PrepAway - Latest Free Exam Questions & Answers

Which of the following statements is not true regarding…

Which of the following statements is not true regarding an IPS device? (Select the best answer.)

A. An IPS requires that at least one interface be in promiscuous mode.

B. Single-packet attacks can be mitigated by an IPS.

C. Traffic leaves an IPS on a different interface than it entered.

D. An IPS cannot route to destinations on different subnets.

Explanation:
An Intrusion Prevention System (IPS) does not require that at least one interface be in promiscuous mode. An IPS sits inline with the flow of traffic, thus actively monitoring network traffic and blocking malicious traffic, such as an atomic or single-packet attack, before it spreads onto the network. An IPS requires at least two interfaces for each monitored network: one interface listens to traffic entering the IPS, and the other listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it can pass traffic through to destinations on the same subnet; an IPS cannot route to destinations on a different subnet. Because all monitored traffic must pass through the IPS, it can add latency to traffic flows on the network.

By contrast, an Intrusion Detection System (IDS) typically has one promiscuous network interface attached to each monitored network, with no IP address assigned to the monitoring interface. An IDS is a network monitoring device that does not sit inline with the flow of network traffic; an IDS passively monitors a copy of network traffic, not the actual packet. Since an IDS analyzes a copy of network traffic, an IDS can support asymmetric traffic flows in which the original traffic may use a different return path than it used to arrive at its original destination. Because monitored traffic does not pass through an IDS, it does not add latency to the traffic flow.

CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities
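The inline versus passive difference described in the explanation can be shown with a small model. This is an added example, not from the cert guide or Cisco; the `Packet` fields, class names, the LAND-style signature (source equals destination) and the sample traffic are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def is_atomic_attack(pkt):
    """Assumed single-packet signature: LAND-style packet (source == destination)."""
    return pkt.src == pkt.dst and pkt.sport == pkt.dport

@dataclass
class InlineIPS:
    """Two interfaces: a packet enters on one and leaves on the other, or is dropped."""
    dropped: list = field(default_factory=list)

    def forward(self, pkt):
        if is_atomic_attack(pkt):
            self.dropped.append(pkt)
            return None              # never reaches the egress interface
        return pkt

@dataclass
class PassiveIDS:
    """One promiscuous interface that receives only a copy of the traffic."""
    alerts: list = field(default_factory=list)

    def inspect_copy(self, pkt):
        if is_atomic_attack(pkt):
            self.alerts.append(pkt)  # report only; the original is already on its way

def run(traffic):
    """Return (delivered behind IPS, delivered beside IDS, IPS drops, IDS alerts)."""
    ips, ids = InlineIPS(), PassiveIDS()
    via_ips, with_ids = [], []
    for pkt in traffic:
        out = ips.forward(pkt)
        if out is not None:
            via_ips.append(out)
        with_ids.append(pkt)         # the network forwards the original regardless
        ids.inspect_copy(pkt)
    return via_ips, with_ids, ips.dropped, ids.alerts

# Constructed sample traffic using documentation addresses (192.0.2.0/24)
TRAFFIC = [
    Packet("192.0.2.10", "192.0.2.20", 51000, 443),
    Packet("192.0.2.20", "192.0.2.20", 80, 80),   # matches the assumed signature
    Packet("192.0.2.11", "192.0.2.20", 51001, 22),
]
```

With this traffic the inline model delivers two packets and drops the matching one, while the passive model raises one alert for a packet that has already reached its destination.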

