Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 5 Configuring Interfaces
• You configure the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) for promiscuous mode from the adaptive security appliance CLI and not from the Cisco IPS CLI.
• You can configure the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) to operate inline even though they have only one sensing interface.
• The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs.
• The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support VLAN groups mode.
• There are security consequences when you put the sensor in bypass mode. When bypass mode is on, traffic bypasses the sensor and is not inspected; therefore, the sensor cannot prevent malicious attacks. The trade-off is availability against inspection: with bypass mode on, a sensor outage is invisible to the network; with bypass mode off, an inline sensor fails closed and a sensor outage becomes a network outage.
• As with signature updates, when the sensor applies a global correlation update, it may trigger bypass. Whether or not bypass is triggered depends on the traffic load of the sensor and the size of the signature/global correlation update. If bypass mode is turned off, an inline sensor stops passing traffic while the update is being applied.
• The ASA 5500-X IPS SSP and ASA 5585-X IPS SSP do not support bypass mode. The adaptive security appliance will either fail open, fail close, or fail over, depending on the configuration of the adaptive security appliance and the type of activity being done on the IPS.
• The show interface command output for the IPS 4510 and IPS 4520 does not include the total undersize packets or total transmit FIFO overruns.
• When the IPS 4510 and IPS 4520 are configured in VLAN pairs, the packet display command does not work without the VLAN option if the expression keyword is also used.
• For the IPS 4510 and IPS 4520, the maximum number of inline VLAN pairs you can create system wide is 150. On all other platforms, the limit is 255 per interface.
• On the IPS 4510 and IPS 4520, no interface-related configurations are allowed when the SensorApp is down.
• For IPS standalone appliances with 1 G and 10 G fixed or add-on interfaces, the maximum jumbo frame size is 9216 bytes. For integrated IPS sensors, such as the ASA 5500-X and ASA 5585-X series, refer to the following URL for information:
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1328869

Note A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS).
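The notes above put the failure-behavior decision in two different places: on the adaptive security appliance for the ASA IPS modules (promiscuous or inline, and fail open or fail close, are chosen in the appliance policy), and on the sensor itself for standalone appliances (the bypass-mode setting under service interface). The following session is an added example and is not taken from this guide; the hostnames asa and sensor and the class-map name ips-all-traffic are illustrative, and the policy-map name global_policy is the appliance default. The ASA side shows the weak setting (inline, fail-open) beside the hardened one (inline, fail-close); the sensor side turns bypass off so that an update or a SensorApp outage stops traffic instead of passing it uninspected.

```cisco
! --- Adaptive security appliance side (ASA CLI); names are hypothetical ---
! The IPS module is placed in the traffic path with Modular Policy Framework.
! inline      = the module can drop traffic it denies
! promiscuous = the module sees a copy only and cannot drop
! fail-open   = if the module stops inspecting, matched traffic still flows
! fail-close  = if the module stops inspecting, matched traffic is dropped
asa(config)# class-map ips-all-traffic
asa(config-cmap)# match any
asa(config-cmap)# exit
asa(config)# policy-map global_policy
asa(config-pmap)# class ips-all-traffic
! Weak setting: an inspection outage silently becomes "no inspection"
! for every flow matched by the class.
asa(config-pmap-c)# ips inline fail-open
! Hardened setting (replaces the line above): fail closed on module failure.
asa(config-pmap-c)# ips inline fail-close
asa(config-pmap-c)# exit
asa(config-pmap)# exit
asa(config)# service-policy global_policy global

! --- Standalone appliance side (Cisco IPS CLI) ---
! bypass-mode on   : traffic always passes and is never inspected
! bypass-mode auto : traffic passes uninspected while SensorApp is down
!                    or cannot keep up, for example during a large update
! bypass-mode off  : traffic is never passed uninspected; an inline
!                    sensor stops forwarding while SensorApp is unavailable
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# bypass-mode off
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show interfaces
```

Choose fail-close and bypass-mode off only where the network can tolerate the inline path going down during signature and global correlation updates; otherwise schedule updates in a maintenance window, because with these settings the update itself interrupts traffic. The sensor-side setting does not apply to the ASA 5500-X IPS SSP and ASA 5585-X IPS SSP, which do not support bypass mode; for those modules only the appliance-side keyword determines the failure behavior.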
Understanding Interfaces
This section describes the IPS interfaces and modes, and contains the following topics:
IPS Interfaces, page 5-3
Command and Control Interface, page 5-3
Sensing Interfaces, page 5-4
TCP Reset Interfaces, page 5-5