
Configuring IPS Inline Interface Pair Mode

Based on Figure 20-12, Example 20-4 shows a basic configuration that enables inline interface pair mode on the sensor appliance, which sits between two routed devices. The inline interface pair is assigned to the default virtual sensor, vs0.

Figure 20-12. IPS Inline Interface Pair Mode


IPS interfaces GigabitEthernet2/0 and GigabitEthernet2/1 are paired in this example. Both routers are on the same Layer 3 segment but are separated by two different Layer 2 VLANs. Basic IPS initialization parameters have been omitted from this sample template; refer to Example 20-1 for them.

If the paired interfaces are connected to the same switch, be sure to configure them as access ports with different access VLANs for the two ports. Otherwise, traffic will not flow through the inline interface.

Example 20-4. Configuring IPS Inline Interface Mode on IPS Appliance

IPS# show configuration
! ------------------------------
! Current configuration last modified Mon Jul 09 11:05:35 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2005-11-24
! ------------------------------
service interface
physical-interfaces GigabitEthernet2/0
admin-state enabled
exit
physical-interfaces GigabitEthernet2/1
admin-state enabled
exit
inline-interfaces MyPair
interface1 GigabitEthernet2/0
interface2 GigabitEthernet2/1
! ------------------------------
<..>
! ------------------------------
service analysis-engine
virtual-sensor vs0
logical-interface MyPair
<..>

					  

Based on Figure 20-12, Examples 20-5 and 20-6 show sample configuration output from the two routers (R1 and R2) and the switch port configuration. Note that the switch ports must be configured as access ports.

Example 20-5. Configuring Two Routers (R1 and R2) on the Same Layer 3 Segment

R1# show run interface Ethernet0/0
Building configuration...
Current configuration : 79 bytes
!
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
end
<..>
R2# show run interface Ethernet0/0
Building configuration...
Current configuration : 95 bytes
!
interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.0
end

Example 20-6. Configuring Switch Ports for IPS Inline Interface on Separate Layer 2 VLANs

Switch# show run interface FastEthernet0/1
Building configuration...
Current configuration : 84 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
end
<..>
Switch# show run interface FastEthernet0/2
Building configuration...
Current configuration : 84 bytes
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
end
<..>
Switch# show run interface FastEthernet0/10
Building configuration...
Current configuration : 85 bytes
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
end
<..>
Switch# show run interface FastEthernet0/20
Building configuration...
Current configuration : 85 bytes
!
interface FastEthernet0/20
 switchport access vlan 20
 switchport mode access
end
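
The access-port rule stated earlier (both sensor-facing ports in access mode, each in a different access VLAN) can be checked mechanically against output like Example 20-6. The Python below is an added example, not part of the original text or of any Cisco tool. The function names are hypothetical, and which two switch ports are cabled to the sensor is not stated in the text, so the caller supplies them.

```python
import re

# Constructed input: the four port stanzas from Example 20-6, joined together.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/20
 switchport access vlan 20
 switchport mode access
"""

def parse_ports(config):
    """Return {port: {"mode": str or None, "vlan": int}} from interface stanzas."""
    ports, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            # IOS puts a port in VLAN 1 when no access VLAN is configured.
            current = ports.setdefault(m.group(1), {"mode": None, "vlan": 1})
        elif current is not None:
            if m := re.fullmatch(r"switchport mode (\S+)", line):
                current["mode"] = m.group(1)
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
                current["vlan"] = int(m.group(1))
    return ports

def check_sensor_ports(ports, port_a, port_b):
    """port_a/port_b: the ports cabled to the sensor (assumed by the caller)."""
    problems = []
    for name in (port_a, port_b):
        if name not in ports:
            problems.append(f"{name}: no configuration found")
        elif ports[name]["mode"] != "access":
            problems.append(f"{name}: not configured as an access port")
    if not problems and ports[port_a]["vlan"] == ports[port_b]["vlan"]:
        problems.append(f"{port_a} and {port_b} share access VLAN "
                        f"{ports[port_a]['vlan']}; traffic bypasses the inline pair")
    return problems
```

An empty list means the two ports satisfy the rule; each string in a non-empty list names one condition to correct on the switch.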

					  

Example 20-7 shows a sample output from the IPS sensor appliance that verifies the interface configuration. Note that the interface function is "sensing" and the inline mode is "paired" with another interface, indicating that this is an inline interface mode setup.

Example 20-7. Verifying IPS Inline Interface Settings

IPS# show interfaces GigabitEthernet2/0
MAC statistics from interface GigabitEthernet2/0
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Inline Mode = Paired with interface GigabitEthernet2/1
   Pair Status = Up
   Hardware Bypass Capable = Yes when paired with GigabitEthernet2/1
   Hardware Bypass Paired = Yes
   Link Status = Up
   Link Speed = N/A
   Link Duplex = N/A
   Missed Packet Percentage = 0
   Total Packets Received = 208
   Total Bytes Received = 18971
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 601
   Total Bytes Transmitted = 37866
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
<..>
IPS# show interfaces GigabitEthernet2/1
MAC statistics from interface GigabitEthernet2/1
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Inline Mode = Paired with interface GigabitEthernet2/0
   Pair Status = Up
   Hardware Bypass Capable = Yes when paired with GigabitEthernet2/0
   Hardware Bypass Paired = Yes
   Link Status = Up
   Link Speed = N/A
   Link Duplex = N/A
   Missed Packet Percentage = 0
   Total Packets Received = 1787
   Total Bytes Received = 129055
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 159
   Total Bytes Transmitted = 9972
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
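
The verification in Example 20-7 can be scripted so that a broken pairing is caught without reading the counters by eye. The Python below is an added example, not part of the original text or of the sensor software. It parses "show interfaces" output and confirms that each interface is a sensing interface, is paired with the other, and reports the pair and link as up with no missed packets; the function names are hypothetical and the sample is trimmed from Example 20-7.

```python
import re

# Constructed sample: the fields this check reads, trimmed from Example 20-7.
SAMPLE = """\
IPS# show interfaces GigabitEthernet2/0
MAC statistics from interface GigabitEthernet2/0
   Interface function = Sensing interface
   Inline Mode = Paired with interface GigabitEthernet2/1
   Pair Status = Up
   Link Status = Up
   Missed Packet Percentage = 0
IPS# show interfaces GigabitEthernet2/1
MAC statistics from interface GigabitEthernet2/1
   Interface function = Sensing interface
   Inline Mode = Paired with interface GigabitEthernet2/0
   Pair Status = Up
   Link Status = Up
   Missed Packet Percentage = 0
"""

def parse_show_interfaces(text):
    """Split 'show interfaces' output into {interface: {field: value}}."""
    stats, current = {}, None
    for line in text.splitlines():
        header = re.match(r"MAC statistics from interface (\S+)", line.strip())
        if header:
            current = stats.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stats

def check_inline_pair(stats, if1, if2):
    """Return a list of problems; an empty list means the pair looks healthy."""
    problems = []
    for name, peer in ((if1, if2), (if2, if1)):
        s = stats.get(name, {})
        expected = {
            "Interface function": "Sensing interface",
            "Inline Mode": f"Paired with interface {peer}",  # must be mutual
            "Pair Status": "Up",
            "Link Status": "Up",
            "Missed Packet Percentage": "0",
        }
        for field, want in expected.items():
            got = s.get(field, "<missing>")
            if got != want:
                problems.append(f"{name}: {field} = {got!r}, expected {want!r}")
    return problems
```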

					  
