Filter
Top Products
5-14
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 5 Configuring Interfaces
Understanding Interfaces
–
The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and
ASA 5585-X IPS SSP) do not support inline VLAN pairs.
–
For the IPS 4510 and IPS 4520, the maximum number of inline VLAN pairs you can create
system wide is 150. On all other platforms, the limit is 255 per interface.
• Alternate TCP Reset Interface
–
You can only assign the alternate TCP reset interface to a sensing interface. You cannot
configure the command and control interface as an alternate TCP reset interface. The alternate
TCP reset interface option is set to none as the default and is protected for all interfaces except
the sensing interfaces.
–
You can assign the same physical interface as an alternate TCP reset interface for multiple
sensing interfaces.
–
A physical interface can serve as both a sensing interface and an alternate TCP reset interface.
–
The command and control interface cannot serve as the alternate TCP reset interface for a
sensing interface.
–
A sensing interface cannot serve as its own alternate TCP reset interface.
–
You can only configure interfaces that are capable of TCP resets as alternate TCP reset
interfaces.
–
There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM,
ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP
reset interface.
• VLAN Groups
–
You can configure any single interface for promiscuous, inline interface pair, or inline VLAN
pair mode, but no combination of these modes is allowed.
–
You cannot add a VLAN to more than one group on each interface.
–
You cannot add a VLAN group to multiple virtual sensors.
–
An interface can have no more than 255 user-defined VLAN groups.
–
When you pair a physical interface, you cannot subdivide it; you can subdivide the pair.
–
You can use a VLAN on multiple interfaces; however, you receive a warning for this
configuration.
–
You can assign a virtual sensor to any combination of one or more physical interfaces and inline
VLAN pairs, subdivided or not.
–
You can subdivide both physical and logical interfaces into VLAN groups.
–
The CLI, IDM, and IME prompt you to remove any dangling references. You can leave the
dangling references and continue editing the configuration.
–
The CLI, IDM, and IME do not allow configuration changes in Analysis Engine that conflict
with the interface configuration.
–
The CLI allows configuration changes in the interface configuration that cause conflicts in the
Analysis Engine configuration. The IDM and IME do not allow changes in the interface
configuration that cause conflicts in the Analysis Engine configuration.
–
The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and
ASA 5585-X IPS SSP) do not support VLAN groups mode.