Understanding Interfaces
Tip: This topic is an overview of IPS interfaces. For more detailed information, including the specific interface names and locations for each type of appliance and service module, supported roles, configuration restrictions, and hardware considerations, refer to the “Configuring Interfaces” chapter of the Installing and Using Cisco Intrusion Prevention System Device Manager for the IPS software version you are using on Cisco.com. The information is also in the IME and CLI guides. For general information, see http://www.cisco.com/go/ips.
The sensor interfaces are named according to the maximum speed and physical location of the interface. For example, GigabitEthernet2/1 supports a maximum speed of 1 Gigabit and is the second-from-the-right interface in the second-from-the-bottom expansion slot.
There are three interface roles:
- Command and control—The command and control interface has an IP address and is used for configuring the sensor. It receives security and status events from the sensor and queries the sensor for statistics.
The command and control interface is permanently enabled. It is permanently mapped to a specific physical interface, which depends on the specific model of sensor. You cannot use the command and control interface as either a sensing or alternate TCP reset interface. See the IPS document cited above for a list of command and control interfaces by device type.
- Sensing—Sensing interfaces are used by the sensor to analyze traffic for security violations. A sensor has one or more sensing interfaces depending on the sensor. Sensing interfaces can operate individually in promiscuous mode or you can pair them to create inline interfaces. In promiscuous mode, packets do not flow through the sensor; the sensor analyzes a copy of the monitored traffic. In inline mode, the IPS is in the traffic flow and can directly affect the traffic. For more information about sensing modes, see Understanding Interface Modes.
Note: On appliances, all sensing interfaces are disabled by default. You must enable them to use them. On modules, the sensing interfaces are permanently enabled. See the IPS document cited above for a list of sensing interfaces by device type.
- Alternate TCP reset—You can configure sensors to send TCP reset packets to try to reset a network connection between an attacker host and its intended target host. In some installations, when the interface is operating in promiscuous mode, the sensor may not be able to send the TCP reset packets over the same sensing interface on which the attack was detected. In such cases, you can associate the sensing interface with an alternate TCP reset interface; any TCP resets that would otherwise be sent on the sensing interface while it is operating in promiscuous mode are instead sent out on the associated alternate TCP reset interface.
If a sensing interface is associated with an alternate TCP reset interface, that association applies when the sensor is configured for promiscuous mode but is ignored when the sensing interface is configured for inline mode (interface or VLAN pair), because TCP resets are always sent on the sensing interfaces in those modes.
Note: With the exception of IDSM-2, any sensing interface can serve as the alternate TCP reset interface for another sensing interface. The alternate TCP reset interface on IDSM-2 is fixed because of a hardware limitation. IPS modules (on routers or ASA devices) have only one sensing interface, so you cannot specify an alternate TCP reset interface on them. See the IPS document cited above for a list of eligible alternate TCP reset interfaces by device type, and for more information about the conditions under which you would use one.