Filter
Top Products
36-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 36 Managing IPS Device Interfaces
Configuring Interfaces
Viewing a Summary of IPS Interface Configuration
The Summary tab of the Interfaces policy contains a table summarizing how you have configured the
sensing interfaces—the interfaces you have configured for promiscuous mode, the interfaces you have
configured as inline pairs, the interfaces you have configured as inline VLAN pairs, inline VLAN
groups, and promiscuous VLAN groups. The content of this table changes when you change your
interface configuration.
You can configure any single physical interface to run in promiscuous mode, inline pair mode, or inline
VLAN pair mode, but you cannot configure an interface in a combination of these modes.
Summary tab A summary of how you have configured the sensing interfaces—the
interfaces you have configured for promiscuous mode, the interfaces
you have configured as inline pairs, and the interfaces you have
configured as inline VLAN pairs.
For more information, see Viewing a Summary of IPS Interface
Configuration, page 36-8.
Bypass Mode The bypass mode for the device, which determines how the sensor
should handle inline mode traffic when the sensor processes are
temporarily stopped for upgrades or when the sensor monitoring
processes fail. This is a global setting that applies to all inline mode
interfaces on the device. Select the desired option; for a detailed
explanation of how each of these options affect inline traffic, see
Configuring Bypass Mode, page 36-12.
• Off (Always inspect inline traffic)—Disables bypass mode.
Traffic is always inspected, and if the monitoring process of the
sensor is down, traffic stops flowing.
• On (Never inspect inline traffic)—Traffic bypasses the Analysis
Engine and is never inspected.
• Auto (Bypass inspection when analysis engine is
stopped)—Traffic is inspected unless the monitoring process of
the sensor is down, in which case traffic continues to flow through
the sensor uninspected. This is the default. Auto mode is useful
during sensor upgrades to ensure that traffic is still flowing while
the sensor is being upgraded.
CDP Mode How to handle Cisco Discovery Protocol (CDP) packets. The CDP
configuration applies globally to all interfaces on the device, however,
it has an effect only on inline interfaces (both inline interfaces and
inline VLAN pairs). For more information, see Configuring CDP
Mode, page 36-13. Select the desired option:
• Forward CDP packets—To allow CDP packets to pass through
the sensor.
• Drop CDP packets—To have the sensor drop all CDP packets and
not allow them to pass through the sensor. This is the default
setting.
Table 36-1 IPS Interfaces Policy (Continued)
Element Description