Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 6.0
Installing IPS 4270-20
Downloads: This chapterpdf (PDF - 3.36MB) The complete bookPDF (PDF - 9.72MB) | Feedback

Installing IPS 4270-20

Table Of Contents

Installing IPS 4270-20

Introducing IPS 4270-20

Supported Interface Cards

Hardware Bypass

4GE Bypass Interface Card

Hardware Bypass Configuration Restrictions

Hardware Bypass and Link Changes and Drops

Front, Back Panel, and Internal Features

Diagnostic Panel

Specifications

Accessories

Installing the Rail System Kit

Overview

Rail System Kit Contents

Space and Airflow Requirements

Installing the IPS 4270-20 in the Rack

Extending the IPS 4270-20 from the Rack

Installing the Cable Management Arm

Converting the Cable Management Arm

Installing the IPS 4270-20

Removing and Replacing the Chassis Cover

Accessing the Diagnostic Panel

Installing and Removing Interface Cards

Installing and Removing the Power Supply

Installing and Removing Fans

Troubleshooting Loose Connections


Installing IPS 4270-20



Note The number of concurrent CLI sessions is limited based on the platform. IDS 4215 and NM-CIDS are limited to three concurrent CLI sessions. All other platforms allow ten concurrent sessions.


This chapter describes IPS 4270-20 and how to install it. It also describes the accessories and how to install them. This chapter contains the following sections:

Introducing IPS 4270-20

Supported Interface Cards

Hardware Bypass

Front, Back Panel, and Internal Features

Diagnostic Panel

Specifications

Accessories

Installing the Rail System Kit

Installing the IPS 4270-20

Removing and Replacing the Chassis Cover

Accessing the Diagnostic Panel

Installing and Removing Interface Cards

Installing and Removing the Power Supply

Installing and Removing Fans

Troubleshooting Loose Connections


Caution The BIOS on IPS 4270-20 is specific to IPS 4270-20 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on IPS 4270-20 voids the warranty. For more information on how to obtain instructions and BIOS files from the Cisco website, see Obtaining Cisco IPS Software.

Introducing IPS 4270-20

IPS 4270-20 delivers up to 4 Gbps of performance in media-rich environments and 2 Gbps in transactional environments enabling you to protect fully saturated Gigabit networks and aggregate network traffic on multiple sensing interfaces. IPS 4270-20 is also inline ready and has support for both copper and fiber NICs thus providing flexibility of deployment in any environment.

Media-rich environments are characterized by content, such as that seen on popular websites with video and file transfer. Transactional environments are characterized by connections, such as E-commerce, instant messaging, and voice.

Figure 6-1 demonstrates the spectrum of media-rich and transactional environments.

Figure 6-1 Media-rich and Transactional Environments

IPS 4270-20 has two built-in GigabitEthernet network ports and nine expansion slots. The network port numbers are numbered from top to bottom beginning with 0 and the expansion slot numbers increase from right to left. The two built-in GigabitEthernet ports are used for management and are called Management0/0 and Management0/1. Management0/1 is reserved for future use. Slots 1 and 2 are reserved for future use. You can populate slots 3 through 8 with supported network interface cards. Slot 9 is populated by a RAID controller card and is not available for use by network interface cards. The sensing interfaces are called GigabitEthernet.

Because of the multiple interfaces on IPS 4270-20, it can cover multiple subnets, each of which have bandwidth requirements in the multi-T3 range or Gigabit range, and the multiple interfaces can be connected directly to the additional monitoring interfaces without needing to SPAN the traffic through a switch.

For improved reliability, IPS 4270-20 uses a compact flash device for storage rather than a hard-disk drive. IPS 4270-20 supports two optional network interface cards, the 2SX interface card with fiber-optic ports, and the 4GE bypass interface card with copper ports that contains the hardware-bypass feature. Initially IPS 4270-20 supports only the built-in interfaces and these two interface cards.

IPS 4270-20 supports a maximum of 16 sensing ports. Any additional configured ports will not be monitored and will not appear in the IPS configuration or statistics and no inline traffic will be forwarded on or between these ports. You receive the following error if you exceed the number of supported ports:

The number of installed network interfaces exceeds the limit of 16. The excess interfaces 
are ignored.
 
   

Note If you add a new interface card that exceeds the limit, one or more of the previous sensing interfaces may become disabled.


IPS 4270-20 ships with two power supplies, thus supporting a redundant power supply configuration. IPS 4270-20 operates in load-sharing mode when the redundant power supply is installed.


Note On IPS sensors with multiple processors (for example, the IPS 4260 and IPS 4270-20), packets may be captured out of order in the IP logs and by the packet command. Because the packets are not processed using a single processor, the packets can become out of sync when received from multiple processors.


For More Information

For more information on sensor interfaces, see Understanding Sensor Interfaces.

For more information on the supported PCI cards, see Supported Interface Cards.

For more information on the 4GE bypass interface card, see Hardware Bypass.

For an illustration of how the network ports and expansion slots are numbered, see Figure 6-7.

For more information on power supplies, see Installing and Removing the Power Supply.

Supported Interface Cards

The IPS 4270-20 supports two interface cards—the 4GE bypass interface card (part number IPS-4GE-BP-INT=) and the 2SX card (part number IPS-2SX-INT=).

GigabitEthernetslot_number/port_number is the expansion card interface naming convention for the IPS 4270-20. The slot number is shown above the slot in the chassis and the port number is numbered from top to bottom starting with 0.

4GE Bypass Interface Card

Provides four 10/100/1000BASE-T (4GE) monitoring interfaces (allowing up to 16 total monitoring interfaces). The 4GE bypass interface card supports hardware bypass.

Figure 6-2 shows the 4GE bypass interface card.

Figure 6-2 4GE Bypass Interface Card

2SX Card

Provides two 1000BASE-SX (fiber) monitoring interfaces (allowing up to 12 total fiber monitoring interfaces). The 2SX card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the sensor. The 2SX interface card does not support hardware bypass.

Figure 6-3 shows the 2SX interface card.

Figure 6-3 2SX Interface Card

Hardware Bypass

This section describes the 4GE bypass interface card and its configuration restrictions. It contains the following topics:

4GE Bypass Interface Card

Hardware Bypass Configuration Restrictions

Hardware Bypass and Link Changes and Drops

4GE Bypass Interface Card

The IPS 4260 and IPS 4270-20 support the 4-port GigabitEthernet card (part number IPS-4GE-BP-INT=) with hardware bypass. This 4GE bypass interface card supports hardware bypass only between ports 0 and 1 and between ports 2 and 3.


Note To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3.


Hardware bypass complements the existing software bypass feature in IPS 6.0. The following conditions apply to hardware bypass and software bypass:

When bypass is set to OFF, software bypass is not active.

For each inline interface for which hardware bypass is available, the component interfaces are set to disable the fail-open capability. If SensorApp fails, the sensor is powered off, reset, or if the NIC interface drivers fail or are unloaded, the paired interfaces enter the fail-closed state (no traffic flows through inline interface or inline VLAN subinterfaces).

When bypass is set to ON, software bypass is active.

Software bypass forwards packets between the paired physical interfaces in each inline interface and between the paired VLANs in each inline VLAN subinterface. For each inline interface on which hardware bypass is available, the component interfaces are set to standby mode. If the sensor is powered off, reset, or if the NIC interfaces fail or are unloaded, those paired interfaces enter fail-open state in hardware (traffic flows unimpeded through inline interface). Any other inline interfaces enter fail-closed state.

When bypass is set to AUTO (traffic flows without inspection), software bypass is activated if sensorApp fails.

For each inline interface on which hardware bypass is available, the component interfaces are set to standby mode. If the sensor is powered off, reset, or if the NIC interfaces fail or are unloaded, those paired interfaces enter fail-open state in hardware. Any other inline interfaces enter the fail-closed state.


Note To test fail-over, set the bypass mode to ON or AUTO, create one or more inline interfaces and power down the sensor and verify that traffic still flows through the inline path.


For More Information

For the procedure for installing and removing the 4GE bypass interface card, see Installing and Removing Interface Cards.

For more information on software bypass mode, refer to Configuring Bypass Mode.

Hardware Bypass Configuration Restrictions

To use the hardware bypass feature on the 4GE bypass interface card, you must pair interfaces to support the hardware design of the card. If you create an inline interface that pairs a hardware-bypass-capable interface with an interface that violates one or more of the hardware-bypass configuration restrictions, hardware bypass is deactivated on the inline interface and you receive a warning message similar to the following:

Hardware bypass functionality is not available on Inline-interface pair0. 
Physical-interface GigabitEthernet2/0 is capable of performing hardware bypass only when 
paired with GigabitEthernet2/1, and both interfaces are enabled and configured with the 
same speed and duplex settings.
 
   

The following configuration restrictions apply to hardware bypass:

The 4-port bypass card is only supported on the IPS 4260 and IPS 4270-20.

Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline VLAN pairs.

Fail-open hardware bypass is available on an inline interface if all of the following conditions are met:

Both of the physical interfaces support hardware bypass.

Both of the physical interfaces are on the same interface card.

The two physical interfaces are associated in hardware as a bypass pair.

The speed and duplex settings are identical on the physical interfaces.

Both of the interfaces are administratively enabled.

Autonegotiation must be set on MDI/X switch ports connected to the IPS 4260 and IPS 4270-20.

You must configure both the sensor ports and the switch ports for autonegotiation for hardware bypass to work. The switch ports must support MDI/X, which automatically reverses the transmit and receive lines if necessary to correct any cabling problems. The sensor is only guaranteed to operate correctly with the switch if both of them are configured for identical speed and duplex, which means that the sensor must be set for autonegotiation too.

Hardware Bypass and Link Changes and Drops

Properly configuring and deploying hardware bypass protects against complete link failure if the IPS appliance experiences a power loss, critical hardware failure, or is rebooted; however, a link status change still occurs when hardware bypass engages (and again when it disengages).

During engagement, the interface card disconnects both physical connections from itself and bridges them together. The interfaces of the connected devices can then negotiate the link and traffic forwarding can resume. Once the appliance is back online, hardware bypass disengages and the interface card interrupts the bypass and reconnects the links back to itself. The interface card then negotiates both links and traffic resumes.

There is no built-in way to completely avoid link status changes and drops. However, you can greatly reduce the interruption time (in some cases to sub-second times) by doing the following:

Make sure you use CAT 5e/6-certified cabling for all connections.

Make sure the interfaces of the connected devices are configured to match the interfaces of the appliance for speed/duplex negotiation (auto/auto).

Enable portfast on connected switchports to reduce spanning-tree forwarding delays.

Front, Back Panel, and Internal Features

This section describes the IPS 4270-20 front, back panel, and internal features.

Figure 6-4 shows the front view of the IPS 4270-20.

Figure 6-4 IPS 4270-20 Front View

Figure 6-5 shows the front panel switches and indicators.

Figure 6-5 IPS 4270-20 Front Panel Switches and Indicators

Table 6-1 describes the front panel switches and indicators on the IPS 4270-20.

Table 6-1 Front Panel Switches and Indicators 

Indicator
Description

UID switch and indicator

Toggles the system ID indicator, which assists with chassis location in a rack:

Blue—Activated

Off—Deactivated

Note The ID switch is activated by a switch on the front of the chassis.

Internal system health indicator

Indicates internal system health:

Green—System on

Flashing amber—System health degraded

Flashing red—System health critical

Off—System off

Power status indicator

Indicates the power supply status:

Green—Power supply on

Flashing amber—Power supply health degraded

Flashing red—Power supply health critical

Off—Power supply off

MGMT0/0 indicator

Indicates the status of the management port:

Green—Linked to network

Flashing green—Linked with activity on the network

Off—No network connection

MGMT0/1 indicator

Reserved for future use

Power switch and indicator

Turns power on and off:

Amber—System has AC power and is in standby mode

Green—System has AC power and is turned on

Off—System has no AC power


Figure 6-6 shows the internal components of the IPS 4270-20.

Figure 6-6 IPS 4270-20 Internal Components

Figure 6-7 shows the back view of the IPS 4270-20.

Figure 6-7 IPS 4270-20 Back Panel Features

Figure 6-8 shows the built-in Ethernet port, which has two indicators per port, and the power supply indicators.

Figure 6-8 Ethernet Port Indicators

Table 6-2 describes the Ethernet port indicators.

Table 6-2 Ethernet Port Indicators 

Indicator
Indicator (Green)
Description

Activity

On or flashing
Off

Network activity
No network activity

Link

On
Off

Linked to network
Not linked to network


Table 6-3 describes the power supply indicators.

Table 6-3 Power Supply Indicators 

Fail Indicator 1
Amber
Power Indicator 2
Green
Description

Off

Off

No AC power to any power supply

Flashing

Off

Power supply failure (over current)

On

Off

No AC power to this power supply

Off

Flashing

AC power present

Standby mode

Off

On

Normal


Diagnostic Panel

The front panel health indicators only indicate the current hardware status. The Diagnostic Panel indicators identify components experiencing an error, event, or failure. All indicators are off unless one of the component fails.


Note When you remove the chassis cover to view the Diagnostic Panel, leave the IPS 4270-20 powered on. Powering off the IPS 4270-20 clears the Diagnostic Panel indicators.


Figure 6-9 shows the Diagnostic Panel.

Figure 6-9 Diagnostic Panel

Table 6-4 lists the indicators that display health status for each component:

Table 6-4 Diagnostic Panel Indicators 

Indicator
Component

PS1

Power supply (primary)

PS2

Power supply (optional)

CPU BD (power fault)

Processor memory module board

I/O BD

System board

NMI

System NMI switch

Slot X

Expansion slot

CPU BD (interlock error)

System board

PPM X

Processor power module

1A-32D

DIMM Slot

PROC X

Processor

FAN X

Fan


For More Information

For the location of the Diagnostic Panel in the IPS 4270-20 chassis, see Figure 6-6 shows the internal components of the IPS 4270-20..

For information on how to access the Diagnostic Panel, see Accessing the Diagnostic Panel.

Specifications

Table 6-5 lists the specifications for the IPS 4270-20.

Table 6-5 IPS 4270-20 Specifications 

Dimensions and Weight
 

Height

6.94 in. (17.6 cm)

Width

19.0 in. (46.3 cm)

Depth

26.5 in. (67.3 cm)

Weight

80 lb (36.3 kg)

Form factor

4 RU, standard 19-inch rack-mountable

Power
 

Rated input voltage

100 to 127 VAC
200 to 240 VAC

Rated input frequency

50 to 60 Hz

Rated input power

1161W @ 100 VAC
1598W @ 200 VAC

Rated input current

12A (100 VAC)
8A (200 VAC)

Maximum heat dissipation

3960 BTU/hr (100 VAC)
5450 BTU/hr (200 VAC)

Power supply output

910 W (low line)
1300 W (high line)

Environment
 

Temperature

Operating 50 to 95°F (10 to 35°C)1
Nonoperating -40°F to 158°F (-40°C to 70°C)

Maximum wet bulb temperature

82.4°F (28°C)

Relative humidity (noncondensing)

Operating 10% to 90%
Nonoperating 5% to 95%

Altitude

Operating 0 to 10,000 ft (3050 m)
Nonoperating 0 to 30,000 ft (9144 m)

Shock

Operating Half-sine 2 G, 11 ms pulse, 100 pulses
Nonoperating 25 G, 170 inches/sec delta V

Vibration

2.2 Grms, 10 minutes per axis on all three axes

1 At sea level with an altitude derating of 1.8°F per every 1000 ft (1.0°C per every 3.0m) above sea level to a maximum of 10,000 ft (3050 m). no direct sustained sunlight.


Accessories

The IPS 4270-20 accessories kit contains the following:

DB-9 connector

DB-9/RJ-45 console cable

Two Ethernet RJ-45 cables

Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor

Documentation Roadmap for Cisco Intrusion Prevention System

Installing the Rail System Kit

You can install the IPS 4270-20 in a 4-post rack. This section describes how to install the IPS 4270-20 in a rack, and contains the following sections:

Overview

Rail System Kit Contents

Space and Airflow Requirements

Installing the IPS 4270-20 in the Rack

Extending the IPS 4270-20 from the Rack

Installing the Cable Management Arm

Converting the Cable Management Arm

Overview

This rail system supports a variety of products that can be installed in round-, square, or threaded-hole racks. Figure 6-10 shows the three rack hole-types. Use this illustration to identify your rack type and then follow the installation steps accordingly.

Figure 6-10 Round-, Square-, and Threaded-Hole Racks

No tools are required for the round- and square-hole racks. You may need screws that fit the threaded-hole rack and a driver for those screws.You need a standard screwdriver to remove the round- and square-hole studs from the slide assemblies when you install the security appliance in a threaded-whole rack.

This rail system supports a minimum rack depth of 24 in. (60.96 cm) and a maximum rack depth of 36.5 in. (92.71 cm).

Rail System Kit Contents

The rail system kit contains the following items:

Two slide assemblies

Two chassis rails

Four Velcro straps

Six zip ties

One cable management arm

A package of miscellaneous parts (screws, and so forth)

One cable management arm stop bracket

Space and Airflow Requirements

To allow for servicing and adequate airflow, follow these space and airflow requirements when choosing where to place a rack:

Leave a minimum clearance of 25 in. (63.5 cm) in front of the rack.

Leave a minimum clearance of 30 in. (76.2 cm) behind the rack.

Leave a minimum clearance of 48 in. (121.9 cm) from the back of the rack to the back of another rack or row of racks.

IPS 4270-20 draws in cool air through the front and expels warm air through the back. The front and back rack doors must be adequately ventilated to allow ambient room air to enter the chassis and the back must be adequately ventilated to allow warm air to escape from the chassis.

Installing the IPS 4270-20 in the Rack


Warning

To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:

This unit should be mounted at the bottom of the rack if it is the only unit in the rack.

When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack.

If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack. Statement 1006



Warning This procedure requires two or more people to position the IPS 4270-20 on the slide assemblies before pushing it in to the rack.

To install the IPS 4270-20 in the rack, follow these steps:


Step 1 Attach the chassis side rail to the IPS 4270-20 by aligning the chassis rail to the stud on the IPS 4270-20, pressing the chassis side rail in to the stud, and then sliding the chassis side rail backwards until you hear the latch catch.


Note The tapered end of the chassis side rail should be at the back of the IPS 4270-20. The chassis side rail is held in place by the inner latch.


Step 2 Repeat Step 1 for each chassis side rail.

Step 3 To remove the chassis side rail, lift the latch, and slide the rail forward.

Step 4 If you are installing the IPS 4270-20 in a shallow rack, one that is less than 28.5 in. (72.39 cm), remove the screw from the inside of the slide assembly before continuing with Step 5.

Step 5 Attach the slide assemblies to the rack.

For round- and square-hole racks:

a. Line up the studs on the slide assembly with the holes on the inside of the rack and snap in to place.

b. Adjust the slide assembly lengthwise to fit the rack.

The spring latch locks the slide assembly in to position.

c. Repeat for each slide assembly.

Make sure the slide assemblies line up with each other in the rack.

d. Lift the spring latch to release the slide assembly if you need to reposition it.

For threaded-hole racks:

a. Remove the eight round- or square-hole studs on each slide assembly using a standard screwdriver.


Note You may need a pair of pliers to hold the retaining nut.


b. Line up the bracket on the slide assembly with the rack holes, install two screws (top and bottom) on each end of the slide assembly.

c. Repeat for each slide assembly.

Step 6 Extend the slide assemblies out of the rack.

Step 7 Align the chassis side rails on the IPS 4270-20 with the slide assembly on both sides of the rack, release the blue slide tab (by either pulling the tab forward or pushing the tab back), and carefully push the IPS 4270-20 in to place.


Caution Keep the IPS 4270-20 parallel to the floor as you slide it in to the rails. Tilting the IPS 4270-20 up or down can damage the slide rails.

Step 8 If you are using the cable management arm, install it before you connect and route any cables.


Note You may also need longer cables when the arm is installed (an extra length of around 3 feet is required).


Step 9 Install the electrical cables at the back of the IPS 4270-20.


For More Information

For the procedure for installing the cable management arm, see Installing the Cable Management Arm.

For information on installing connections to the IPS 4270-20, see Installing the IPS 4270-20.

Extending the IPS 4270-20 from the Rack

You can extend the IPS 4270-20 from the rack for service or removal.


Caution You can only extend the IPS 4270-20 from the rack if the cable management arm is correctly installed with the cables routed through it or if all cables are disconnected from the back of the chassis. Otherwise, you risk damage to the cables and a possible shock hazard if the power cables get caught between the chassis and the rack.

To extend the IPS 4270-20 from the rack, follow these steps:


Step 1 Pull the quick-release levers on each side of the front bezel of the IPS 4270-20 to release it from the rack and extend it on the rack rails until the rail-release latches engage.


Note The release latches lock in to place when the rails are fully extended.


Step 2 After performing the installation or maintenance procedure, slide the IPS 4270-20 in to the rack by pressing the rail-release latches.

Step 3 To completely remove IPS 4270-20 from the rack, disconnect the cables from the back of the IPS 4270-20, push the release tab in the middle of the slide assembly forward, and pull the IPS 4270-20 from the rack.


Installing the Cable Management Arm


Note To hinge the cable management arm on the back right-hand side of the rack, see Converting the Cable Management Arm.


To install the cable management arm, follow these steps:


Step 1 Align the slide bracket on the cable management arm with the stud on the back of the IPS 4270-20 and align the two studs at the back of the chassis side rail, then slide down and lock in to place.

Step 2 Attach the cable trough to the back of the rack by pushing the lower metal tab on the cable management arm in to the slide assembly, then lifting the spring pin to lock it in to place.


Caution Make sure the metal tab is on the outside of the upper part of the cable management arm.


Note When properly installed, the cable management arm is attached to the IPS 4270-20 and the rack rail.


Step 3 Route the cables through the cable trough and secure the cables with the Velcro straps and black tie wraps.


Note After you route the cables through the cable management arm, make sure the cables are not pulled tight when the IPS 4270-20 is fully extended.



Caution Do not use the straps and zip ties to tie the two parts of the cable management arm together.

Step 4 Attach the cable management arm stop bracket to the ride side of the back of the rack by inserting the stop bracket in to the cable management arm bracket.


Converting the Cable Management Arm


Note The cable management arm is designed for ambidextrous use. You can convert the cable management arm from a left-hand swing to a right-hand swing.



Note Make sure to orient the management arm with the cable trough facing upward.


To convert the cable management arm swing, follow these steps:


Step 1 Pull up the spring pin and slide the bracket off the cable management arm.

Step 2 Remove the bottom sliding bracket and flip it over to the top of the bracket aligning the studs.

Step 3 On the other side of the sliding bracket, align the spring pin with the studs and key holes, and slide until the pin snaps in to place.


Note The sliding bracket only fits one way because the hole for the spring pin is offset.



Installing the IPS 4270-20


Warning IMPORTANT SAFETY INSTRUCTIONS

This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071

SAVE THESE INSTRUCTIONS

Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.

To install the IPS 4270-20 on the network, follow these steps:


Step 1 Position the IPS 4270-20 on the network.

Step 2 Install the IPS 4270-20 in a rack, if you are rack mounting it.

Step 3 Connect the cable as shown in Step 4 so that you have either a DB-9 connector on one end as required by the serial port for your computer, and the other end is the RJ-45 connector.


Note Use the console port to connect to a computer to enter configuration commands. Locate the serial cable from the accessory kit. The serial cable assembly consists of a 180/rollover cable with RJ-45 connectors (DB-9 connector adapter PN 74-0495-01).



Note You can use a 180/rollover or straight-through patch cable to connect the appliance to a port on a terminal server with RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.


Step 4 Connect the RJ-45 to DB-9 adapter connector to the console port and connect the other end to the DB-9 connector on your computer.

Step 5 Attach the network cables.

The IPS 4270-20 has the following interfaces:

Management0/0 (MGMT0/0) is the command and control port.

GigabitEthernetslot_number/port_number through GigabitEthernetslot_number/port_number are the expansion ports.


Caution Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns.

Step 6 Attach the power cables (there are two power supplies) to the IPS 4270-20 and plug them in to a power source (a UPS is recommended).

Step 7 Power on the IPS 4270-20.

Step 8 Initialize the IPS 4270-20.

Step 9 Upgrade the IPS 4270-20 with the most recent Cisco IPS software. You are now ready to configure intrusion prevention on the IPS 4270-20.


For More Information

For more information on working with electrical power and in an ESD environment, see Working in an ESD Environment.

For more information on the best place to position the IPS 4270-20 on the network, see Your Network Topology.

For the procedure for installing the IPS 4270-20 in a rack, see Installing the Rail System Kit.

For the instructions for setting up a terminal server, see Connecting an Appliance to a Terminal Server.

For the procedure for using the setup command to initialize the appliance, see Initializing the Appliance.

For the procedure for obtaining the latest IPS software, see Obtaining Cisco IPS Software.

For the procedure for using HTTPS to log in to the IDM, refer to Logging In to IDM.

For the procedures for configuring intrusion prevention on your sensor, refer to the following documents:

Installing and Using Cisco Intrusion Prevention System Device Manager 6.0

Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.0

Removing and Replacing the Chassis Cover


Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than 120 VAC, 20 A U.S. (240 VAC, 16-20 A International). Statement 1005

Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024

Warning Blank faceplates and cover panels serve three important functions: they prevent exposure to hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow of cooling air through the chassis. Do not operate the system unless all cards, faceplates, front covers, and rear covers are in place. Statement 1029

Warning This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028

Caution Follow proper safety procedures when removing and replacing the chassis cover by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.


Note Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4270-20 does not require any special tools and does not create any radio frequency leaks.



Caution Do not operate the IPS 4270-20 for long periods with the chassis cover open or removed. Operating it in this manner results in improper airflow and improper cooling that can lead to thermal damage.

To remove and replace the chassis cover, follow these steps:


Step 1 Log in to the CLI.

Step 2 Prepare the IPS 4270-20 to be powered off:

sensor# reset powerdown
 
   

Wait for the power down message before continuing with Step 3.


Note You can also power off the IPS 4270-20 using the IDM.


Step 3 Power off the IPS 4270-20.

Step 4 Remove both power cables from the IPS 4270-20.

Step 5 Extend the IPS 4270-20 out of the rack if it is rack-mounted.

Step 6 Make sure the IPS 4270-20 is in an ESD-controlled environment.

Step 7 If the locking latch is locked, use the T-15 Torx screwdriver located on the back of the chassis to unlock it. Turn the locking screw a quarter of a turn counterclockwise to unlock it.

Step 8 Lift up the cover latch on the top of the chassis.

Step 9 Slide the chassis cover back and up to remove it.


Caution Do not operate the IPS 4270-20 without the chassis cover installed. The chassis cover protects the internal components, prevents electrical shorts, and provides proper air flow for cooling the electronic components.

Step 10 To replace the chassis cover, position it on top of the chassis and slide it on. Push down on the cover latch to lock in to place.


Note Make sure the chassis cover is securely locked in to place before powering up the IPS 4270-20.


Step 11 Reattach the power cables to the IPS 4270-20.

Step 12 Reinstall the IPS 4270-200 in a rack, on a desktop, or on a table, or extend it back in to the rack.

Step 13 Power on the IPS 4270-20.


For More Information

For the procedure for powering down the IPS 4270-20 using the IDM, refer to Resetting the Appliance.

For more information on working with electrical power and in an ESD environment, see Working in an ESD Environment.

For the procedure for extending the IPS 4270-20 out of the rack, see Extending the IPS 4270-20 from the Rack.

For an illustration of the screwdriver and where it is located, see Figure 6-7.

For the procedure for reattaching the power cables to IPS 4270-20, see Installing the IPS 4270-20.

If you are reinstalling the IPS 4270-20 in a rack, see Installing the Rail System Kit

Accessing the Diagnostic Panel


Note When you remove the chassis cover to view the Diagnostic Panel, leave IPS 4270-20 powered on. Powering off the IPS 4270-20 clears the Diagnostic Panel indicators.


To access the Diagnostic Panel, follow these steps:


Step 1 Extend the IPS 4270-20 from the rack.

Step 2 Remove the chassis cover.

Step 3 Locate the Diagnostic Panel.

Follow the instructions in this chapter to remove and install failed components. For aid in troubleshooting, use the internal health indicators information when contacting TAC.


For More Information

For the procedure for extending the IPS 4270-20 out of the rack, see Extending the IPS 4270-20 from the Rack.

For the procedure for removing the chassis cover, see Removing and Replacing the Chassis Cover.

For the location of the Diagnostic Panel, see Figure 6-6.

For information on what internal health information each indicator displays, see Diagnostic Panel.

Installing and Removing Interface Cards

The IPS 4270-20 has nine expansion card slots. Slots 1 and 2 are PCI-X slots and are reserved for future use. Slots 3 through 9 are PCI-Express slots. All slots are full-height slots. Slot 9 is populated by a RAID controller card and is not available for use by network interface cards.


Caution To prevent damage to the IPS 4270-20 or the expansion cards, power off the IPS 4270-20 and remove all AC power cables before removing or installing expansion cards.


Caution To prevent improper cooling and thermal damage, do not operate the IPS 4270-20 unless all expansion slots have a cover or a card installed.

To install and remove interface cards, follow these steps:


Step 1 Log in to the CLI.

Step 2 Prepare the IPS 4270-20 to be powered off:

sensor# reset powerdown
 
   

Wait for the power down message before continuing with Step 3.


Note You can also power off IPS 4270-20 using the IDM.


Step 3 Power off the IPS 4270-20.

Step 4 Remove the power cables from the IPS 4270-20.

Step 5 If rack-mounted, extend the IPS 4270-20 from the rack.

Step 6 Make sure the IPS 4270-20 is in an ESD-controlled environment.

Step 7 Remove the chassis cover.

Step 8 To unlock the expansion card slot, push down on the center part of the blue tab and open the latch.

Step 9 To uninstall a card, lift the card out of the socket. To install a card, position the card so that its connector lines up over the socket on the mother board and push the card down in to the socket. Press down on the outer edge of the blue tab to lock the card in to place.


Note To remove full-length expansion cards, unlock the retaining clip. To install full-length expansion cards, lock the retaining clip.


Step 10 Replace the chassis cover.

Step 11 Slide the server back in to the rack by pressing the server rail-release handles.

Step 12 Reconnect the power cables to the IPS 4270-20.

Step 13 Power on the IPS 4270-20.


For More Information

For an illustration of the expansion card slots, see Figure 6-7.

For an illustration of the supported interface cards, see Supported Interface Cards.

For the procedure for powering off the IPS 4270-20 using the IDM, refer to Resetting the Appliance.

For the procedure for extending the IPS 4270-20 out of the rack, see Extending the IPS 4270-20 from the Rack.

For more information on working with electrical power and in an ESD environment, see Working in an ESD Environment.

For the procedure for removing and replacing the chassis cover, see Removing and Replacing the Chassis Cover.

Installing and Removing the Power Supply

The IPS 4270-20 ships with two hot-pluggable power supplies, thus providing a redundant power supply configuration. You can install or replace either power supply without powering off the IPS 4270-20, as long as one power supply is active and functioning correctly.


Caution If only one power supply is installed, do not remove the power supply unless the IPS 4270-20 has been powered down. Removing the only operational power supply causes an immediate power loss.

To install and remove power supplies, follow these steps:


Step 1 Log in to the CLI.


Note Power supplies are hot-pluggable. You can replace a power supply while the IPS 4270-20 is running, if you are replacing a redundant power supply.


Step 2 Prepare the IPS 4270-20 to be powered off (if you only have one active, functioning power supply):

sensor# reset powerdown
 
   

Wait for the power down message before continuing with Step 3.


Note You can also power off the IPS 4270-20 using the IDM.


Step 3 Power off the IPS 4270-20 (if you only have one active, functioning power supply).

Step 4 Remove the power cables from the IPS 4270-20.

Step 5 Use the T-15 Torx screwdriver that shipped with the IPS 4270-20 to remove the shipping screw.

The T-15 Torx screwdriver is located to the right of power supply 1 (see Figure 6-7).

Step 6 Remove the power supply by pulling it away from the chassis.

Step 7 Install the power supply. Make sure the handle is open and slide the power supply in to the bay.

Step 8 Lock the power supply handle.

Step 9 Reconnect the power cables.

Be sure that the power supply indicator is green and the front panel health indicator is green.


Note Make sure the two power supplies are powered by separate AC power sources so that the IPS 4270-20 is always available.


Step 10 Power on the IPS 4270-20.


For More Information

For the procedure for powering off the IPS 4270-20 using the IDM, refer to Resetting the Appliance.

Installing and Removing Fans

There are six fans in the IPS 4270-20. The IPS 4270-20 supports redundant hot-pluggable fans in a 5 + 1 configuration to provide proper airflow.

Figure 6-11 shows the fan, its connector, and its indicator.

Figure 6-11 Fan, Connector, and Indicator

The fan indicators provide the following information:

Green—Operating normally

Amber—Failed

Off— No power

To install and remove fans in the IPS 4270-20, follow these steps:


Step 1 Extend the server from the rack.

Step 2 Remove the chassis cover.

Step 3 Identify the failed fan by locating an amber indicator on top of the failed fan or a lighted FAN X indicator on the Diagnostic Panel.

Step 4 Remove the failed fan by grasping the red plastic handle and pulling up.


Note Remove and replace one fan at a time. If the IPS 4270-20 detects two failed fans, it shuts down to avoid thermal damage.


Step 5 Install a new fan by positioning the fan over the slot so that the connector below the fan indicator lines up with the connection on the motherboard. Push down until the fan clicks in to place.

Step 6 Make sure the indicator on each fan is green.


Note If the front panel internal system health indicator is not green after you install a fan, reseat the fan.


Step 7 Replace the chassis cover.

Step 8 Slide the IPS 4270-20 back in to the rack by pressing the rail-release handles.

Step 9 Power on the IPS 4270-20.


For More Information

For the fan locations, see Figure 6-6.

For the procedure for extending the IPS 4270-20 out of the rack, see Extending the IPS 4270-20 from the Rack.

For more information on working with electrical power and in an ESD environment, see Working in an ESD Environment.

For the procedure for removing and replacing the chassis cover, see Removing and Replacing the Chassis Cover.

For more information about the Diagnostic Panel, see Diagnostic Panel.

For the location of the connector, see Figure 6-11.

Troubleshooting Loose Connections

Perform the following actions to troubleshoot loose connections on a sensor:

Make sure all power cords are securely connected.

Make sure all cables are properly aligned and securely connected for all external and internal components.

Remove and check all data and power cables for damage. Make sure no cables have bent pins or damaged connectors.

Make sure each device is properly seated.

If a device has latches, make sure they are completely closed and locked.

Check any interlock or interconnect indicators that indicate a component is not connected properly.

If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.