Cisco Firepower Management Center 4000 Installation Guide

Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide
 
Chapter 2: Understanding Deployment
Understanding Redundancy and Load Balancing
The X-Series platform allows you to take advantage of its load balancing and redundancy benefits when 
you deploy Cisco NGIPS for Blue Coat X-Series in a multi-member VAP group, with each VAP running 
its own instance of Cisco NGIPS for Blue Coat X-Series. 
Configuring Redundancy
If you want to take advantage of redundancy, deploy identically configured installations of Cisco NGIPS 
for Blue Coat X-Series in a multi-member VAP group. Use the Defense Center web interface to 
configure each Cisco NGIPS for Blue Coat X-Series identically. For example, to create a three-member 
VAP group, you create three VAPs, and configure each Cisco NGIPS for Blue Coat X-Series identically.
You cannot configure redundancy if the VAPs in your VAP group perform different functions (for 
example, one VAP monitors traffic on your internal network, and two VAPs monitor traffic on your 
DMZ). Instead, create multiple VAP groups, each with a specific function, to create redundancy on each 
VAP group.
Configuring Load Balancing
If you want to use two load-balanced Cisco NGIPS for Blue Coat X-Series installations to monitor IPv4 
traffic, you create two identical VAPs, configure them to monitor the same Cisco NGIPS for Blue Coat 
X-Series sensing interfaces, and apply the same access control policy to each VAP. For more 
information, see the XOS Configuration Guide.
For all multi-member VAP groups, make sure that you add a flow rule with the load-balance action when you create the VAP group, as described in
Additionally, and especially for inline deployments, Cisco and Blue Coat recommend that you reserve 
one VAP in the group for failover.
When running on XOS V9.7.x (any operating mode) or on XOS V10.0 configured for Series-6 operating 
mode, you cannot load-balance IPv6 traffic across VAPs in a VAP group. IPv6 traffic can be 
load-balanced across multiple cores on a master VAP, reducing resource utilization and increasing 
throughput. For more information, see the XOS Configuration Guide.
When XOS V10.0 or later is configured for Series-9 operating mode and IPv6 is enabled for the VAP 
group, XOS supports load-balancing of IPv6 traffic across VAPs in a VAP group. For more information, 
see the XOS V10.0 Release Notes.
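A pre-deployment check for the redundancy and load-balancing requirements above, added here as an example and not taken from the Cisco or Blue Coat documentation. The `Vap` and `VapGroup` records, the interface names and the policy names are hypothetical, constructed for illustration; the check reports members that are not configured identically, a missing load-balance flow rule, and IPv6 load balancing requested where XOS does not support it across VAPs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vap:                      # hypothetical inventory record, not an XOS object
    name: str
    sensing_interfaces: frozenset
    access_control_policy: str

@dataclass
class VapGroup:                 # hypothetical inventory record
    name: str
    members: list
    flow_rule_actions: set      # actions of the flow rules defined for the group
    xos_version: tuple          # (major, minor), e.g. (9, 7)
    operating_mode: str         # "Series-6" or "Series-9"
    ipv6_enabled: bool = False
    wants_ipv6_across_vaps: bool = False

def ipv6_across_vaps_supported(g):
    # Only the combination the guide names as supported returns True;
    # anything it does not mention is treated as unsupported (assumption).
    return (g.xos_version >= (10, 0) and g.operating_mode == "Series-9"
            and g.ipv6_enabled)

def check_group(g):
    findings = []
    if len(g.members) > 1:
        if "load-balance" not in g.flow_rule_actions:
            findings.append("no flow rule with the load-balance action")
        ref = g.members[0]      # every other member must match the first one
        for m in g.members[1:]:
            if m.sensing_interfaces != ref.sensing_interfaces:
                findings.append(f"{m.name}: sensing interfaces differ from {ref.name}")
            if m.access_control_policy != ref.access_control_policy:
                findings.append(f"{m.name}: access control policy differs from {ref.name}")
    if g.wants_ipv6_across_vaps and not ipv6_across_vaps_supported(g):
        findings.append("IPv6 cannot be load-balanced across VAPs on this XOS version/mode")
    return findings

# Constructed sample inventory (names and values are illustrative only).
IFACES = frozenset({"s1p1", "s1p2"})
GOOD = VapGroup("dmz", [Vap("dmz_1", IFACES, "dmz-policy"),
                        Vap("dmz_2", IFACES, "dmz-policy")],
                {"load-balance"}, (10, 0), "Series-9", True, True)
DRIFT = VapGroup("internal", [Vap("int_1", IFACES, "int-policy"),
                              Vap("int_2", frozenset({"s1p1"}), "int-policy-old")],
                 set(), (9, 7), "Series-6", False, True)

if __name__ == "__main__":
    for group in (GOOD, DRIFT):
        print(group.name, check_group(group) or "ok")
```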
Understanding Access Control Policies
An access control policy determines how the FireSIGHT System handles traffic on your network. When 
you apply an access control policy, you configure Cisco NGIPS for Blue Coat X-Series to handle traffic 
on your network according to the rules specified in the applied access control policy. 
A simple access control policy can filter traffic based on a variety of criteria, then use the policy’s default 
action to handle traffic in a variety of ways, such as:
  • block all traffic from entering your network
  • trust all traffic to enter your network without further inspection
  • allow all traffic to enter your network, and inspect all traffic according to additional policies
Note that you cannot block traffic based on user or application conditions with the Cisco NGIPS for Blue 
Coat X-Series.