36-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 36 Managing IPS Device Interfaces
Understanding Interface Modes
ID field in the 802.1q header of each received packet with the ID of the egress VLAN on which the sensor forwards the packet. The sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs.
Notes:
You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.
Inline VLAN pairs are not supported on IPS modules for routers or ASA devices.
Related Topics
Understanding Interfaces, page 36-1
Configuring Inline VLAN Pairs, page 36-14
VLAN Group Mode
You can divide each physical interface or inline interface into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface. If you configure multiple virtual sensors, each of them can monitor one or more of these interfaces. This lets you apply multiple policies to the same sensor. The advantage is that now you can use a sensor with only a few interfaces as if it had many interfaces.
Note: You cannot divide physical interfaces that are in inline VLAN pairs into VLAN groups.
VLAN group subinterfaces associate a set of VLANs with a physical or inline interface. No VLAN can be a member of more than one VLAN group subinterface. Each VLAN group subinterface is identified by a number between 1 and 255. Subinterface 0 is a reserved subinterface number used to represent the entire unvirtualized physical or logical interface. You cannot create, delete, or modify subinterface 0, and no statistics are reported for it.
When you create a VLAN group, it is either promiscuous or inline:
Promiscuous VLAN group—If you configure a VLAN group on a physical interface, the VLAN group is promiscuous, as described in Promiscuous Mode, page 36-2.
Inline VLAN group—If you configure a VLAN group on an inline interface pair (a logical interface), the VLAN group is inline, as described in Inline Interface Mode, page 36-3.
Thus, VLAN groups augment the operation of promiscuous mode interfaces or inline interfaces by confining their operation to selected VLANs. Once you assign a VLAN group to an interface (physical or inline interface), the interface is no longer a plain promiscuous or inline interface pair and can only be used for inline VLAN groups.
An unassigned VLAN group is maintained that contains all VLANs that are not specifically assigned to another VLAN group. You cannot directly specify the VLANs that are in the unassigned group. When a VLAN is added to or deleted from another VLAN group subinterface, the unassigned group is updated.
Packets in the native VLAN of an 802.1q trunk do not normally have 802.1q encapsulation headers to identify the VLAN number to which the packets belong. A default VLAN variable is associated with each physical interface, and you should set this variable to the VLAN number of the native VLAN or to 0. The value 0 indicates that the native VLAN is either unknown or you do not care if it is specified. If the default VLAN setting is 0, the following occurs:
Any alerts triggered by packets without 802.1q encapsulation have a VLAN value of 0 reported in the alert.
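The following is an added example, not code from the Cisco Security Manager guide or from the IPS sensor software, that models the VLAN group rules described in this section (subinterface numbers 1 to 255 with 0 reserved, no VLAN in more than one group, a derived unassigned group, promiscuous vs. inline classification) together with the default VLAN handling for untagged frames (an untagged frame is reported with the default VLAN number, or 0 when that is unset). It parses the 802.1q tag out of raw Ethernet frames that the example constructs itself. The class and function names, the handling of untagged frames when the default VLAN is 0 (treated here as belonging to no group), and the sample frames are all assumptions of this example.

```python
"""Model of IPS VLAN group subinterfaces and 802.1q default VLAN handling (illustrative, not Cisco code)."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1q-tagged frame
ETHERTYPE_IPV4 = 0x0800
UNASSIGNED = "unassigned"  # the implicit group of VLANs not placed in any subinterface


@dataclass
class VlanGroupTable:
    """VLAN group subinterfaces configured on one physical or inline interface."""
    interface_kind: str = "physical"       # "physical" -> promiscuous groups, "inline" -> inline groups
    in_inline_vlan_pair: bool = False      # a physical interface used for inline VLAN pairs cannot be grouped
    default_vlan: int = 0                  # native VLAN of the trunk, 0 = unknown / don't care
    groups: dict = field(default_factory=dict)   # subinterface number -> set of VLAN IDs

    @property
    def group_mode(self) -> str:
        return "inline" if self.interface_kind == "inline" else "promiscuous"

    def group_for_vlan(self, vlan: int):
        """Subinterface that owns `vlan`, or None if it sits in the unassigned group."""
        for subif, vlans in self.groups.items():
            if vlan in vlans:
                return subif
        return None

    def add_group(self, subif: int, vlans) -> None:
        """Create or extend a VLAN group subinterface, enforcing the rules from the guide."""
        if self.in_inline_vlan_pair:
            raise ValueError("interface is in an inline VLAN pair; it cannot be divided into VLAN groups")
        if not 1 <= subif <= 255:
            raise ValueError("subinterface number must be 1-255; 0 is reserved for the whole interface")
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN {vlan} is not a valid 802.1q VLAN ID")
            owner = self.group_for_vlan(vlan)
            if owner is not None and owner != subif:
                raise ValueError(f"VLAN {vlan} already belongs to subinterface {owner}")
        self.groups.setdefault(subif, set()).update(vlans)

    def remove_vlan(self, subif: int, vlan: int) -> None:
        """Delete a VLAN from a group; it falls back into the unassigned group automatically."""
        self.groups[subif].discard(vlan)

    def unassigned(self, all_vlans) -> set:
        """The unassigned group is derived, never configured directly."""
        assigned = set().union(*self.groups.values()) if self.groups else set()
        return set(all_vlans) - assigned


def parse_vlan_id(frame: bytes):
    """Return the 802.1q VLAN ID of an Ethernet frame, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN ID


def classify(table: VlanGroupTable, frame: bytes):
    """Return (vlan reported in an alert, subinterface number or UNASSIGNED) for a received frame."""
    vid = parse_vlan_id(frame)
    if vid is None:
        # Untagged frame: it is in the trunk's native VLAN, so report the default VLAN.
        # When default_vlan is 0 the alert carries VLAN 0 (as the guide states); this example
        # assumes such a frame belongs to no configured group.
        vid = table.default_vlan
        if vid == 0:
            return 0, UNASSIGNED
    owner = table.group_for_vlan(vid)
    return vid, (owner if owner is not None else UNASSIGNED)


def build_frame(vlan_id=None) -> bytes:
    """Construct a minimal Ethernet frame (constructed sample data, not a capture)."""
    dst = bytes([0x02, 0, 0, 0, 0, 0x02])   # locally administered, made-up MACs
    src = bytes([0x02, 0, 0, 0, 0, 0x01])
    payload = b"\x00" * 46
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id & 0x0FFF                   # PCP 0, DEI 0
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    table = VlanGroupTable(interface_kind="physical", default_vlan=0)
    table.add_group(1, {10, 20})
    table.add_group(2, {30})
    for vid in (10, 30, 40, None):
        print(vid, "->", classify(table, build_frame(vid)))
```

Running the block shows tagged frames on VLANs 10 and 30 landing on subinterfaces 1 and 2, a frame on VLAN 40 falling into the unassigned group, and an untagged frame reported as VLAN 0 because the default VLAN was left at 0; setting `default_vlan` to the native VLAN number instead makes untagged frames follow that VLAN's group.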