Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Chapter 1 Introducing the Sensor
How the Sensor Functions
– You can only configure interfaces that are capable of TCP resets as alternate TCP reset interfaces.
– There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.
• VLAN Groups
– You can configure any single interface for promiscuous, inline interface pair, or inline VLAN pair mode, but no combination of these modes is allowed.
– You cannot add a VLAN to more than one group on each interface.
– You cannot add a VLAN group to multiple virtual sensors.
– An interface can have no more than 255 user-defined VLAN groups.
– When you pair a physical interface, you cannot subdivide it; you can subdivide the pair.
– You can use a VLAN on multiple interfaces; however, you receive a warning for this configuration.
– You can assign a virtual sensor to any combination of one or more physical interfaces and inline VLAN pairs, subdivided or not.
– You can subdivide both physical and logical interfaces into VLAN groups.
– The CLI, IDM, and IME prompt you to remove any dangling references. You can leave the dangling references and continue editing the configuration.
– The CLI, IDM, and IME do not allow configuration changes in Analysis Engine that conflict with the interface configuration.
– The CLI allows configuration changes in the interface configuration that cause conflicts in the Analysis Engine configuration. The IDM and IME do not allow changes in the interface configuration that cause conflicts in the Analysis Engine configuration.
– The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support VLAN groups mode.
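The VLAN group rules above are easy to violate when a layout is planned on paper before it is typed into the CLI, and the guide notes that the CLI itself will accept interface changes that conflict with the Analysis Engine configuration. The following linter is an added example, not Cisco code and not the sensor's configuration schema: it takes a simplified dictionary describing interfaces, inline interface pairs, VLAN groups and virtual-sensor assignments (a hypothetical layout chosen here for illustration) and reports the constraints listed above as errors, and the "VLAN on multiple interfaces" and dangling-reference cases as warnings, matching how the guide treats them. The sample layout at the bottom is constructed and deliberately breaks several rules.

```python
from collections import defaultdict

MAX_VLAN_GROUPS = 255  # per-interface limit stated in the guide
VALID_MODES = {"promiscuous", "inline-interface-pair", "inline-vlan-pair"}
ASA_IPS_MODULES = {"ASA 5500 AIP SSM", "ASA 5500-X IPS SSP", "ASA 5585-X IPS SSP"}


def lint(cfg):
    """Check a planned layout; returns (errors, warnings) as lists of strings.

    cfg is a hypothetical dict layout used for this example, not the sensor schema:
      platform:        model name string
      interfaces:      name -> {"modes": [...], "vlan_groups": {group_id: set(vlans)}}
      pairs:           name -> {"members": [if1, if2], "vlan_groups": {...}}
      virtual_sensors: name -> list of (interface_or_pair, group_id_or_None)
    """
    errors, warnings = [], []
    ifaces = cfg.get("interfaces", {})
    pairs = cfg.get("pairs", {})
    vsensors = cfg.get("virtual_sensors", {})
    on_asa_module = cfg.get("platform") in ASA_IPS_MODULES
    paired = {m for p in pairs.values() for m in p["members"]}

    for name, spec in ifaces.items():
        modes = set(spec.get("modes", []))
        if modes - VALID_MODES:
            errors.append(f"{name}: unknown mode(s) {sorted(modes - VALID_MODES)}")
        if len(modes) > 1:  # promiscuous / inline pair / inline VLAN pair cannot be combined
            errors.append(f"{name}: modes {sorted(modes)} combined; one mode per interface")
        if name in paired and spec.get("vlan_groups"):  # subdivide the pair, not the member
            errors.append(f"{name}: paired physical interface cannot be subdivided; subdivide the pair")

    # Both physical interfaces and inline interface pairs may carry VLAN groups.
    subdividable = {n: s.get("vlan_groups", {}) for n, s in ifaces.items()}
    subdividable.update({n: p.get("vlan_groups", {}) for n, p in pairs.items()})

    vlan_carriers = defaultdict(set)  # vlan -> interfaces/pairs that carry it
    for ent, groups in subdividable.items():
        if groups and on_asa_module:
            errors.append(f"{ent}: VLAN groups are not supported on {cfg['platform']}")
        if len(groups) > MAX_VLAN_GROUPS:
            errors.append(f"{ent}: {len(groups)} VLAN groups exceeds the limit of {MAX_VLAN_GROUPS}")
        group_of = {}  # vlan -> group id, to catch a VLAN placed in two groups on one interface
        for gid, vlans in groups.items():
            for vlan in sorted(vlans):
                if vlan in group_of:
                    errors.append(f"{ent}: VLAN {vlan} is in groups {group_of[vlan]} and {gid}")
                else:
                    group_of[vlan] = gid
                vlan_carriers[vlan].add(ent)
    for vlan, ents in sorted(vlan_carriers.items()):
        if len(ents) > 1:  # allowed, but the sensor warns about it
            warnings.append(f"VLAN {vlan} is used on multiple interfaces: {sorted(ents)}")

    owner = {}  # (entity, group) -> virtual sensor that already claims it
    for vs, assignments in vsensors.items():
        for ent, gid in assignments:
            if ent not in subdividable or (gid is not None and gid not in subdividable[ent]):
                warnings.append(f"{vs}: dangling reference to {ent} group {gid}; remove or fix it")
                continue
            if (ent, gid) in owner:
                errors.append(f"{ent} group {gid}: assigned to both {owner[(ent, gid)]} and {vs}")
            else:
                owner[(ent, gid)] = vs
    return errors, warnings


# Constructed sample layout (hypothetical names); it breaks several rules on purpose.
SAMPLE = {
    "platform": "IPS-4260",
    "interfaces": {
        "GigabitEthernet0/0": {"modes": ["promiscuous"], "vlan_groups": {1: {10, 20}, 2: {20, 30}}},
        "GigabitEthernet0/1": {"modes": ["inline-interface-pair"]},
        "GigabitEthernet0/2": {"modes": ["inline-interface-pair"], "vlan_groups": {1: {40}}},
        "GigabitEthernet0/3": {"modes": ["promiscuous", "inline-vlan-pair"]},
    },
    "pairs": {
        "pair0": {"members": ["GigabitEthernet0/1", "GigabitEthernet0/2"], "vlan_groups": {1: {10}, 2: {50}}},
    },
    "virtual_sensors": {
        "vs0": [("GigabitEthernet0/0", 1), ("pair0", 1)],
        "vs1": [("pair0", 1), ("GigabitEthernet0/4", None)],
    },
}

if __name__ == "__main__":
    errs, warns = lint(SAMPLE)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run against the sample, the linter reports four errors (VLAN 20 in two groups on GigabitEthernet0/0, the paired GigabitEthernet0/2 being subdivided, two modes combined on GigabitEthernet0/3, and pair0 group 1 claimed by both vs0 and vs1) and two warnings (VLAN 10 on two interfaces, and vs1 referencing a GigabitEthernet0/4 that does not exist). The dangling reference is a warning rather than an error because, as the guide says, you may leave it and keep editing; the same check run with an ASA IPS module as the platform turns any VLAN group into an error.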
Interface Modes
The following section describes the interface modes, and contains the following topics:
• Promiscuous Mode, page 1-14
• IPv6, Switches, and Lack of VACL Capture, page 1-15
• Inline Interface Pair Mode, page 1-16
• Inline VLAN Pair Mode, page 1-16
• VLAN Group Mode, page 1-17
• Deploying VLAN Groups, page 1-18
Promiscuous Mode
In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the forwarded packet flow. The disadvantage of operating in promiscuous mode, however, is that the sensor cannot stop malicious traffic from reaching its