1-13
Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Chapter 1 Introducing the Sensor
How the Sensor Functions
–
For Gigabit copper interfaces (1000-TX on the IPS 4240, IPS 4255, IPS 4260, IPS 4270-20,,
IPS 4345, IPS 4360, IPS 4510, and IPS 4520), valid speed settings are 10 Mbps, 100 Mbps,
1000 Mbps, and auto. Valid duplex settings are full, half, and auto.
–
For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid
duplex setting is auto.
–
The command and control interface cannot also serve as a sensing interface.
• Inline Interface Pairs
–
Inline interface pairs can contain any combination of sensing interfaces regardless of the
physical interface type (copper versus fiber), speed, or duplex settings of the interface.
However, pairing interfaces of different media type, speeds, and duplex settings may not be
fully tested or supported.
–
The command and control interface cannot be a member of an inline interface pair.
–
You cannot pair a physical interface with itself in an inline interface pair.
–
A physical interface can be a member of only one inline interface pair.
–
You can only configure bypass mode and create inline interface pairs on sensor platforms that
support inline mode.
–
A physical interface cannot be a member of an inline interface pair unless the subinterface mode
of the physical interface is none.
• You can configure the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and
ASA 5585-X IPS SSP) to operate inline even though they have only one sensing interface.
• Inline VLAN Pairs
–
You cannot pair a VLAN with itself.
–
You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.
–
For a given sensing interface, a VLAN can be a member of only one inline VLAN pair.
However, a given VLAN can be a member of an inline VLAN pair on more than one sensing
interface.
–
The order in which you specify the VLANs in an inline VLAN pair is not significant.
–
A sensing interface in Inline VLAN Pair mode can have from 1 to 255 inline VLAN pairs.
–
The ASA IPS modules (ASA 5500 AIP SSM ,ASA 5500-X IPS SSP, and
ASA 5585-X IPS SSP) do not support inline VLAN pairs.
–
For the IPS 4510 and IPS 4520, the maximum number of inline VLAN pairs you can create
system wide is 150. On all other platforms, the limit is 255 per interface.
• Alternate TCP Reset Interface
–
You can only assign the alternate TCP reset interface to a sensing interface. You cannot
configure the command and control interface as an alternate TCP reset interface. The alternate
TCP reset interface option is set to none as the default and is protected for all interfaces except
the sensing interfaces.
–
You can assign the same physical interface as an alternate TCP reset interface for multiple
sensing interfaces.
–
A physical interface can serve as both a sensing interface and an alternate TCP reset interface.
–
The command and control interface cannot serve as the alternate TCP reset interface for a
sensing interface.
–
A sensing interface cannot serve as its own alternate TCP reset interface.
Comments to this Manuals