Explanation/Reference:
Section: Considerations for Expanding an Existing Network
Explanation:
You cannot deploy an Intrusion Prevention System (IPS) appliance between two Layer 3 devices on different IP subnets. An IPS appliance is a standalone, dedicated device that actively monitors network traffic. An IPS appliance functions similarly to a Layer 2 bridge; a packet entering an interface on the IPS is directed to the appropriate outbound interface without regard to the packet's Layer 3 information. Instead, the IPS uses interface or virtual LAN (VLAN) pairs to determine where to send the packet. This enables an IPS to be inserted into an existing network topology without requiring any disruptive addressing changes.
For example, an IPS could be inserted on the outside of a firewall to examine all traffic that enters or exits an organization, as shown in the following diagram:

Because the IPS in this example is configured to operate in inline mode, it functions similarly to a Layer 2 bridge in that it passes traffic through to destinations on the same subnet. Because all monitored traffic passes through the IPS, it can block malicious traffic, such as an atomic or single-packet attack, before it passes onto the network. However, an inline IPS also adds latency to traffic flows on the network because it must analyze each packet before passing it to its destination.
An IPS can be deployed between two Layer 2 devices on the same VLAN or between two Layer 2 devices on different VLANs if the VLANs are on the same IP subnet. In addition, the interface on each Layer 2 device can be configured as an access port or as a trunk port. A trunk port tags each frame with VLAN information before it transmits the frame; tagging a frame preserves its VLAN membership as the frame passes across the trunk link.
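The placement rule and the VLAN-pair forwarding described above, modeled in Python as an added example (not taken from the cert guide or from any vendor's software). The class and function names, VLAN IDs, documentation-range addresses and signature bytes are constructed assumptions, and dropping frames from an unpaired VLAN is this model's choice.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Side:
    """One neighbour of the inline IPS (constructed model, not vendor config)."""
    name: str
    vlan: int
    ip_interface: str  # address/prefix in use on that side, e.g. "192.0.2.1/24"

    @property
    def subnet(self):
        return ipaddress.ip_interface(self.ip_interface).network


def can_place_inline(a: Side, b: Side) -> bool:
    """Inline placement is valid only when both sides share one IP subnet.

    The VLAN IDs may be equal or different; the IPS bridges, it does not route.
    """
    return a.subnet == b.subnet


class InlineVlanPair:
    """Bridges frames between two paired VLANs like a Layer 2 bridge."""

    def __init__(self, vlan_a, vlan_b, blocked_signatures=()):
        # Egress is chosen from the pair alone, never from the IP header.
        self.pair = {vlan_a: vlan_b, vlan_b: vlan_a}
        self.blocked = tuple(blocked_signatures)  # constructed byte patterns

    def forward(self, frame):
        """Return the frame retagged for the paired VLAN, or None if dropped."""
        out_vlan = self.pair.get(frame["vlan"])
        if out_vlan is None:
            return None  # VLAN is not part of this pair (model assumption)
        if any(sig in frame["payload"] for sig in self.blocked):
            return None  # inline mode: dropped before it reaches the destination
        # Layer 3 fields are carried through untouched; only the VLAN tag changes.
        return {**frame, "vlan": out_vlan}
```
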
Reference:
CCDA 200-310 Official Cert Guide, Chapter 13, IPS/IDS Fundamentals, pp. 534-535