Cisco Systems IPS 7.1 Home Security System User Manual


5-26
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 5 Configuring Interfaces
Configuring Inline VLAN Pair Mode
Inline VLAN pair mode is an active sensing mode where a sensing interface acts as an 802.1q trunk port,
and the sensor performs VLAN bridging between pairs of VLANs on the trunk. The sensor inspects the
traffic it receives on each VLAN in each pair, and can either forward the packets on the other VLAN in
the pair, or drop them if an intrusion attempt is detected. You can configure an IPS sensor to
simultaneously bridge up to 255 VLAN pairs on each sensing interface. The sensor replaces the
VLAN ID field in the 802.1q header of each received packet with the ID of the egress VLAN on which
the sensor forwards the packet. The sensor drops all packets received on any VLANs that are not
assigned to inline VLAN pairs.
Note: You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.
Figure 5-3 illustrates inline VLAN pair mode:
Figure 5-3 Inline VLAN Pair Mode
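
The forwarding behaviour described in this section, modelled in Python as an added example (not Cisco code and not part of the guide). It assumes the default VLAN is VLAN 1, treats untagged frames as belonging to no pair, and uses a hypothetical is_attack callback in place of the sensor's inspection; the class and helper names are illustrative.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1q tag
MAX_PAIRS = 255       # pairs per sensing interface, per the text above

class InlineVlanPairBridge:
    """Model of one sensing interface; names here are illustrative."""

    def __init__(self, default_vlan=1):   # assumption: default VLAN is 1
        self.default_vlan = default_vlan
        self.egress = {}                  # ingress VLAN ID -> egress VLAN ID

    def add_pair(self, vlan_a, vlan_b):
        if vlan_a == vlan_b:
            raise ValueError("a pair needs two different VLANs")
        for vid in (vlan_a, vlan_b):
            if not 0 < vid < 4096:
                raise ValueError(f"VLAN {vid} does not fit the 12-bit ID field")
            if vid == self.default_vlan:
                raise ValueError("the default VLAN cannot be paired")
            if vid in self.egress:
                raise ValueError(f"VLAN {vid} already belongs to a pair")
        if len(self.egress) // 2 >= MAX_PAIRS:
            raise ValueError("this interface already bridges 255 pairs")
        self.egress[vlan_a], self.egress[vlan_b] = vlan_b, vlan_a

    def handle(self, frame, is_attack=lambda frame: False):
        """Return the frame to forward (FCS not modelled), or None if dropped."""
        if len(frame) < 18:
            return None                   # too short to hold an 802.1q header
        tpid, tci = struct.unpack_from("!HH", frame, 12)
        if tpid != TPID_8021Q:
            return None                   # assumption: untagged means unpaired
        vid = tci & 0x0FFF
        if vid not in self.egress or is_attack(frame):
            return None                   # unpaired VLAN, or inspection verdict
        new_tci = (tci & 0xF000) | self.egress[vid]   # keep priority/DEI bits
        return frame[:14] + struct.pack("!H", new_tci) + frame[16:]

def tagged_frame(vid, payload=b"constructed-payload", pcp=0):
    """Build a constructed 802.1q frame (made-up MACs, IPv4 EtherType)."""
    macs = bytes.fromhex("020000000002" "020000000001")
    return macs + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, 0x0800) + payload

def vlan_of(frame):
    """Read the VLAN ID from a tagged frame."""
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
```

Only the 12-bit VLAN ID changes on a forwarded frame; addresses, priority bits and payload pass through untouched, and a frame tagged with any VLAN outside the configured pairs never leaves the model.
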
Configuring Inline VLAN Pairs
Use the physical-interfaces interface_name command in the service interface submode to configure
inline VLAN pairs. The interface name is FastEthernet or GigabitEthernet.
The following options apply:
admin-state {enabled | disabled}—Specifies the administrative link state of the interface, whether
the interface is enabled or disabled.
  Note: On all backplane sensing interfaces on all modules, admin-state is set to enabled and is
  protected (you cannot change the setting). The admin-state has no effect (and is protected)
  on the command and control interface. It only affects sensing interfaces. The command and
  control interface does not need to be enabled because it cannot be monitored.
default—Sets the value back to the system default setting.
description—Specifies the description of the interface.
duplex—Specifies the duplex setting of the interface:
  auto—Sets the interface to auto negotiate duplex.
  full—Sets the interface to full duplex.
[Figure 5-3 labels: Host, Sensor, Switch, Router, VLAN A, VLAN B, "Pairing VLAN A and B", "Trunk port carrying VLAN A and B"]