1-15
Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Chapter 1 Introducing the Sensor
How the Sensor Functions
intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router).
By default, all sensing interfaces are in promiscuous mode. To change an interface from inline interface mode to promiscuous mode, delete any inline interface that contains that interface and delete any inline VLAN pair subinterfaces of that interface from the interface configuration.
Figure 1-2 illustrates promiscuous mode:
Figure 1-2 Promiscuous Mode
IPv6, Switches, and Lack of VACL Capture
VACLs on Catalyst switches do not have IPv6 support. The most common method for copying traffic to a sensor configured in promiscuous mode is to use VACL capture. If you want to have IPv6 support, you can use SPAN ports.
However, you can only configure up to two monitor sessions on a switch unless you use the following configuration:
• One monitor (SPAN) session
• Multiple trunks to one or more sensors
• A per-trunk-port restriction of the allowed VLANs, so that many VLANs can be monitored by more than two different sensors or virtual sensors within one IPS
The following configuration uses one SPAN session to send all of the traffic on any of the specified VLANs to all of the specified ports. Each port configuration only allows a particular VLAN or VLANs to pass. Thus you can send data from different VLANs to different sensors or virtual sensors all with one SPAN configuration line:
clear trunk 4/1-4 1-4094
set trunk 4/1 on dot1q 930
set trunk 4/2 on dot1q 932
set trunk 4/3 on dot1q 960
set trunk 4/4 on dot1q 962
set span 930, 932, 960, 962 4/1-4 both
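To see why the per-trunk VLAN restriction lets one SPAN session feed four sensors, the following added example (not from the guide; it assumes the CatOS lines above and that a trunk allows VLANs 1-4094 until they are cleared) parses the configuration and computes which mirrored VLANs actually reach each sensor port. The same function, run without the clear trunk line, shows every port receiving all four VLANs, which is why that line comes first.

```python
import re

# Constructed sample: the CatOS lines shown on this page (SPAN sources 930, 932,
# 960, 962 fanned out to trunk ports 4/1-4, each trunk restricted to one VLAN).
CATOS_CONFIG = """
clear trunk 4/1-4 1-4094
set trunk 4/1 on dot1q 930
set trunk 4/2 on dot1q 932
set trunk 4/3 on dot1q 960
set trunk 4/4 on dot1q 962
set span 930, 932, 960, 962 4/1-4 both
"""

# Assumption: a CatOS trunk allows VLANs 1-4094 until 'clear trunk' removes them.
ALL_VLANS = frozenset(range(1, 4095))

CLEAR_RE = re.compile(r"^clear trunk (\S+) (\d[\d,\s-]*)$")
TRUNK_RE = re.compile(r"^set trunk (\S+)(?: \S+)*? (\d[\d,\s-]*)$")
SPAN_RE = re.compile(r"^set span (.+?) (\d+/[\d-]+) (both|rx|tx)$")

def expand_ports(spec):
    """'4/1-4' -> ['4/1', '4/2', '4/3', '4/4']; '4/2' -> ['4/2']."""
    mod, rng = spec.split("/")
    lo, _, hi = rng.partition("-")
    return [f"{mod}/{n}" for n in range(int(lo), int(hi or lo) + 1)]

def expand_vlans(spec):
    """'930, 932' or '1-4094' -> set of VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def effective_span_vlans(config):
    """{port: VLANs whose mirrored copies reach that port}: a copy arrives only
    if the VLAN is both a SPAN source and allowed on that port's trunk."""
    allowed, mirrored = {}, {}
    for line in (l.strip() for l in config.strip().splitlines()):
        if m := CLEAR_RE.match(line):          # remove VLANs from the trunk
            for port in expand_ports(m[1]):
                allowed[port] = allowed.get(port, ALL_VLANS) - expand_vlans(m[2])
        elif m := TRUNK_RE.match(line):        # add the listed VLANs to the trunk
            allowed[m[1]] = allowed.get(m[1], ALL_VLANS) | expand_vlans(m[2])
        elif m := SPAN_RE.match(line):         # one session, many destination ports
            for port in expand_ports(m[2]):
                mirrored[port] = mirrored.get(port, set()) | expand_vlans(m[1])
    return {port: vlans & allowed.get(port, ALL_VLANS)
            for port, vlans in mirrored.items()}
```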
[Figure 1-2 (Promiscuous Mode): a router, a host, and a sensor connected to a switch; the SPAN port sends copies of VLAN A traffic to the sensor.]