Filter
Top Products
5-13
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 5 Configuring Interfaces
Understanding Interfaces
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1328
869
Note A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including
Layer 2 header and FCS).
The following restrictions apply to configuring interfaces on the sensor:
• Physical Interfaces
–
In IPS 7.1, rx/tx flow control is disabled on the IPS 4200 series sensors. This is a change from
IPS 7.0 where rx/tx flow control is enabled by default.
–
On the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and
ASA 5585-X IPS SSP) all backplane interfaces have fixed speed, duplex, and state settings.
These settings are protected in the default configuration on all backplane interfaces.
–
For nonbackplane FastEthernet interfaces the valid speed settings are 10 Mbps, 100 Mbps, and
auto. Valid duplex settings are full, half, and auto.
–
For Gigabit copper interfaces (1000-TX on the IPS 4240, IPS 4255, IPS 4260, IPS 4270-20,
IPS 4345, IPS 4360, IPS 4510, and IPS 4520), valid speed settings are 10 Mbps, 100 Mbps,
1000 Mbps, and auto. Valid duplex settings are full, half, and auto.
–
For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid
duplex setting is auto.
–
The command and control interface cannot also serve as a sensing interface.
• Inline Interface Pairs
–
Inline interface pairs can contain any combination of sensing interfaces regardless of the
physical interface type (copper versus fiber), speed, or duplex settings of the interface.
However, pairing interfaces of different media type, speeds, and duplex settings may not be
fully tested or supported.
–
The command and control interface cannot be a member of an inline interface pair.
–
You cannot pair a physical interface with itself in an inline interface pair.
–
A physical interface can be a member of only one inline interface pair.
–
You can only configure bypass mode and create inline interface pairs on sensor platforms that
support inline mode.
–
A physical interface cannot be a member of an inline interface pair unless the subinterface mode
of the physical interface is none.
–
You can configure the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and
ASA 5585-X IPS SSP) to operate inline even though they have only one sensing interface.
• Inline VLAN Pairs
–
You cannot pair a VLAN with itself.
–
You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.
–
For a given sensing interface, a VLAN can be a member of only one inline VLAN pair.
However, a given VLAN can be a member of an inline VLAN pair on more than one sensing
interface.
–
The order in which you specify the VLANs in an inline VLAN pair is not significant.
–
A sensing interface in Inline VLAN Pair mode can have from 1 to 255 inline VLAN pairs.