Cisco Cisco IPS 4255 Sensor 백서

White Paper

Page 5 of 6

context for network A-2. The opposite setup is done for Cisco ASA 2. Packet flow then looks like

Figure 4.

Figure 4. Packet Flow

Since each appliance context pair only handles traffic that it is primary for, each appliance

context’s state tables are kept synchronized and up to date. None of this really matters to the AIP-

SSM because even in this deployment, the AIP configuration portion is relatively easy. Once the

modules are inserted and initialized, an important decision needs to be made as to whether one or

two virtual sensor policies should be created and used due to the fact that the Cisco ASA

appliances are using multiple virtual contexts. If one policy is desired, all packets from both

contexts on the appliance will be sent to that same virtual sensor. If multiple virtual sensors are

created, the packets from each context can go to their own virtual sensor for analysis. If the

decision is made to create multiple virtual sensor “policies” on one AIP-SSM, a similar

configuration should be created on the other AIP-SSM to match/mirror the configuration of the

other AIP-SSM. Other than virtual sensor creation decisions, the rest of the configuration is fairly

straightforward. From the AIP-SSM’s standpoint, this deployment is no different from the active-

passive in that all packets for a flow traverse the same appliance and context, so complete flow

visibility is maintained. If a failover event occurs, session state is maintained by the appliance and

new and ongoing sessions get passed to the “backup” AIP-SSM without issue. That AIP-SSM

starts analysis of the flows as it sees them.