Cisco Firepower Management Center 4000 Installation Guide

Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide
 
Chapter 3: Installing Cisco NGIPS for Blue Coat X-Series
Preparing for the Installation
In this scenario, there are two VAPs in the VAP group named ABC, and you must assign two IP addresses. You also want to preserve two additional IP addresses for potential expansion of the VAP group.
For this example, the following command sets the first available IP address to 10.1.16.107 and the second available IP address to 10.1.16.108, then sets aside two additional IP addresses (10.1.16.109 and 10.1.16.110) for VAP group expansion:
CBS(conf-cct-vapgroup)# ip 10.1.16.107/24 10.1.16.255 increment-per-vap 10.1.16.110
When XOS V10.0 or later is configured for Series-9 operating mode, the increment-per-vap parameter supports IPv4 or IPv6 addresses. For more information, see the XOS V10.0 Release Notes.
Tip
Blue Coat recommends increasing the outside range by two or three unused IP addresses to allow for possible future expansion of the VAP group.
Step 6
Exit to the conf-cct context by entering the following commands separately and in this sequence:
CBS(conf-cct-vapgroup-ip)# exit
CBS(conf-cct-vapgroup)# exit
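The address arithmetic behind the ip ... increment-per-vap command above, as an added example that is not part of the Cisco or Blue Coat guide: a Python helper that derives the assigned and reserved addresses and rejects a range that leaves the subnet or lands on its network or broadcast address. It assumes one consecutive IPv4 address per VAP, as in the guide's scenario; the function name plan_vap_range and its parameters are hypothetical.

```python
import ipaddress


def plan_vap_range(first_ip, prefix_len, vap_count, spare=2):
    """Return (assigned, reserved, command) for a VAP group address range.

    Assumption: addresses are handed out consecutively, one per VAP,
    starting at first_ip, and the command takes the IPv4 form shown in
    the guide: ip <first>/<prefix> <broadcast> increment-per-vap <last>.
    """
    if vap_count < 1 or spare < 0:
        raise ValueError("need at least one VAP and a non-negative spare count")

    iface = ipaddress.IPv4Interface(f"{first_ip}/{prefix_len}")
    net = iface.network
    first = iface.ip
    last = first + (vap_count + spare - 1)

    # Both ends of the range must be usable host addresses in the subnet;
    # otherwise a later VAP would receive an unroutable or broadcast address.
    for addr in (first, last):
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is not a usable host address in {net}")

    pool = [first + i for i in range(vap_count + spare)]
    assigned = [str(a) for a in pool[:vap_count]]
    reserved = [str(a) for a in pool[vap_count:]]
    command = (f"ip {first}/{prefix_len} {net.broadcast_address} "
               f"increment-per-vap {last}")
    return assigned, reserved, command


if __name__ == "__main__":
    # The guide's scenario: two VAPs in group ABC, two spare addresses.
    assigned, reserved, command = plan_vap_range("10.1.16.107", 24, 2, spare=2)
    print("assigned:", assigned)
    print("reserved:", reserved)
    print("CBS(conf-cct-vapgroup)#", command)
```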
Configuring Sensing Circuits
Sensing circuits are connections between points in the chassis or to external interfaces. You create sensing circuits differently, depending on how Cisco NGIPS for Blue Coat X-Series is deployed:
  • For passive deployments, create monitor (tap) circuits to ensure that a copy of the network traffic is sent to the VAP group for analysis.
  • For inline deployments, create template (bridge) circuits and child circuits to provide logical connections through a VAP group and between network interfaces.
In either deployment, you must configure sensing circuits to ignore physical interface state by using the link-state-resistant command.
Note
Cisco NGIPS for Blue Coat X-Series does not support configurable bypass (called inline with fail-open in the FireSIGHT System, Version 4.10) interfaces.
Note that if a sensing circuit goes down, Cisco NGIPS for Blue Coat X-Series stops analyzing network traffic until either the circuit comes up on its own or you remove the circuit from its interface on the Defense Center. You can avoid this interruption in traffic by configuring redundancy for your VAP group. For more information, see .
Use an easy-to-remember naming convention for bridge, child, and monitor circuits that best suits your deployment. In the procedures that follow, the NPM_1 Gigabit Ethernet port 3 is named n1e3.
Caution
Do not create a circuit or device name that starts with a numeric character.
For more information, see the following sections:
  •
  •
  •