Interface Configuration Restrictions
The following restrictions apply to configuring interfaces on the sensor:
– For IPS standalone appliances with 1 G and 10 G fixed or add-on interfaces, the maximum jumbo frame size is 9216 bytes. For integrated IPS sensors, such as the ASA 5500-X and ASA 5585-X series, refer to the following URL for information:
Note: A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS).
– On the IPS 4500 series, no interface-related configurations are allowed when the SensorApp is down.
• Physical Interfaces
– On the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) all backplane interfaces have fixed speed, duplex, and state settings. These settings are protected in the default configuration on all backplane interfaces.
– For nonbackplane FastEthernet interfaces the valid speed settings are 10 Mbps, 100 Mbps, and auto. Valid duplex settings are full, half, and auto.
– For Gigabit copper interfaces (1000-TX on the IPS 4345, IPS 4360, IPS 4510, and IPS 4520), valid speed settings are 10 Mbps, 100 Mbps, 1000 Mbps, and auto. Valid duplex settings are full, half, and auto.
– For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto.
– The command and control interface cannot also serve as a sensing interface.
• Inline Interface Pairs
– Inline interface pairs can contain any combination of sensing interfaces regardless of the physical interface type (copper versus fiber), speed, or duplex settings of the interface. However, pairing interfaces of different media type, speeds, and duplex settings may not be fully tested or supported.
– The command and control interface cannot be a member of an inline interface pair.
– You cannot pair a physical interface with itself in an inline interface pair.
– A physical interface can be a member of only one inline interface pair.
– You can only configure bypass mode and create inline interface pairs on sensor platforms that support inline mode.
– A physical interface cannot be a member of an inline interface pair unless the subinterface mode of the physical interface is
– You can configure the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) to operate inline even though they have only one sensing interface.
• Inline VLAN Pairs
– You cannot pair a VLAN with itself.
– You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.
– For a given sensing interface, a VLAN can be a member of only one inline VLAN pair. However, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.
– The order in which you specify the VLANs in an inline VLAN pair is not significant.
– A sensing interface in Inline VLAN Pair mode can have from 1 to 255 inline VLAN pairs.
– The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support inline VLAN pairs.
– For the IPS 4510 and IPS 4520, the maximum number of inline VLAN pairs you can create system wide is 150. On all other platforms, the limit is 255 per interface.
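The following is an added example, not Cisco code: a pre-change linter that encodes the Inline Interface Pairs and Inline VLAN Pairs restrictions above so a proposed configuration can be checked before it is pushed to the sensor. Interface names such as GigabitEthernet0/0 and Management0/0, the default VLAN id of 1, and the SensorConfig layout are assumptions.

```python
# Added example, not Cisco code; interface names, DEFAULT_VLAN and this config layout are assumptions.
from dataclasses import dataclass, field

DEFAULT_VLAN = 1  # assumed id of the default VLAN, which may not be a member of an inline VLAN pair
SYSTEM_WIDE_VLAN_PAIR_LIMIT = {"IPS 4510": 150, "IPS 4520": 150}  # other platforms: 255 per interface

@dataclass
class SensorConfig:
    platform: str
    command_control: str            # e.g. "Management0/0"
    sensing: set                    # names of the sensing interfaces
    inline_pairs: list = field(default_factory=list)  # [(ifaceA, ifaceB), ...]
    vlan_pairs: dict = field(default_factory=dict)    # iface -> [(vlanA, vlanB), ...]

def check_inline_pairs(cfg):
    errors, member_of = [], {}
    for a, b in cfg.inline_pairs:
        if a == b:
            errors.append(f"{a}: an interface cannot be paired with itself")
        for iface in (a, b):
            if iface == cfg.command_control:
                errors.append(f"{iface}: command and control cannot join an inline pair")
            elif iface not in cfg.sensing:
                errors.append(f"{iface}: not a sensing interface")
            if iface in member_of:  # a physical interface belongs to at most one pair
                errors.append(f"{iface}: already a member of pair {member_of[iface]}")
            member_of[iface] = (a, b)
    return errors

def check_vlan_pairs(cfg):
    errors, total = [], 0
    for iface, pairs in cfg.vlan_pairs.items():
        if not 1 <= len(pairs) <= 255:
            errors.append(f"{iface}: {len(pairs)} pairs, allowed range is 1 to 255")
        seen = set()  # VLAN membership is checked per sensing interface
        for a, b in pairs:
            if a == b:
                errors.append(f"{iface}: VLAN {a} cannot be paired with itself")
            if DEFAULT_VLAN in (a, b):
                errors.append(f"{iface}: default VLAN {DEFAULT_VLAN} cannot be paired")
            for vlan in {a, b}:  # set: the order inside a pair is not significant
                if vlan in seen:
                    errors.append(f"{iface}: VLAN {vlan} is already in another pair")
                seen.add(vlan)
        total += len(pairs)
    limit = SYSTEM_WIDE_VLAN_PAIR_LIMIT.get(cfg.platform)
    if limit is not None and total > limit:
        errors.append(f"{cfg.platform}: {total} inline VLAN pairs exceeds system-wide limit of {limit}")
    return errors
```

Both functions return an empty list for a compliant configuration and one message per violated rule otherwise, so the checker can be run from a change pipeline and fail the change on any non-empty result.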
• Alternate TCP Reset Interface
– You can only assign the alternate TCP reset interface to a sensing interface. You cannot configure the command and control interface as an alternate TCP reset interface. The alternate TCP reset interface option is set to
as the default and is protected for all interfaces except the sensing interfaces.
– You can assign the same physical interface as an alternate TCP reset interface for multiple sensing interfaces.
– A physical interface can serve as both a sensing interface and an alternate TCP reset interface.
– The command and control interface cannot serve as the alternate TCP reset interface for a sensing interface.
– A sensing interface cannot serve as its own alternate TCP reset interface.
– You can only configure interfaces that are capable of TCP resets as alternate TCP reset interfaces.
– There is only one sensing interface on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.
• VLAN Groups
– You can configure any single interface for promiscuous, inline interface pair, or inline VLAN pair mode, but no combination of these modes is allowed.
– You cannot add a VLAN to more than one group on each interface.
– You cannot add a VLAN group to multiple virtual sensors.
– An interface can have no more than 255 user-defined VLAN groups.
– When you pair a physical interface, you cannot subdivide it; you can subdivide the pair.
– You can use a VLAN on multiple interfaces; however, you receive a warning for this configuration.
– You can assign a virtual sensor to any combination of one or more physical interfaces and inline VLAN pairs, subdivided or not.
– You can subdivide both physical and logical interfaces into VLAN groups.
– The CLI, IDM, and IME prompt you to remove any dangling references. You can leave the dangling references and continue editing the configuration.
– The CLI, IDM, and IME do not allow configuration changes in Analysis Engine that conflict with the interface configuration.
– The CLI allows configuration changes in the interface configuration that cause conflicts in the Analysis Engine configuration. The IDM and IME do
allow changes in the interface configuration that cause conflicts in the Analysis Engine configuration.
– The ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support VLAN groups mode.
For More Information
For more information on interface pair combinations, see Interface Support.