Cisco IPS 4255 Sensor Technical Manual

Note: Cisco Secure Intrusion Prevention System (IPS) does not support more than four virtual sensors. The
default virtual sensor is vs0. You cannot delete the default virtual sensor. The interface list, the anomaly
detection operational mode, the inline TCP session tracking mode, and the virtual sensor description are the
only configuration features you can change for the default virtual sensor. You cannot change the signature
definition, event action rules, or anomaly detection policies.
Advantages and Restrictions of Virtualization
Advantages of Virtualization
Virtualization has these advantages:
• You can apply different configurations to different sets of traffic.
• You can monitor two networks with overlapping IP spaces with one sensor.
• You can monitor both inside and outside of a firewall or NAT device.
Restrictions of Virtualization
Virtualization has these restrictions:
• You must assign both sides of asymmetric traffic to the same virtual sensor.
• The use of VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN
tagging, which causes problems with VLAN groups.
  ♦ When you use Cisco IOS software, a VACL capture port or a SPAN target does not always
  receive tagged packets even if it is configured for trunking.
  ♦ When you use the MSFC, fast path switching of learned routes changes the behavior of
  VACL captures and SPAN.
• Persistent store is limited.
Virtualization Requirements
Virtualization has these traffic capture requirements:
• The virtual sensor must receive traffic that has 802.1q headers, other than traffic on the native VLAN
of the capture port.
• The sensor must see both directions of traffic in the same VLAN group in the same virtual sensor for
any given sensor.
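The restrictions and requirements above can be checked against a capture plan before any interface is assigned to a virtual sensor. The following Python check is an added example, not Cisco code; the plan format, field names, port names and path names are constructed for illustration and are not IPS configuration keys.

```python
from collections import defaultdict

MAX_VIRTUAL_SENSORS = 4   # limit stated in the note on this page
DEFAULT_VS = "vs0"        # always present, cannot be deleted

# Constructed sample plan: one entry per direction of a monitored path.
# "tagged" records whether the capture port delivers 802.1q headers.
PLAN = [
    {"path": "dmz-web", "direction": "in", "port": "portA", "vlan": 10, "tagged": True, "vs": "vs1"},
    {"path": "dmz-web", "direction": "out", "port": "portA", "vlan": 10, "tagged": True, "vs": "vs1"},
    {"path": "branch", "direction": "in", "port": "portB", "vlan": 20, "tagged": True, "vs": "vs1"},
    {"path": "branch", "direction": "out", "port": "portC", "vlan": 20, "tagged": True, "vs": "vs2"},
    {"path": "lab", "direction": "in", "port": "portD", "vlan": 30, "tagged": False, "vs": "vs0"},
]
NATIVE_VLAN = {"portA": 1, "portB": 1, "portC": 1, "portD": 1}  # constructed


def validate_plan(plan, native_vlan):
    """Return a sorted list of violations; an empty list means the plan is consistent."""
    problems = []

    # vs0 always exists, so it counts toward the limit even when unused.
    sensors = {DEFAULT_VS} | {e["vs"] for e in plan}
    if len(sensors) > MAX_VIRTUAL_SENSORS:
        problems.append(f"{len(sensors)} virtual sensors planned, limit is {MAX_VIRTUAL_SENSORS}")

    by_path = defaultdict(list)
    for e in plan:
        by_path[e["path"]].append(e)
        # Off the native VLAN, the virtual sensor needs 802.1q headers.
        if not e["tagged"] and e["vlan"] != native_vlan[e["port"]]:
            problems.append(f"{e['path']}/{e['direction']}: VLAN {e['vlan']} arrives untagged on {e['port']}")

    for path, entries in by_path.items():
        directions = sorted({e["direction"] for e in entries})
        if directions != ["in", "out"]:
            problems.append(f"{path}: sensor sees only {directions}")
        assigned = sorted({e["vs"] for e in entries})
        if len(assigned) > 1:
            # Both sides of asymmetric traffic must share one virtual sensor.
            problems.append(f"{path}: directions split across {assigned}")
    return sorted(problems)


if __name__ == "__main__":
    for line in validate_plan(PLAN, NATIVE_VLAN):
        print(line)
```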
Configure
In this section, you are presented with the information to add, edit, and delete virtual sensors.
Add Virtual Sensors
Issue the virtual-sensor name command in service analysis engine submode in order to create a virtual
sensor. You assign policies (anomaly detection, event action rules, and signature definition) to the virtual
sensor. Then you assign interfaces (promiscuous, inline interface pairs, inline VLAN pairs, and VLAN
groups) to the virtual sensor. You must configure the inline interface pairs and VLAN pairs before you can
assign them to a virtual sensor. These options apply:
• anomaly-detection: Anomaly detection parameters.