Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Chapter 1 Introducing the Sensor
VLAN group subinterfaces associate a set of VLANs with a physical or inline interface. No VLAN can
be a member of more than one VLAN group subinterface. Each VLAN group subinterface is identified
by a number between 1 and 255. Subinterface 0 is a reserved subinterface number used to represent the
entire unvirtualized physical or logical interface. You cannot create, delete, or modify subinterface 0 and
no statistics are reported for it.
An unassigned VLAN group is maintained that contains all VLANs that are not specifically assigned to
another VLAN group. You cannot directly specify the VLANs that are in the unassigned group. When a
VLAN is added to or deleted from another VLAN group subinterface, the unassigned group is updated.
Packets in the native VLAN of an 802.1q trunk do not normally have 802.1q encapsulation headers to
identify the VLAN number to which the packets belong. A default VLAN variable is associated with
each physical interface and you should set this variable to the VLAN number of the native VLAN or to 0.
The value 0 indicates that the native VLAN is either unknown or you do not care if it is specified. If the
default VLAN setting is 0, the following occurs:
• Any alerts triggered by packets without 802.1q encapsulation have a VLAN value of 0 reported in
the alert.
• Non-802.1q encapsulated traffic is associated with the unassigned VLAN group and it is not
possible to assign the native VLAN to any other VLAN group.
Note You can configure a port on a switch as either an access port or a trunk port. On an access port, all traffic
is in a single VLAN, called the access VLAN. On a trunk port, multiple VLANs can be carried over
the port, and each packet has a special header attached called the 802.1q header that contains the VLAN
ID. This header is commonly referred to as the VLAN tag. However, a trunk port has a special VLAN called
the native VLAN. Packets in the native VLAN do not have the 802.1q headers attached.
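The following is an added example that models the VLAN group subinterface rules described above (subinterface numbering, the one-group-per-VLAN constraint, the derived unassigned group, and the default VLAN value 0 behavior for untagged packets); it is not Cisco code, and the class and method names are assumptions. It also assumes, as the text implies, that a non-zero default VLAN makes untagged packets count as that native VLAN.

```python
# Added example modelling the VLAN-group rules of this section; not Cisco code.
# Names (VlanGroups, add_group, unassigned, classify) are assumptions.
ALL_VLANS = frozenset(range(1, 4095))  # 802.1q VLAN ID space 1-4094


class VlanGroups:
    """VLAN group subinterfaces of one physical or inline interface."""

    def __init__(self, default_vlan=0):
        # default VLAN: native VLAN number of the trunk, or 0 for unknown / don't care
        if not 0 <= default_vlan <= 4094:
            raise ValueError("default VLAN must be 0 or a VLAN ID 1-4094")
        self.default_vlan = default_vlan
        self.groups = {}  # subinterface number (1-255) -> frozenset of VLAN IDs

    def add_group(self, subif, vlans):
        # subinterface 0 is reserved for the whole unvirtualized interface
        if not 1 <= subif <= 255:
            raise ValueError("subinterface must be 1-255; 0 is reserved")
        if subif in self.groups:
            raise ValueError("subinterface %d already exists" % subif)
        vlans = frozenset(vlans)
        if not vlans <= ALL_VLANS:
            raise ValueError("VLAN IDs must be 1-4094")
        # a VLAN may be a member of at most one VLAN group subinterface
        for other, members in self.groups.items():
            clash = vlans & members
            if clash:
                raise ValueError("VLAN(s) %s already in subinterface %d"
                                 % (sorted(clash), other))
        self.groups[subif] = vlans

    def unassigned(self):
        # the unassigned group is derived, never configured directly: it holds
        # every VLAN not specifically assigned to another VLAN group
        assigned = frozenset().union(*self.groups.values())
        return ALL_VLANS - assigned

    def classify(self, tag):
        """Return (VLAN reported in an alert, subinterface) for one packet.
        tag=None means the packet carries no 802.1q header (native VLAN)."""
        if tag is None:
            if self.default_vlan == 0:
                # alert reports VLAN 0; native traffic stays in the unassigned group
                return 0, "unassigned"
            vlan = self.default_vlan  # assumed: untagged == configured native VLAN
        else:
            vlan = tag
        for subif, members in self.groups.items():
            if vlan in members:
                return vlan, subif
        return vlan, "unassigned"
```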
Deploying VLAN Groups
Because a VLAN group of an inline pair does not translate the VLAN ID, an inline paired interface must
exist between two switches to use VLAN groups on a logical interface. For an appliance, you can connect
the two pairs to the same switch, make them access ports, and then set the access VLANs for the two
ports differently. In this configuration, the sensor connects between two VLANs, because each of the
two ports is in access mode and carries only one VLAN. In this case the two ports must be in different
VLANs, and the sensor bridges the two VLANs, monitoring any traffic that flows between the two
VLANs.
You can also connect appliances between two switches. There are two variations. In the first variation,
the two ports are configured as access ports, so they carry a single VLAN. In this way, the sensor bridges
a single VLAN between the two switches.
In the second variation, the two ports are configured as trunk ports, so they can carry multiple VLANs.
In this configuration, the sensor bridges multiple VLANs between the two switches. Because multiple
VLANs are carried over the inline interface pair, the VLANs can be divided into groups and each group
can be assigned to a virtual sensor.
Supported Sensors
Caution Installing the most recent software on unsupported sensors may yield unpredictable results. We do not
support software installed on unsupported platforms.