Inline Mode Essentials – Cisco IPS-Only Deployment in Inline Mode
Inline Mode Essentials
A threat defense supports a wide variety of block actions, such as simple blocking, blocking with reset, interactive blocking, and interactive blocking with reset. However, a block action cannot drop a suspicious packet if the interfaces are misconfigured or set up in a mode that is incapable of dropping traffic.
Figure 6-1 shows a list of the actions that you can apply to an access control rule. Note the different types of block actions a threat defense supports.
Figure 6-1 Available Actions for an Access Control Rule
A threat defense enables you to choose any interface mode, regardless of the underlying deployment mode—routed or transparent. However, ultimately, the capability of an interface mode defines whether a threat defense is able to block any suspicious traffic it sees.
Table 6-2 lists the various threat defense modes and describes their capability to block traffic. The deployment mode in this table defines how a threat defense functions as a firewall. The interface mode defines how a threat defense can act on traffic when it detects suspicious activity.
Table 6-2 Capability to Block Traffic in Various Modes
| Deployment Mode | Interface Mode | Able to Block Traffic? |
|---|---|---|
| Routed | | Yes |
| Transparent | | Yes |
| | Inline | Yes |
| | Inline-tap | No |
| | Passive | No |
| | Passive (ERSPAN) | No |
Inline Mode Versus Passive Mode
An intrusion detection and prevention system can detect suspicious activities and prevent network attacks. You can deploy a threat defense either as an intrusion detection system (IDS) or as an intrusion prevention system (IPS). To prevent any potential intrusion attempt in real time, you must deploy a threat defense in inline mode. In inline mode, the ingress and egress interfaces are bundled into an interface pair. Each pair must be associated with an inline set, which is a logical group of one or more interface pairs.
Figure 6-2 illustrates how two interfaces (GigabitEthernet0/0 with GigabitEthernet0/1 and GigabitEthernet0/2 with GigabitEthernet0/3) can build the inline pairs. Note that both of the inline pairs are included in Inline Set 1 in this illustration.
Figure 6-2 Understanding an Inline Interface, Interface Pair, and Inline Set
A threat defense in passive mode, in contrast, detects intrusion attempts but is unable to block them. A switch or tap mirrors the packets it receives and sends a copy of each packet to the threat defense over a port-mirroring (SPAN) session. Because the original traffic does not pass through the threat defense, the threat defense cannot take any action on a packet. In other words, a threat defense in passive mode cannot stop an intrusion attempt; it can only detect an attempt based on the copied traffic it sees.
Figure 6-3 provides an example of a typical threat defense deployment. The topology shows two threat defense devices deployed in two different modes—inline (IPS) and passive (IDS).
Figure 6-3 Architectural Difference Between Inline and Passive Deployment Modes