Support User Manuals

Cisco Systems IPS4520K9 Network Router User Manual

Open as PDF

of 460

1-14

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Chapter 1 Introducing the Sensor

How the Sensor Functions

–

The command and control interface cannot serve as the alternate TCP reset interface for a

sensing interface.

–

A sensing interface cannot serve as its own alternate TCP reset interface.

–

You can only configure interfaces that are capable of TCP resets as alternate TCP reset

interfaces.

Note

There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM,

ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), so you cannot designate an

alternate TCP reset interface.

•

VLAN Groups

–

You can configure any single interface for promiscuous, inline interface pair, or inline VLAN

pair mode, but no combination of these modes is allowed.

–

You cannot add a VLAN to more than one group on each interface.

–

You cannot add a VLAN group to multiple virtual sensors.

–

An interface can have no more than 255 user-defined VLAN groups.

–

When you pair a physical interface, you cannot subdivide it; you can subdivide the pair.

–

You can use a VLAN on multiple interfaces; however, you receive a warning for this

configuration.

–

You can assign a virtual sensor to any combination of one or more physical interfaces and inline

VLAN pairs, subdivided or not.

–

You can subdivide both physical and logical interfaces into VLAN groups.

–

The CLI, IDM, and IME prompt you to remove any dangling references. You can leave the

dangling references and continue editing the configuration.

–

The CLI, IDM, and IME do not allow configuration changes in Analysis Engine that conflict

with the interface configuration.

–

The CLI allows configuration changes in the interface configuration that cause conflicts in the

Analysis Engine configuration. The IDM and IME do not allow changes in the interface

configuration that cause conflicts in the Analysis Engine configuration.

Note

The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and

ASA 5585-X IPS SSP) do not support VLAN groups mode.

Interface Modes

The following section describes the interface modes, and contains the following topics:

•

Promiscuous Mode, page 1-15

•

IPv6, Switches, and Lack of VACL Capture, page 1-15

•

Inline Interface Pair Mode, page 1-16

•

Inline VLAN Pair Mode, page 1-17

previous next