Home » Cisco Manuals » Networking » Cisco IPS-4255-K9 » Manual Viewer

Cisco IPS-4255-K9 Installation Guide - Page 34

Deploying VLAN Groups

UPC - 746320951096

Add to My Manuals
Save this manual to your list of manuals

Page 34 highlights

How the Sensor Functions Chapter 1 Introducing the Sensor Subinterface 0 is a reserved subinterface number used to represent the entire unvirtualized physical or logical interface. You cannot create, delete, or modify subinterface 0 and no statistics are reported for it. An unassigned VLAN group is maintained that contains all VLANs that are not specifically assigned to another VLAN group. You cannot directly specify the VLANs that are in the unassigned group. When a VLAN is added to or deleted from another VLAN group subinterface, the unassigned group is updated. Packets in the native VLAN of an 802.1q trunk do not normally have 802.1q encapsulation headers to identify the VLAN number to which the packets belong. A default VLAN variable is associated with each physical interface and you should set this variable to the VLAN number of the native VLAN or to 0. The value 0 indicates that the native VLAN is either unknown or you do not care if it is specified. If the default VLAN setting is 0, the following occurs: • Any alerts triggered by packets without 802.1q encapsulation have a VLAN value of 0 reported in the alert. • Non-802.1q encapsulated traffic is associated with the unassigned VLAN group and it is not possible to assign the native VLAN to any other VLAN group. Note You can configure a port on a switch as either an access port or a trunk port. On an access port, all traffic is in a single VLAN is called the access VLAN. On a trunk port, multiple VLANs can be carried over the port, and each packet has a special header attached called the 802.1q header that contains the VLAN ID. This header is commonly referred as the VLAN tag. However, a trunk port has a special VLAN called the native VLAN. Packets in the native VLAN do not have the 802.1q headers attached. The IDSM2 can read the 802.1q headers for all nonnative traffic to determine the VLAN ID for that packet. However, the IDSM2 does not know which VLAN is configured as the native VLAN for the port in the switch configuration, so it does not know what VLAN the native packets are in. Therefore, you must tell the IDSM2 which VLAN is the native VLAN for that port. Then the IDSM2 treats any untagged packets as if they were tagged with the native VLAN ID. For More Information For a list of restrictions pertaining to IPS sensor interfaces, see Interface Restrictions, page 1-10. Deploying VLAN Groups Because a VLAN group of an inline pair does not translate the VLAN ID, an inline paired interface must exist between two switches to use VLAN groups on a logical interface. For an appliance, you can connect the two pairs to the same switch, make them access ports, and then set the access VLANs for the two ports differently. In this configuration, the sensor connects between two VLANs, because each of the two ports is in access mode and carries only one VLAN. In this case the two ports must be in different VLANs, and the sensor bridges the two VLANs, monitoring any traffic that flows between the two VLANs. The IDSM2 also operates in this manner, because its two data ports are always connected to the same switch. You can also connect appliances between two switches. There are two variations. In the first variation, the two ports are configured as access ports, so they carry a single VLAN. In this way, the sensor bridges a single VLAN between the two switches. In the second variation, the two ports are configured as trunk ports, so they can carry multiple VLANs. In this configuration, the sensor bridges multiple VLANs between the two switches. Because multiple VLANs are carried over the inline interface pair, the VLANs can be divided into groups and each group can be assigned to a virtual sensor. The second variation does not apply to the IDSM2 because it cannot be connected in this way. 1-16 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01

Section	Page
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0	1
Preface	13
Contents	13
Audience	13
Comply with Local and National Electrical Codes	13
Organization	15
Conventions	15
Related Documentation	16
Obtaining Documentation and Submitting a Service Request	17
Introducing the Sensor	19
How the Sensor Functions	19
Capturing Network Traffic	19
Your Network Topology	21
Correctly Deploying the Sensor	21
Tuning the IPS	21
Sensor Interfaces	22
Understanding Sensor Interfaces	22
Command and Control Interface	23
Sensing Interfaces	24
Interface Support	24
TCP Reset Interfaces	27
Interface Restrictions	28
Interface Modes	30
Promiscuous Mode	30
IPv6, Switches, and Lack of VACL Capture	31
Inline Interface Pair Mode	32
Inline VLAN Pair Mode	33
VLAN Group Mode	33
Deploying VLAN Groups	34
Supported Sensors	35
IPS Appliances	36
Introducing the IPS Appliance	36
Appliance Restrictions	37
Connecting an Appliance to a Terminal Server	37
IPS Modules	38
Introducing the AIM IPS	38
Introducing the AIP SSM	40
Introducing the IDSM2	42
Introducing the NME IPS	43
Time Sources and the Sensor	44
The Sensor and Time Sources	44
Synchronizing IPS Module System Clocks with the Parent Device System Clock	46
Verifying the Sensor is Synchronized with the NTP Server	46
Correcting the Time on the Sensor	47
Installation Preparation	47
Site and Safety Guidelines	48
Site Guidelines	48
Rack Configuration Guidelines	48
Electrical Safety Guidelines	49
Power Supply Guidelines	50
Working in an ESD Environment	50
Cable Pinouts	51
10/100BaseT and 10/100/1000BaseT Connectors	52
Console Port (RJ-45)	53
RJ-45 to DB-9 or DB-25	54
Installing the IPS 4240 and the IPS 4255	55
Introducing the IPS 4240 and the IPS 4255	55
Front and Back Panel Features	56
Specifications	58
Connecting the IPS 4240 to a Cisco 7200 Series Router	59
Accessories	59
Important Safety Instructions	59
Rack Mounting	60
Installing the IPS 4240 and the IPS 4255	61
Installing the IPS 4240-DC	64
Installing the IPS 4260	69
Introducing the IPS 4260	69
Supported Interface Cards	70
Hardware Bypass	72
4GE Bypass Interface Card	72
Hardware Bypass Configuration Restrictions	73
Hardware Bypass and Link Changes and Drops	74
Front and Back Panel Features	74
Specifications	77
Accessories	77
Important Safety Instructions	78
Rack Mounting	78
Installing the IPS 4260 in a 4-Post Rack	78
Installing the IPS 4260 in a 2-Post Rack	81
Installing the IPS 4260	83
Removing and Replacing the Chassis Cover	86
Installing and Removing Interface Cards	88
Installing and Removing the Power Supply	90
Installing the IPS 4270-20	93
Introducing the IPS 4270-20	94
Supported Interface Cards	95
Hardware Bypass	97
4GE Bypass Interface Card	97
Hardware Bypass Configuration Restrictions	98
Hardware Bypass and Link Changes and Drops	99
Front and Back Panel Features	99
Diagnostic Panel	103
Internal Components	105
Specifications	106
Accessories	107
Installing the Rail System Kit	107
Understanding the Rail System Kit	107
Rail System Kit Contents	108
Space and Airflow Requirements	108
Installing the IPS 4270-20 in the Rack	109
Extending the IPS 4270-20 from the Rack	117
Installing the Cable Management Arm	120
Converting the Cable Management Arm	123
Installing the IPS 4270-20	127
Removing and Replacing the Chassis Cover	130
Accessing the Diagnostic Panel	133
Installing and Removing Interface Cards	133
Installing and Removing the Power Supply	136
Installing and Removing Fans	141
Troubleshooting Loose Connections	143
Installing the AIM IPS	145
Specifications	145
Before Installing the AIM IPS	146
Software and Hardware Requirements	146
Interoperability With Other IPS Modules	147
Restrictions	147
Hardware Interfaces	148
Installation and Removal Instructions	149
Verifying Installation	150
Installing the AIP SSM	151
Specifications	151
Memory Specifications	152
Hardware and Software Requirements	152
Indicators	152
Installation and Removal Instructions	153
Installing the AIP SSM	153
Verifying the Status of the AIP SSM	154
Removing the AIP SSM	155
Installing the IDSM2	157
Specifications	157
Software and Hardware Requirements	158
Minimum Supported the IDSM2 Configurations	158
Using the TCP Reset Interface	159
Front Panel Features	159
Installation and Removal Instructions	160
Required Tools	160
Slot Assignments	161
Installing the IDSM2	161
Verifying Installation	165
Removing the IDSM2	166
Enabling Full Memory Tests	168
Catalyst Software	168
Cisco IOS Software	169
Resetting the IDSM2	169
Catalyst Software	169
Cisco IOS Software	170
Powering the IDSM2 Up and Down	171
Catalyst Software	171
Cisco IOS Software	172
Installing the NME IPS	173
Specifications	173
Before Installing the NME IPS	174
Software and Hardware Requirements	174
Interoperability With Other IPS Modules	175
Restrictions	175
Hardware Interfaces	176
Installation and Removal Instructions	177
Verifying Installation	178
Logging In to the Sensor	179
Supported User Roles	179
Logging In to the Appliance	180
Connecting an Appliance to a Terminal Server	181
Logging In to the AIM IPS	182
The AIM IPS and the session Command	182
Sessioning In to the AIM IPS	183
Logging In to AIP SSM	184
Logging In to the IDSM2	186
Logging In to the NME IPS	187
The NME IPS and the session Command	187
Sessioning In to the NME IPS	188
Logging In to the Sensor	189
Initializing the Sensor	191
Understanding Initialization	191
Simplified Setup Mode	191
System Configuration Dialog	192
Basic Sensor Setup	194
Advanced Setup	197
Advanced Setup for the Appliance	198
Advanced Setup for the AIM IPS	203
Advanced Setup for the AIP SSM	206
Advanced Setup for the IDSM2	210
Advanced Setup for the NME IPS	215
Verifying Initialization	218
Obtaining Software	221
Obtaining Cisco IPS Software	221
IPS Software Versioning	222
Software Release Examples	226
Upgrading Cisco IPS Software to 7.0	227
Accessing IPS Documentation	229
Cisco Security Intelligence Operations	229
Obtaining a License Key From Cisco.com	230
Understanding Licensing	230
Service Programs for IPS Products	231
Obtaining and Installing the License Key Using IDM or IME	231
Obtaining and Installing the License Key Using the CLI	233
Upgrading, Downgrading, and Installing System Images	237
Upgrades, Downgrades, and System Images	237
Supported FTP and HTTP/HTTPS Servers	238
Upgrading the Sensor	238
IPS 7.0 Upgrade Files	238
upgrade Command and Options	239
Using the upgrade Command	240
Upgrading the Recovery Partition	241
Configuring Automatic Upgrades	242
Automatic Upgrades	242
auto-upgrade Command and Options	243
Using the auto-upgrade Command	244
Automatic Upgrade Examples	246
Downgrading the Sensor	247
Recovering the Application Partition	248
Application Partition	248
Using the recover Command	248
Installing System Images	249
Understanding ROMMON	250
Supported TFTP Servers	250
Connecting an Appliance to a Terminal Server	250
Installing the IPS 4240 and IPS 4255 System Images	251
Installing the IPS 4260 System Image	254
Installing the IPS 4270-20 System Image	256
Installing the AIM IPS System Image	259
Installing the AIP SSM System Image	261
Reimaging the AIP SSM	262
Reimaging the AIP SSM Using the recover configure/boot Command	262
Installing the IDSM2 System Image	264
Understanding the IDSM2 System Image	264
Installing the IDSM2 System Image for Catalyst Software	264
Installing the IDSM2 System Image for Cisco IOS Software	265
Configuring the IDSM2 Maintenance Partition for Catalyst Software	267
Configuring the IDSM2 Maintenance Partition for Cisco IOS Software	271
Upgrading the IDSM2 Maintenance Partition for Catalyst Software	274
Upgrading the IDSM2 Maintenance Partition for Cisco IOS Software	275
Installing the NME IPS System Image	276
Troubleshooting	279
Bug Toolkit	279
Preventive Maintenance	280
Understanding Preventive Maintenance	280
Creating and Using a Backup Configuration File	281
Backing Up and Restoring the Configuration File Using a Remote Server	281
Creating the Service Account	283
Disaster Recovery	284
Recovering the Password	285
Understanding Password Recovery	286
Recovering the Appliance Password	286
Using the GRUB Menu	286
Using ROMMON	287
Recovering the AIM IPS Password	288
Recovering the AIP SSM Password	288
Recovering the IDSM2 Password	291
Recovering the NME IPS Password	291
Disabling Password Recovery	292
Verifying the State of Password Recovery	293
Troubleshooting Password Recovery	293
Time and the Sensor	294
Time Sources and the Sensor	294
Synchronizing IPS Module Clocks with Parent Device Clocks	295
Verifying the Sensor is Synchronized with the NTP Server	295
Correcting Time on the Sensor	296
Advantages and Restrictions of Virtualization	296
Supported MIBs	297
When to Disable Anomaly Detection	298
Troubleshooting Global Correlation	298
Analysis Engine Not Responding	299
Troubleshooting External Product Interfaces	300
External Product Interfaces Issues	300
External Product Interfaces Troubleshooting Tips	301
Troubleshooting the Appliance	301
Hardware Bypass and Link Changes and Drops	302
Troubleshooting Loose Connections	302
Analysis Engine is Busy	303
Connecting the IPS 4240 to a Cisco 7200 Series Router	303
Communication Problems	304
Cannot Access the Sensor CLI Through Telnet or SSH	304
Correcting a Misconfigured Access List	306
Duplicate IP Address Shuts Interface Down	307
SensorApp and Alerting	308
SensorApp Not Running	308
Physical Connectivity, SPAN, or VACL Port Issue	310
Unable to See Alerts	311
Sensor Not Seeing Packets	313
Cleaning Up a Corrupted SensorApp Configuration	315
Blocking	315
Troubleshooting Blocking	316
Verifying ARC is Running	316
Verifying ARC Connections are Active	317
Device Access Issues	319
Verifying the Interfaces and Directions on the Network Device	321
Enabling SSH Connections to the Network Device	321
Blocking Not Occurring for a Signature	322
Verifying the Master Blocking Sensor Configuration	323
Logging	324
Understanding Debug Logging	324
Enabling Debug Logging	325
Zone Names	328
Directing cidLog Messages to SysLog	329
TCP Reset Not Occurring for a Signature	330
Software Upgrades	331
Upgrading and Analysis Engine	332
Which Updates to Apply and Their Prerequisites	332
Issues With Automatic Update	333
Updating a Sensor with the Update Stored on the Sensor	333
Troubleshooting IDM	334
Cannot Launch IDM - Loading Java Applet Failed	334
Cannot Launch IDM-Analysis Engine Busy	335
IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor	335
Signatures Not Producing Alerts	336
Troubleshooting IME	337
Time Synchronization on IME and the Sensor	337
Not Supported Error Message	337
Troubleshooting the IDSM2	337
Diagnosing IDSM2 Problems	338
Minimum Supported IDSM2 Configurations	339
Switch Commands for Troubleshooting	339
Status LED Off	340
Status LED On But the IDSM2 Does Not Come Online	341
Cannot Communicate With the IDSM2 Command and Control Port	342
Using the TCP Reset Interface	344
Connecting a Serial Cable to the IDSM2	344
Troubleshooting the AIP SSM	344
Health and Status Information	345
The AIP SSM and the Data Plane	347
AIM SSP and the Normalizer Engine	347
Troubleshooting the AIM IPS and the NME IPS	347
Interoperability With Other IPS Network Modules	347
Gathering Information	348
Health and Network Security Information	348
Tech Support Information	349
Understanding the show tech-support Command	349
Displaying Tech Support Information	349
Tech Support Command Output	350
Version Information	352
Understanding the show version Command	352
Displaying Version Information	352
Statistics Information	354
Understanding the show statistics Command	355
Displaying Statistics	355
Interfaces Information	365
Understanding the show interfaces Command	365
Interfaces Command Output	365
Events Information	366
Sensor Events	366
Understanding the show events Command	367
Displaying Events	367
Clearing Events	370
cidDump Script	370
Uploading and Accessing Files on the Cisco FTP Site	371
Glossary	373

Match case Limit results 1 per page

1-16

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

OL-18504-01

Chapter 1

Introducing the Sensor

How the Sensor Functions

Subinterface 0 is a reserved subinterface number used to represent the entire unvirtualized physical or

logical interface. You cannot create, delete, or modify subinterface 0 and no statistics are reported for it.

An unassigned VLAN group is maintained that contains all VLANs that are not specifically assigned to

another VLAN group. You cannot directly specify the VLANs that are in the unassigned group. When a

VLAN is added to or deleted from another VLAN group subinterface, the unassigned group is updated.

Packets in the native VLAN of an 802.1q trunk do not normally have 802.1q encapsulation headers to

identify the VLAN number to which the packets belong. A default VLAN variable is associated with

each physical interface and you should set this variable to the VLAN number of the native VLAN or to

The value 0 indicates that the native VLAN is either unknown or you do not care if it is specified. If the

default VLAN setting is 0, the following occurs:

•

Any alerts triggered by packets without 802.1q encapsulation have a VLAN value of 0 reported in

the alert.

•

Non-802.1q encapsulated traffic is associated with the unassigned VLAN group and it is not

possible to assign the native VLAN to any other VLAN group.

Note

You can configure a port on a switch as either an access port or a trunk port. On an access port, all traffic

is in a single VLAN is called the access VLAN. On a trunk port, multiple VLANs can be carried over

the port, and each packet has a special header attached called the 802.1q header that contains the VLAN

ID. This header is commonly referred as the VLAN tag. However, a trunk port has a special VLAN called

the native VLAN. Packets in the native VLAN do not have the 802.1q headers attached. The IDSM2 can

read the 802.1q headers for all nonnative traffic to determine the VLAN ID for that packet. However, the

IDSM2 does not know which VLAN is configured as the native VLAN for the port in the switch

configuration, so it does not know what VLAN the native packets are in. Therefore, you must tell the

IDSM2 which VLAN is the native VLAN for that port. Then the IDSM2 treats any untagged packets as

if they were tagged with the native VLAN ID.

For More Information

For a list of restrictions pertaining to IPS sensor interfaces, see

Interface Restrictions, page 1-10

Deploying VLAN Groups

Because a VLAN group of an inline pair does not translate the VLAN ID, an inline paired interface must

exist between two switches to use VLAN groups on a logical interface. For an appliance, you can connect

the two pairs to the same switch, make them access ports, and then set the access VLANs for the two

ports differently. In this configuration, the sensor connects between two VLANs, because each of the

two ports is in access mode and carries only one VLAN. In this case the two ports must be in different

VLANs, and the sensor bridges the two VLANs, monitoring any traffic that flows between the two

VLANs. The IDSM2 also operates in this manner, because its two data ports are always connected to the

same switch.

You can also connect appliances between two switches. There are two variations. In the first variation,

the two ports are configured as access ports, so they carry a single VLAN. In this way, the sensor bridges

a single VLAN between the two switches.

In the second variation, the two ports are configured as trunk ports, so they can carry multiple VLANs.

In this configuration, the sensor bridges multiple VLANs between the two switches. Because multiple

VLANs are carried over the inline interface pair, the VLANs can be divided into groups and each group

can be assigned to a virtual sensor. The second variation does not apply to the IDSM2 because it cannot

be connected in this way.