. The topology shows two threat defense devices deployed in two different modes—inline (IPS) and passive (IDS).

  

Figure 6-3 Architectural Difference Between Inline and Passive Deployment Modes

Leave a Reply

Your email address will not be published. Required fields are marked *