Cisco Web Security Appliance S170 User Guide
Chapter 3: Deployment, page 41
Deploying the L4 Traffic Monitor
L4 Traffic Monitor (L4TM) deployment is independent of the Web Proxy deployment. When
connecting and deploying the L4 Traffic Monitor, consider the following:
• Physical connection. You can choose how to connect the L4 Traffic Monitor to the
network. For more information, see “Connecting the L4 Traffic Monitor” on page 41.
• Network address translation (NAT). When configuring the L4 Traffic Monitor, connect it
at a point in your network where it can see as much network traffic as possible before
getting out of your egress firewall and onto the Internet. It is important that the L4 Traffic
Monitor be ‘logically’ connected after the proxy ports and before any device that performs
network address translation (NAT) on client IP addresses.
• L4 Traffic Monitor action setting. The default setting for the L4 Traffic Monitor is monitor
only. After setup, if you configure the L4 Traffic Monitor to monitor and block suspicious
traffic, ensure that the L4 Traffic Monitor and the Web Proxy are configured on the same
network so that all clients are accessible on routes that are configured for data traffic.
Connecting the L4 Traffic Monitor
You can connect the L4 Traffic Monitor to the network in any of the following ways:
• Network tap. When you use a network tap, you can choose the following communication
types:
• Simplex. This communication type uses one cable for all traffic between clients and
the appliance, and one cable for all traffic between the appliance and external
connections. Connect port T1 to the network tap so it receives all outgoing traffic
(from the clients to the Internet), and connect port T2 to the network tap so it receives
all incoming traffic (from the Internet to the clients).
• Duplex. This mode uses one cable for all incoming and outgoing traffic. You can use
half- or full-duplex Ethernet connections. Connect port T1 to the network tap so it
receives all incoming and outgoing traffic.
Note — IronPort recommends using simplex when possible because it can increase
performance and security.
• Span/mirror port of an L2 switch. Connecting is similar to a simplex or duplex tap,
depending on whether the connection uses two separate devices or one device.
• Hub. Choose duplex when you connect the L4 Traffic Monitor to a hub.
Regardless of how the appliance is connected to the network, you must configure the wiring
type. For more information, see “Configuring an L4 Traffic Monitor Wiring Type” on page 42.
For more information about the T1 and T2 ports, see “Appliance Interfaces” on page 30.
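The two deployment points above, placing the L4 Traffic Monitor before any NAT device and wiring a simplex tap so that T1 sees only outbound and T2 only inbound traffic, can both be sanity-checked from a small sample of observed flows. The script below is an added example written for this page, not Cisco's or IronPort's own code; the client network, the NAT address and the flow records are constructed, and the (port, source, destination, destination port) record shape is an assumption for illustration.

```python
import ipaddress

# Constructed assumptions for this example: the client address space behind the
# appliance and the address the egress firewall translates clients to.
CLIENT_NETS = [ipaddress.ip_network("10.1.0.0/16")]
NAT_ADDRESS = ipaddress.ip_address("203.0.113.10")

# Constructed flow records: (tap port, source IP, destination IP, destination port).
# This is a hypothetical shape for what the L4TM observes on T1/T2 in simplex wiring.
GOOD_SIMPLEX = [
    ("T1", "10.1.4.20", "198.51.100.7", 443),
    ("T1", "10.1.9.3", "198.51.100.9", 80),
    ("T1", "10.1.4.20", "198.51.100.12", 6667),
    ("T2", "198.51.100.7", "10.1.4.20", 443),
    ("T2", "198.51.100.9", "10.1.9.3", 80),
]

# Same traffic seen from a tap placed after the NAT device: every outbound flow
# carries the firewall's address, so individual clients can no longer be told apart.
POST_NAT = [
    ("T1", "203.0.113.10", "198.51.100.7", 443),
    ("T1", "203.0.113.10", "198.51.100.9", 80),
    ("T2", "198.51.100.7", "203.0.113.10", 443),
]

# Simplex tap connected the wrong way round: return traffic is arriving on T1.
MISWIRED = [
    ("T1", "198.51.100.7", "10.1.4.20", 443),
    ("T2", "10.1.4.20", "198.51.100.7", 443),
]


def is_client(ip):
    """True if ip falls inside one of the configured client networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLIENT_NETS)


def check_nat_placement(flows, nat_address=NAT_ADDRESS):
    """Return (ok, distinct_outbound_sources) for the flows seen on T1.

    The monitor must sit before NAT so it sees per-client source addresses.
    If the NAT address itself appears as a source, or a source lies outside the
    client networks, the tap is logically after the NAT device (or miswired).
    """
    sources = {ipaddress.ip_address(src) for port, src, _, _ in flows if port == "T1"}
    if not sources or nat_address in sources:
        return False, len(sources)
    return all(is_client(str(s)) for s in sources), len(sources)


def check_simplex_direction(flows):
    """List wiring problems for a simplex tap: T1 must carry only client->Internet
    traffic and T2 only Internet->client traffic."""
    problems = []
    for port, src, dst, dport in flows:
        if port == "T1" and not (is_client(src) and not is_client(dst)):
            problems.append(f"T1 saw non-outbound flow {src} -> {dst}:{dport}")
        elif port == "T2" and not (is_client(dst) and not is_client(src)):
            problems.append(f"T2 saw non-inbound flow {src} -> {dst}:{dport}")
    return problems


if __name__ == "__main__":
    for name, flows in (("good", GOOD_SIMPLEX), ("post-NAT", POST_NAT), ("miswired", MISWIRED)):
        ok, n = check_nat_placement(flows)
        print(f"{name}: pre-NAT placement={ok}, distinct client sources={n}, "
              f"wiring problems={check_simplex_direction(flows)}")
```

The post-NAT sample fails both checks even though the wiring is physically fine, which is the practical consequence of the NAT guidance: a monitor that only ever sees the firewall's address can flag suspicious connections but cannot attribute them to a client, and in block mode it would have no client route to act on.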
Note — Use a network tap instead of the span/mirror port of a switch when possible. Network
taps use hardware to move packets to the L4 Traffic Monitor and span and mirror ports of a