Cisco 5510 Getting Started Guide - Page 178
Page 178 highlights
Chapter 13 Configuring the AIP SSM

Step 2  To add or edit a policy map that sets the action to divert traffic to the AIP SSM, enter the following commands:

    hostname(config)# policy-map name
    hostname(config-pmap)# class class_map_name
    hostname(config-pmap-c)#

where the class_map_name is the class map from Step 1. For example:

    hostname(config)# policy-map IPS
    hostname(config-pmap)# class IPS

Step 3  To divert the traffic to the AIP SSM, enter the following command:

    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]

where the inline and promiscuous keywords control the operating mode of the AIP SSM. See the "Operating Modes" section on page 13-3 for more details.

The fail-close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable.

The fail-open keyword sets the adaptive security appliance to allow all traffic through, uninspected, if the AIP SSM is unavailable.

If you use virtual sensors on the AIP SSM, you can specify a sensor name using the sensor sensor_name argument. To see available sensor names, enter the ips ... sensor ? command. Available sensors are listed. You can also use the show ips command. If you use multiple context mode on the adaptive security appliance, you can only specify sensors that you assigned to the context (see the "Assigning Virtual Sensors to Security Contexts" section on page 13-9). Use the mapped_name if configured in the context.

If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the AIP SSM. If you enter a name that does not yet exist on the AIP SSM, you get an error, and the command is rejected.

Step 4  (Optional) To divert another class of traffic to the AIP SSM, and set the IPS policy, enter the following commands:

    hostname(config-pmap-c)# class class_map_name2
    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor sensor_name]

13-12 Cisco ASA 5500 Series Getting Started Guide 78-19186-01
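An added example, not part of the Cisco guide: a Python check that reads a saved running-config and reports, for each class that uses the ips command from Step 3, the operating mode, the failure behavior and the sensor, noting where traffic would pass uninspected or fall back to the default sensor. The sample configuration is constructed, and the names audit_ips_policy and SAMPLE_CONFIG are assumptions of this example.

```python
import re

# Constructed sample: a running-config excerpt shaped like the commands in Steps 2-4.
SAMPLE_CONFIG = """\
policy-map IPS
 class IPS
  ips inline fail-close sensor sensor1
 class IPS2
  ips promiscuous fail-open
service-policy IPS global
"""

# ips {inline | promiscuous} {fail-close | fail-open} [sensor name]
IPS_RE = re.compile(
    r"^ips\s+(inline|promiscuous)\s+(fail-close|fail-open)(?:\s+sensor\s+(\S+))?$"
)

def audit_ips_policy(config_text):
    """Return one dict per policy-map class that diverts traffic to the AIP SSM."""
    findings = []
    policy = cls = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):  # an unindented line ends any policy-map block
            policy = cls = None
            if line.startswith("policy-map "):
                policy = line.split(None, 1)[1]
        elif policy and line.startswith("class "):
            cls = line.split(None, 1)[1]
        elif policy and cls:
            m = IPS_RE.match(line)
            if not m:
                continue
            mode, on_fail, sensor = m.groups()
            notes = []
            if on_fail == "fail-open":
                notes.append("traffic passes uninspected if the AIP SSM is unavailable")
            if sensor is None:
                notes.append("no sensor named; the default sensor is used")
            findings.append({"policy": policy, "class": cls, "mode": mode,
                             "on_fail": on_fail, "sensor": sensor, "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit_ips_policy(SAMPLE_CONFIG):
        print(f["policy"], f["class"], f["mode"], f["on_fail"], f["sensor"], f["notes"])
```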