Cisco Systems IPS4520K9 Network Router User Manual


 
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1
OL-24002-01
Chapter 1 Introducing the Sensor
How the Sensor Functions
Designating the Alternate TCP Reset Interface
Note: There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.
You need to designate an alternate TCP reset interface in the following situations:
- When a switch is being monitored with either SPAN or VACL capture and the switch does not accept incoming packets on the SPAN or VACL capture port.
- When a switch is being monitored with either SPAN or VACL capture for multiple VLANs, and the switch does not accept incoming packets with 802.1q headers. The TCP resets need 802.1q headers to tell which VLAN the resets should be sent on.
- When a network tap is used for monitoring a connection. Taps do not permit incoming traffic from the sensor.
Caution: You can only assign a sensing interface as an alternate TCP reset interface. You cannot configure the management interface as an alternate TCP reset interface.
Interface Restrictions
The following restrictions apply to configuring interfaces on the sensor:
Physical Interfaces
- In IPS 7.1, rx/tx flow control is disabled on the IPS 4200 series sensors. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
- On the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) all backplane interfaces have fixed speed, duplex, and state settings. These settings are protected in the default configuration on all backplane interfaces.
- For nonbackplane FastEthernet interfaces the valid speed settings are 10 Mbps, 100 Mbps, and auto. Valid duplex settings are full, half, and auto.
Table 1-3 Alternate TCP Reset Interfaces (continued)

Sensor        Alternate TCP Reset Interface
IPS 4240      Any sensing interface
IPS 4255      Any sensing interface
IPS 4260      Any sensing interface
IPS 4270-20   Any sensing interface
IPS 4345      Any sensing interface
IPS 4360      Any sensing interface
IPS 4510      Any sensing interface
IPS 4520      Any sensing interface