Cisco IPS 7.1 Installation Guide Page 33

1-17
Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Chapter 1 Introducing the Sensor
How the Sensor Functions
Note For the IPS 4510 and IPS 4520, the maximum number of inline VLAN pairs you can create systemwide
is 150. On all other platforms, the limit is 255 per interface.
You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair.

Inline VLAN pair mode is an active sensing mode where a sensing interface acts as an 802.1q trunk port, and the sensor performs VLAN bridging between pairs of VLANs on the trunk. The sensor inspects the traffic it receives on each VLAN in each pair, and can either forward the packets on the other VLAN in the pair, or drop the packet if an intrusion attempt is detected. You can configure an IPS sensor to simultaneously bridge up to 255 VLAN pairs on each sensing interface. The sensor replaces the VLAN ID field in the 802.1q header of each received packet with the ID of the egress VLAN on which the sensor forwards the packet. The sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs.
Note You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.
Figure 1-4 illustrates inline VLAN pair mode:
Figure 1-4 Inline VLAN Pair Mode
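The forwarding behaviour described above (analyze the frame, rewrite the 802.1q VLAN ID to the paired egress VLAN, drop anything on an unpaired VLAN, refuse the default VLAN in a pair) can be modelled in a few dozen lines. The following is an added example and is not Cisco code; it assumes VLAN 1 is the default VLAN, uses constructed MAC addresses and payloads, and replaces the signature engine with a trivial marker check (`demo_inspect`) so the bridging logic can be exercised offline.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100          # EtherType that marks an 802.1q tagged frame
DEFAULT_VLAN = 1             # assumption: VLAN 1 is the trunk's default VLAN


def parse_dot1q(frame: bytes):
    """Return (dst, src, vlan_id) for a tagged frame, or None if it is untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1q header")
    dst, src, tpid = struct.unpack("!6s6sH", frame[:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return dst, src, tci & 0x0FFF        # low 12 bits of the TCI carry the VLAN ID


def rewrite_vlan(frame: bytes, egress_vlan: int) -> bytes:
    """Replace the VLAN ID in the 802.1q header, keeping the PCP/DEI bits intact."""
    (tci,) = struct.unpack("!H", frame[14:16])
    tci = (tci & 0xF000) | (egress_vlan & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


class InlineVlanPairInterface:
    """Toy model of one sensing interface bridging its configured VLAN pairs."""

    def __init__(self, pairs, inspect):
        self.peer = {}                   # ingress VLAN -> egress VLAN, both directions
        for a, b in pairs:
            if DEFAULT_VLAN in (a, b):
                raise ValueError("the default VLAN cannot be a member of an inline VLAN pair")
            if a in self.peer or b in self.peer:
                raise ValueError("a VLAN may belong to only one pair on an interface")
            self.peer[a], self.peer[b] = b, a
        self.inspect = inspect           # callable(payload) -> True to forward, False to drop
        self.counters = Counter()

    def process(self, frame: bytes):
        """Return the rewritten frame to forward, or None when the sensor drops it."""
        parsed = parse_dot1q(frame)
        if parsed is None:
            self.counters["drop_untagged"] += 1
            return None
        egress_vlan = self.peer.get(parsed[2])
        if egress_vlan is None:          # VLAN not assigned to any pair: dropped
            self.counters["drop_unpaired_vlan"] += 1
            return None
        if not self.inspect(frame[16:]): # inspection verdict: intrusion attempt
            self.counters["drop_denied"] += 1
            return None
        self.counters["forwarded"] += 1
        return rewrite_vlan(frame, egress_vlan)


def make_frame(vlan: int, payload: bytes, pcp: int = 0) -> bytes:
    """Build a constructed 802.1q frame with dummy MACs and an IPv4 EtherType."""
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return (bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")
            + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload)


def demo_inspect(payload: bytes) -> bool:
    # Constructed stand-in for the signature engine: deny frames carrying a marker string.
    return b"DENY-ME" not in payload


def run_demo():
    sensor = InlineVlanPairInterface(pairs=[(10, 20), (30, 40)], inspect=demo_inspect)
    results = {
        "benign_10": sensor.process(make_frame(10, b"GET / HTTP/1.1", pcp=5)),
        "benign_40": sensor.process(make_frame(40, b"hello")),
        "denied_20": sensor.process(make_frame(20, b"DENY-ME")),
        "unpaired_99": sensor.process(make_frame(99, b"hello")),
        "untagged": sensor.process(bytes(20)),
    }
    return sensor, results


if __name__ == "__main__":
    sensor, results = run_demo()
    for name, out in results.items():
        verdict = "dropped" if out is None else f"forwarded on VLAN {parse_dot1q(out)[2]}"
        print(f"{name:12s} -> {verdict}")
    print(dict(sensor.counters))
```

Note that only the 12-bit VLAN ID is rewritten; the priority bits of the tag survive the bridge, which is what an operator expects when QoS markings must be preserved across the sensor.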
VLAN Group Mode
Note The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not
support VLAN groups mode.
You can divide each physical interface or inline interface into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface. Analysis Engine supports multiple virtual sensors, each of which can monitor one or more of these interfaces. This lets you apply multiple policies to the same sensor. The advantage is that now you can use a sensor with only a few interfaces as if it had many interfaces.
Note You cannot divide physical interfaces that are in inline VLAN pairs into VLAN groups.
[Figure 1-4 labels, spilled here from the figure above: Host, Sensor, Switch, Router, VLAN A, VLAN B; "Pairing VLAN A and B"; "Trunk port carrying VLAN A and B"]
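The notes in this section give several configuration rules that are easy to get wrong when a sensor is provisioned from a template: the default VLAN may not be paired, an interface that carries inline VLAN pairs may not also be split into VLAN groups, VLAN groups are unsupported on the ASA IPS modules, and the pair limit is 255 per interface except on the IPS 4510 and IPS 4520, where it is 150 systemwide. The validator below is an added example, not Cisco code; the interface names, VLAN IDs and virtual-sensor names are constructed, the dictionary layout is this example's own, VLAN 1 is assumed to be the default VLAN, and `other-platform` is a placeholder label for any platform not named in the notes.

```python
from collections import Counter

# Rules taken from the guide's notes; the names used in the demo are constructed.
SYSTEMWIDE_PAIR_LIMIT = {"IPS 4510": 150, "IPS 4520": 150}
PER_INTERFACE_PAIR_LIMIT = 255
ASA_IPS_MODULES = {"ASA 5500 AIP SSM", "ASA 5500-X IPS SSP", "ASA 5585-X IPS SSP"}
DEFAULT_VLAN = 1   # assumption: VLAN 1 is the default VLAN


def validate_sensor_config(platform: str, interfaces: dict) -> list:
    """Return a list of violations; an empty list means the configuration is acceptable.

    interfaces maps an interface name to a dict with optional keys (example's own layout):
      "pairs":  list of (vlan_a, vlan_b) inline VLAN pairs on that interface
      "groups": dict of virtual-sensor name -> list of VLAN IDs (VLAN group subinterfaces)
    """
    errors = []
    total_pairs = 0
    for name, cfg in interfaces.items():
        pairs = cfg.get("pairs", [])
        groups = cfg.get("groups", {})
        total_pairs += len(pairs)
        if pairs and groups:
            errors.append(f"{name}: an interface in inline VLAN pairs cannot be divided into VLAN groups")
        if groups and platform in ASA_IPS_MODULES:
            errors.append(f"{name}: {platform} does not support VLAN group mode")
        if platform not in SYSTEMWIDE_PAIR_LIMIT and len(pairs) > PER_INTERFACE_PAIR_LIMIT:
            errors.append(f"{name}: {len(pairs)} pairs exceeds the per-interface limit of "
                          f"{PER_INTERFACE_PAIR_LIMIT}")
        for a, b in pairs:
            if DEFAULT_VLAN in (a, b):
                errors.append(f"{name}: pair ({a}, {b}) uses the default VLAN")
        # A VLAN can only be bridged to one peer, so it may appear in one pair at most.
        for vlan, n in Counter(v for pair in pairs for v in pair).items():
            if n > 1:
                errors.append(f"{name}: VLAN {vlan} is used {n} times across inline VLAN pairs")
    limit = SYSTEMWIDE_PAIR_LIMIT.get(platform)
    if limit is not None and total_pairs > limit:
        errors.append(f"{platform}: {total_pairs} inline VLAN pairs exceeds the systemwide limit of {limit}")
    return errors


def virtual_sensor_for(interfaces: dict, iface: str, vlan: int):
    """Name the virtual sensor whose VLAN group covers (iface, vlan), or None if unassigned."""
    for vs_name, vlans in interfaces.get(iface, {}).get("groups", {}).items():
        if vlan in vlans:
            return vs_name
    return None


# Constructed sample configurations.
GOOD_CONFIG = {
    "GigabitEthernet0/0": {"pairs": [(10, 20), (30, 40)]},
    "GigabitEthernet0/1": {"groups": {"vs0": [100, 101], "vs1": [200]}},
}
BAD_CONFIG = {
    "GigabitEthernet0/0": {"pairs": [(1, 20), (30, 40), (30, 50)], "groups": {"vs0": [60]}},
}


def run_demo():
    return {
        "good_on_4510": validate_sensor_config("IPS 4510", GOOD_CONFIG),
        "good_on_asa": validate_sensor_config("ASA 5585-X IPS SSP", GOOD_CONFIG),
        "bad_on_other": validate_sensor_config("other-platform", BAD_CONFIG),
        "vlan_101_owner": virtual_sensor_for(GOOD_CONFIG, "GigabitEthernet0/1", 101),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, "->", outcome)
```

Running the validator before pushing a configuration catches the rule violations at review time rather than when the sensor rejects the commit, and `virtual_sensor_for` makes it explicit which policy set will inspect traffic arriving on a given VLAN in VLAN group mode.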