36-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 36 Managing IPS Device Interfaces
Configuring Interfaces
Defining A Virtual Sensor, page 37-5
Editing Policies for a Virtual Sensor, page 37-9
Assigning Interfaces to Virtual Sensors, page 37-4
Step 1 (Device view) Select Interfaces from the Policy selector, then click the Inline Pairs tab.
Step 2 Do one of the following:
• To add a pair, click the Add Row button. The Add Interface Pair dialog box opens.
• To edit a pair, select it and click the Edit Row button. The Edit Interface Pair dialog box opens.
Tip: You can also delete a pair by selecting it and clicking the Delete Row button. You cannot delete
an inline pair if there is an inline VLAN group. First delete the inline VLAN group from the
VLAN Groups tab, and then delete the inline pair.
Step 3 In the Add or Edit Inline Pairs dialog box, configure the following options:
• Inline Interface Name—The name you want to give to this inline pair. The name cannot be longer
than 32 characters; alphanumeric and underscore characters are allowed. You cannot edit this name
after you create the pair.
• Interface 1 and 2—Select the two physical interfaces that you want to form a pair. The lists include
only those interfaces that are defined on the Physical Interfaces tab and that are not already part of
an inline pair, VLAN pair, or VLAN group.
• Description—An optional description for the pair.
Step 4 Click OK to save your changes.
Configuring Inline VLAN Pairs
Use the VLAN Pairs tab of the IPS Interfaces policy to configure the VLAN pairs for physical interfaces.
The summary table displays the existing VLAN pairs for each physical interface. You can create multiple
VLAN pairs on a single physical interface. For more information about inline VLAN pair mode, see
Inline VLAN Pair Mode, page 36-3.
Tips
• You cannot create a VLAN pair for an interface if it is already part of an inline interface pair; create
VLAN groups for inline interface pairs.
• To create an inline VLAN pair for an interface that is in promiscuous mode and assigned to a virtual
sensor, you must first remove the interface from the virtual sensor (using the Virtual Sensors policy)
and then create the inline VLAN pair.
• You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair.
• If your sensor does not support inline VLAN pairs, the VLAN Pairs pane is not displayed. IPS
modules on routers and ASA devices do not support inline VLAN pairs.
• When using inline VLAN pairs, you should configure UniDirectional Link Detection (UDLD) on
the connected switch that is hosting the VLANs. UDLD can help switches prevent spanning-tree
forwarding loops and single direction links. For detailed information, see Configuring UDLD in
Installing and Using Intrusion Prevention System Device Manager.
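
The following added example (not part of the Cisco guide and not a Security Manager feature) checks a planned interface layout against the inline pair rules in Step 3 and the VLAN pair tips above before you enter it in the dialog boxes. The dictionary layout, the per-interface default VLAN value, and the sample interface names and VLAN numbers are assumptions made for illustration.

```python
import re

# Step 3 naming rule; rejecting an empty name is an added assumption.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def check_plan(plan):
    """Return rule violations for a planned layout (hypothetical dict format)."""
    errors = []
    physical = plan["physical"]  # {interface: default VLAN of that interface}
    # Physical interfaces that already carry a VLAN pair or their own VLAN group.
    claimed = {i for i, _, _ in plan["vlan_pairs"]} | set(plan["vlan_group_ifaces"])
    paired = set()  # interfaces consumed by inline pairs so far
    for name, if1, if2 in plan["inline_pairs"]:
        if not NAME_RE.fullmatch(name):
            errors.append(f"{name!r}: use 1-32 alphanumeric or underscore characters")
        for iface in (if1, if2):
            if iface not in physical:
                errors.append(f"{name}: {iface} is not a defined physical interface")
            elif iface in claimed or iface in paired:
                errors.append(f"{name}: {iface} is already in an inline pair, "
                              "VLAN pair, or VLAN group")
            paired.add(iface)
    for iface, vlan1, vlan2 in plan["vlan_pairs"]:
        if iface in paired:
            errors.append(f"{iface}: part of an inline pair; use a VLAN group instead")
        if iface in plan["promiscuous_in_vs"]:
            errors.append(f"{iface}: remove it from its virtual sensor first")
        if physical.get(iface) in (vlan1, vlan2):
            errors.append(f"{iface}: pair {vlan1}/{vlan2} uses the default VLAN")
    return errors

# Constructed sample plan; interface names and VLAN numbers are illustrative.
SAMPLE_PLAN = {
    "physical": {"GigabitEthernet0/0": 0, "GigabitEthernet0/1": 0,
                 "GigabitEthernet0/2": 0, "GigabitEthernet0/3": 10},
    "inline_pairs": [("dmz_pair", "GigabitEthernet0/0", "GigabitEthernet0/1"),
                     ("core-pair", "GigabitEthernet0/2", "GigabitEthernet0/4")],
    "vlan_pairs": [("GigabitEthernet0/3", 10, 20), ("GigabitEthernet0/1", 30, 40)],
    "vlan_group_ifaces": [],
    "promiscuous_in_vs": ["GigabitEthernet0/3"],
}

if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN):
        print(problem)
```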