36-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 36 Managing IPS Device Interfaces
Configuring Interfaces
If the monitoring process of the sensor is down, traffic bypasses the sensor until the sensor is running
again. The sensor then inspects the traffic. Auto mode is useful during sensor upgrades to ensure
that traffic is still flowing while the sensor is being upgraded. Auto mode also helps to ensure traffic
continues to pass through the sensor if the monitoring process fails.
Configuring CDP Mode
You can configure the IPS sensor to enable or disable the forwarding of Cisco Discovery Protocol (CDP)
packets. The CDP configuration applies globally to all interfaces on the device; however, it has an effect
only on inline interfaces (both inline interfaces and inline VLAN pairs).
Cisco Discovery Protocol is a media- and protocol-independent device-discovery protocol that runs on
all Cisco-manufactured equipment, including routers, access servers, bridges, and switches. Using CDP,
a device can advertise its existence to other devices and receive information about other devices on the
same LAN or on the remote side of a WAN. CDP runs on all media that support SNAP, including LANs,
Frame Relay, and ATM media.
Tip: The CDP Mode setting is not available on all IPS appliances and service modules. If the CDP Mode field
does not appear on the Interfaces policy, the setting does not apply to the device you are configuring.
To change the CDP mode setting on a device, follow these steps:
Step 1  (Device view) Select the Interfaces policy from the Policy selector.
Step 2  In the CDP Mode field at the bottom of the policy, select the desired option:
        - Forward CDP packets—To allow CDP packets to pass through the sensor.
        - Drop CDP packets—To have the sensor drop all CDP packets and not allow them to pass through
          the sensor. This is the default setting.
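One way to confirm which CDP Mode is in effect is to capture frames on the far side of an inline pair and check whether any CDP advertisements got through. The following is an added example, not part of the Cisco guide; the function names and the sample frames are constructed for illustration. The SNAP protocol ID is checked as well as the destination MAC, because other Cisco Layer 2 protocols such as DTP share the CDP multicast address.

```python
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")       # Cisco multicast, shared with VTP/DTP/UDLD
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC AA-AA-03, OUI 00-00-0C, PID 0x2000 (CDP)
TLV_NAMES = {1: "device_id", 3: "port_id", 5: "software_version", 6: "platform"}

def parse_cdp(frame: bytes):
    """Return the advertised fields if frame is a CDP frame, else None."""
    if len(frame) < 26 or frame[:6] != CDP_MAC:
        return None
    length = struct.unpack("!H", frame[12:14])[0]        # 802.3 length field
    if length > 1500 or frame[14:22] != CDP_SNAP:        # EtherType frame or other protocol
        return None
    info = {"version": frame[22], "ttl": frame[23]}      # checksum (24:26) is not verified
    pos, end = 26, min(len(frame), 14 + length)          # ignore Ethernet padding
    while pos + 4 <= end:
        tlv_type, tlv_len = struct.unpack("!HH", frame[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > end:           # malformed or truncated TLV
            break
        if tlv_type in TLV_NAMES:
            info[TLV_NAMES[tlv_type]] = frame[pos + 4:pos + tlv_len].decode("ascii", "replace")
        pos += tlv_len
    return info

def cdp_leaks(frames):
    """CDP advertisements found among frames captured downstream of the sensor."""
    return [info for info in map(parse_cdp, frames) if info is not None]

def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, len(value) + 4) + value

def build_sample_frames():
    """Constructed sample capture: one CDP frame and one DTP frame to the same MAC."""
    src = bytes.fromhex("020000000001")                  # constructed source MAC
    body = bytes([2, 180, 0, 0]) + _tlv(1, b"lab-switch-1") + _tlv(3, b"GigabitEthernet0/1")
    cdp_payload = CDP_SNAP + body
    cdp = CDP_MAC + src + struct.pack("!H", len(cdp_payload)) + cdp_payload
    dtp_payload = bytes.fromhex("aaaa0300000c2004") + b"\x01" + bytes(8)
    dtp = CDP_MAC + src + struct.pack("!H", len(dtp_payload)) + dtp_payload
    return [cdp, dtp]

if __name__ == "__main__":
    for adv in cdp_leaks(build_sample_frames()):
        print("CDP passed the sensor:", adv)
```

With Drop CDP packets selected, a capture taken downstream of the inline pair should yield an empty list from `cdp_leaks`.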
Configuring Inline Interface Pairs
You can pair interfaces on your sensor if your sensor is capable of inline monitoring. For more
information about inline pairs, see Inline Interface Mode, page 36-3.
Tip: IPS modules for routers and ASA devices do not need an inline pair for monitoring. You only need to
add the physical interface to a virtual sensor.
Related Topics
Understanding Interfaces, page 36-1
Configuring Bypass Mode, page 36-12
Configuring CDP Mode, page 36-13
Configuring Physical Interfaces, page 36-10
Configuring VLAN Groups, page 36-15