Explanation/Reference:
Section: Considerations for Expanding an Existing Network Explanation
Explanation:
When Cisco Intrusion Prevention System (IPS) is configured in inline mode, IPS can directly block all communication from an attacking host. In addition, an IPS in inline mode does not require that Remote Switched Port Analyzer (RSPAN) be enabled on switch ports.
Inline mode enables IPS to examine traffic as it flows through the IPS device. Therefore, any traffic that should be analyzed by IPS must be to a destination that is separated from the source by the IPS device.
By contrast, promiscuous mode enables IPS to examine traffic on ports from multiple network segments without being directly connected to those segments. Promiscuous mode, which is also referred to as monitor-only operation, enables an IPS to passively examine network traffic without impacting the original flow of traffic. This passive connection enables the IPS to have the most visibility into the networks on the switch to which it is connected. However, promiscuous mode operation increases latency and increases the risk of successful attacks.
IPS can use all of the following actions to mitigate a network attack in inline mode:
Deny attacker inline: directly blocks all communication from the attacking host
Deny attacker service pair inline: directly blocks communication between the attacker and a specific port
Deny attacker victim pair inline: directly blocks communication that occurs on any port between the attacker and a specific host
Deny connection inline: directly blocks communication for a specific Transmission Control Protocol (TCP) session
Deny packet inline: directly blocks the transmission of a specific type of packet from an attacking host
Modify packet inline: allows IPS to change or remove the malicious contents of a packet

IPS in promiscuous mode, not inline mode, requires RSPAN. RSPAN enables the monitoring of traffic on a network by capturing and sending traffic from a source port on one device to a destination port on a different device on a non-routed network. Because copies of traffic from the RSPAN port are forwarded to a monitor-only IPS for analysis instead of flowing through IPS directly, the amount of time IPS takes to determine whether a network attack is in progress can be greater in promiscuous mode than when IPS is operating in inline mode. The increased response latency means that an attack has a greater chance at success prior to detection.
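The RSPAN arrangement described above, shown as an added Cisco IOS configuration example (not taken from the Cert Guide or from Cisco's documentation); the VLAN ID, interface names and switch roles are assumed, and the trunk between the two switches must carry the RSPAN VLAN:

```text
! Switch A (source switch): mirror the monitored port into the RSPAN VLAN
vlan 900
 name RSPAN-IPS
 remote-span
!
! Both directions of Gi1/0/1 are copied into VLAN 900 (constructed example port)
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination remote vlan 900
!
! Switch B (destination switch): pull the RSPAN VLAN out to the promiscuous IPS sensor
vlan 900
 name RSPAN-IPS
 remote-span
!
! Gi1/0/24 is the port cabled to the IPS monitoring interface (constructed example port)
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet1/0/24
```

Because the sensor only receives copies, this deployment gives visibility but none of the "deny ... inline" actions; only the Request block host, Request block connection and Reset TCP connection responses described below apply.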
IPS in promiscuous mode, not inline mode, can reset TCP connections. Promiscuous mode supports three actions to mitigate attacks: Request block host, Request block connection, and Reset TCP connection.
The Request block host action causes IPS to send a request to the Attack Response Controller (ARC) to block all communication from the attacking host for a given period of time. The Request block connection action causes IPS to send a request to the ARC to block the specific connection from the attacking host for a given period of time. The Reset TCP connection action clears TCP resources so that normal TCP network activity can be established. However, resetting TCP connections is effective only for TCP-based attacks and against only some types of those attacks.
Reference:
CCDA 200-310 Official Cert Guide, Chapter 13, IPS/IDS Fundamentals, pp. 534-535
Cisco: Cisco IPS Mitigation Capabilities: Inline Mode Event Actions