Document ID: 107540
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Inline Interface Pairs Configuration
CLI Configuration
Configure the Switch for IDSM-2 in Inline Mode
Troubleshoot
Problem
Solution
NetPro Discussion Forums - Featured Conversations
Related Information
Introduction
Operating in Inline Interface Pair mode puts the Intrusion Prevention System (IPS) directly into the traffic flow and affects packet-forwarding rates, which makes them slower when latency is added. This allows the sensor to stop attacks so it drops malicious traffic before it reaches the intended target, thus it provides a protective service. Not only is the inline device processing information on Layers 3 and 4, but it also analyzes the contents and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that normally pass through a traditional firewall device.
In Inline Interface Pair mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.
Note: You can configure AIM-IPS and AIP-SSM to operate inline even though these modules have only one sensing interface.
Note: If the paired interfaces are connected to the same switch, you should configure them on the switch as access ports with different access VLANs for the two ports. Otherwise, traffic does not flow through the inline interface.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco IPS Sensor that uses the Command Line Interface 5.1.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
The information in this document is also applicable to the Intrusion Detection System (IDSM-2) Services Module.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Inline Interface Pairs Configuration
Use the inline-interfaces name command in the service interface submode in order to create inline interface pairs.
Note: Use the Command Lookup Tool ( registered customers only) in order to obtain more information on the commands used in this section.
Note: AIP-SSM is configured for inline interface mode from the Cisco ASA CLI and not from the Cisco IPS CLI.
These options apply:
-
inline-interfaces name —Name of the logical inline interface pair
Note: On all backplane sensing interfaces on all modules (IDSM-2 NM-CIDS, and AIP-SSM), admin-state is set to enabled and is protected (you cannot change the setting). The admin-state has no effect (and is protected) on the command and control interface. It only affects sensing interfaces. The command and control interface does not need to be enabled because it cannot be monitored.
-
default—Sets the value back to the system default setting
-
description—Your description of the inline interface pair
-
interface1 interface_name—The first interface in the inline interface pair
-
interface2 interface_name—The second interface in the inline interface pair
-
no—Removes an entry or selection setting
-
admin-state {enabled | disabled}—The administrative link state of the interface, whether the interface is enabled or disabled.
CLI Configuration
Complete these steps in order to configure the inline VLAN pair settings on the sensor:
-
Log in to the CLI with an account that has administrator privileges.
-
Enter the interface submode:
sensor#configure terminal sensor(config)#service interface sensor(config-int)#
-
Verify if any inline interfaces exist. The subinterface type should read none if no inline interfaces have been configured:
sensor(config-int)#show settings physical-interfaces (min: 0, max: 999999999, current: 2) ----------------------------------------------- <protected entry> name: GigabitEthernet0/0 <defaulted> ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <protected> duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- <protected entry> name: GigabitEthernet0/1 <defaulted> ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <defaulted> duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- <protected entry> name: GigabitEthernet0/2 <defaulted> ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <defaulted> duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- <protected entry> name: GigabitEthernet0/3 <defaulted> ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <defaulted> duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- <protected entry> name: Management0/0 <defaulted> ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <protected> duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- command-control: Management0/0 <protected> inline-interfaces (min: 0, max: 999999999, current: 0) ----------------------------------------------- ----------------------------------------------- bypass-mode: auto <defaulted> interface-notifications ----------------------------------------------- missed-percentage-threshold: 0 percent <defaulted> notification-interval: 30 seconds <defaulted> idle-interface-delay: 30 seconds <defaulted> ----------------------------------------------- sensor(config-int)# -
Name the inline pair:
sensor(config-int)#inline-interfaces PAIR1
-
Display the list of available interfaces:
sensor(config-int)#physical-interfaces ? GigabitEthernet0/0 GigabitEthernet0/0 physical interface. GigabitEthernet0/1 GigabitEthernet0/1 physical interface. GigabitEthernet0/2 GigabitEthernet0/2 physical interface. GigabitEthernet0/3 GigabitEthernet0/3 physical interface. Management0/0 Management0/0 physical interface. sensor(config-int)#physical-interfaces
-
Configure two interfaces into a pair:
sensor(config-int)#interface1 GigabitEthernet0/0
sensor(config-int-inl)#interface2 GigabitEthernet0/1
You must assign the interface to a virtual sensor and enable it before it can monitor traffic. See step 10 for more information.
-
Add a description of this interface:
sensor(config-int-phy)#description PAIR1 Gig0/0 and Gig0/1
-
Repeat steps 4 through 7 for any other interfaces that you want to configure into inline interface pairs.
-
Verify the settings:
sensor(config-int-inl)#show settings name: PAIR1 ----------------------------------------------- description: PAIR1 Gig0/0 & Gig0/1 default: interface1: GigabitEthernet0/0 interface2: GigabitEthernet0/1 ----------------------------------------------- -
Enable the interfaces assigned to the interface pair:
sensor(config-int)#exit sensor(config-int)#physical-interfaces GigabitEthernet0/0 sensor(config-int-phy)#admin-state enabled sensor(config-int-phy)#exit sensor(config-int)#physical-interfaces GigabitEthernet0/1 sensor(config-int-phy)#admin-state enabled sensor(config-int-phy)#exit sensor(config-int)#
-
Verify that the interfaces are enabled:
sensor(config-int)#show settings physical-interfaces (min: 0, max: 999999999, current: 5) ----------------------------------------------- <protected entry> name: GigabitEthernet0/0 ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: enabled default: disabled duplex: auto <defaulted> speed: auto <defaulted> default-vlan: 0 <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- <protected entry> name: GigabitEthernet0/1 ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: enabled default: disabled duplex: auto <defaulted> speed: auto <defaulted> default-vlan: 0 <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- <protected entry> name: GigabitEthernet0/2 <defaulted> ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <defaulted> duplex: auto <defaulted> speed: auto <defaulted> default-vlan: 0 <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- <protected entry> name: GigabitEthernet0/3 <defaulted> ----------------------------------------------- media-type: tx <protected> --MORE-- -
Issue this command in order to delete an inline interface pair and return the interfaces to promiscuous mode:
sensor(config-int)#no inline-interfaces PAIR1
You must also delete the inline interface pair from the virtual sensor to which it is assigned.
-
Verify the inline interface pair has been deleted:
sensor(config-int)#show settings ----------------------------------------------- command-control: Management0/0 <protected> inline-interfaces (min: 0, max: 999999999, current: 0) ----------------------------------------------- ----------------------------------------------- bypass-mode: auto <defaulted> interface-notifications -----------------------------------------------
-
Exit interface configuration submode:
sensor(config-int)#exit Apply Changes:?[yes]:
-
Press Enter in order to apply the changes or enter no in order to discard them.
Configure the Switch for IDSM-2 in Inline Mode
Refer to the Configuring the Catalyst Series 6500 Switch for IDSM-2 in Inline Mode section of Configuring IDSM-2 in order to configure the switch for IDSM-2 inline mode.
Troubleshoot
Problem
If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped).
Solution
You can configure IPS in fail-open state. Thus, if the IPS fails it will continue to pass the traffic, but it will not monitor the traffic.
NetPro Discussion Forums - Featured Conversations
| NetPro Discussion Forums - Featured Conversations for Security |
| Security: Intrusion Detection [Systems] |
| Security: AAA |
| Security: General |
| Security: Firewalling |
Related Information
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco Intrusion Prevention System
- Cisco IPS 4200 Series Sensors
- Technical Support & Documentation - Cisco Systems
| Updated: Jul 10, 2008 | Document ID: 107540 |