Cisco IPS 4255 Sensor Technical Manual

Note: While IME can be used to monitor sensor devices that run Cisco IPS 5.0 and later, some of the
new features and functionality delivered in IME are only supported on sensors that run Cisco IPS 6.1
or later.
Note: Cisco Secure Intrusion Prevention System (IPS) 5.x supports only the default virtual sensor
vs0. Virtual sensors other than the default vs0 are supported in IPS 6.x and later.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Related Products
This configuration can also be used with these sensors:
• IPS-4240
• IPS-4255
• IPS-4260
• IPS-4270-20
• AIP-SSM
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
About Analysis Engine
Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through specified
interfaces. You create virtual sensors in Analysis Engine. Each virtual sensor has a unique name with a list of
interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups associated with it. In order to avoid
definition ordering issues, no conflicts or overlaps are allowed in assignments. You assign interfaces, inline
interface pairs, inline VLAN pairs, and VLAN groups to a specific virtual sensor so that no packet is
processed by more than one virtual sensor. Each virtual sensor is also associated with a specifically named
signature definition, event action rules, and anomaly detection configuration. Packets from interfaces, inline
interface pairs, inline VLAN pairs, and VLAN groups that are not assigned to any virtual sensor are disposed
of based on the inline bypass configuration.
About Virtual Sensors
The sensor can receive data inputs from one or many monitored data streams. These monitored data streams
can either be physical interface ports or virtual interface ports. For example, a single sensor can monitor
traffic from in front of the firewall, from behind the firewall, or from in front of and behind the firewall
concurrently. And a single sensor can monitor one or more data streams. In this situation, a single sensor
policy or configuration is applied to all monitored data streams. A virtual sensor is a collection of data that is
defined by a set of configuration policies. The virtual sensor is applied to a set of packets as defined by
the interface component. A virtual sensor can monitor multiple segments, and you can apply a different policy or
configuration for each virtual sensor within a single physical sensor. You can set up a different policy per
monitored segment under analysis. You can also apply the same policy instance, for example, sig0, rules0, or
ad0, to different virtual sensors. You can assign interfaces, inline interface pairs, inline VLAN pairs, and
VLAN groups to a virtual sensor.
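
The no-overlap rule from About Analysis Engine and the policy sharing described above can be checked on a planned layout before it is configured. The following is an added example, not Cisco code and not the sensor's configuration format: the plan structure, the function names, the interface names and the choice to treat a whole-interface assignment as claiming VLAN IDs 0 through 4095 are all assumptions made for illustration.

```python
from itertools import combinations

ALL_VLANS = (0, 4095)  # assumption: a whole-interface assignment claims every VLAN ID

def claims(entry):
    """Expand one assignment entry into (interface, vlan_lo, vlan_hi) claims."""
    kind = entry["kind"]
    if kind == "interface":
        return [(entry["name"], *ALL_VLANS)]
    if kind == "inline-pair":        # both member interfaces belong to the pair
        return [(i, *ALL_VLANS) for i in entry["members"]]
    if kind == "inline-vlan-pair":   # two VLANs bridged on one interface
        return [(entry["name"], v, v) for v in entry["vlans"]]
    if kind == "vlan-group":         # a VLAN range on one interface
        lo, hi = entry["range"]
        return [(entry["name"], lo, hi)]
    raise ValueError(f"unknown assignment kind: {kind}")

def find_overlaps(plan):
    """Return sorted (vs_a, vs_b, interface) where two virtual sensors claim the same traffic."""
    flat = [(vs, c) for vs, cfg in plan.items() for e in cfg["assign"] for c in claims(e)]
    hits = set()
    for (vs_a, (if_a, lo_a, hi_a)), (vs_b, (if_b, lo_b, hi_b)) in combinations(flat, 2):
        if vs_a != vs_b and if_a == if_b and lo_a <= hi_b and lo_b <= hi_a:
            hits.add((*sorted((vs_a, vs_b)), if_a))
    return sorted(hits)

def unassigned(plan, all_interfaces):
    """Interfaces claimed by no virtual sensor; their packets follow the inline bypass setting."""
    used = {c[0] for cfg in plan.values() for e in cfg["assign"] for c in claims(e)}
    return sorted(set(all_interfaces) - used)

# Constructed sample plan (not taken from a real sensor).
INTERFACES = [f"GigabitEthernet0/{n}" for n in range(4)]
SHARED = ("sig0", "rules0", "ad0")   # sharing one policy instance is allowed, not a conflict
PLAN = {
    "vs0": {"policies": SHARED, "assign": [
        {"kind": "inline-pair", "members": ["GigabitEthernet0/0", "GigabitEthernet0/1"]}]},
    "vs1": {"policies": SHARED, "assign": [
        {"kind": "vlan-group", "name": "GigabitEthernet0/2", "range": (100, 199)}]},
    "vs2": {"policies": SHARED, "assign": [
        {"kind": "vlan-group", "name": "GigabitEthernet0/2", "range": (150, 250)},
        {"kind": "interface", "name": "GigabitEthernet0/1"}]},
}

if __name__ == "__main__":
    for vs_a, vs_b, iface in find_overlaps(PLAN):
        print(f"conflict: {vs_a} and {vs_b} both claim traffic on {iface}")
    print("left to inline bypass:", unassigned(PLAN, INTERFACES))
```

In the sample plan, vs2 collides with vs0 on an inline pair member and with vs1 on overlapping VLAN ranges, while the shared policy names raise no conflict.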