37-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 37 Configuring Virtual Sensors
Understanding the Virtual Sensor
Advantages and Restrictions of Virtualization
An advantage of using virtual sensors is that you can operate more than one virtual sensor on one
appliance while configuring each virtual sensor differently with regard to signature behavior and traffic
feed. For example, if you want to create a policy for a data center and a second much different policy for
the campus network, yet run both policies on the same hardware device, you can configure separate
virtual sensors to implement these policies.
Virtualization has the following advantages:
• You can apply different configurations to different sets of traffic.
• You can monitor two networks with overlapping IP spaces with one sensor.
• You can monitor both inside and outside a firewall or NAT device.
Virtualization has the following restrictions:
• You must assign both sides of asymmetric traffic to the same virtual sensor.
• Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups.
  – When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking.
  – When using the MSFC, fast path switching of learned routes changes the behavior of VACL captures and SPAN.
• Persistent store is limited.
• Not all IPS sensors support multiple virtual sensors. The Virtual Sensors policy appears for all IPS appliances and service modules, because you must use it to assign interfaces to the base vs0 sensor. If the Add button in the policy is disabled for a device, and you have not configured user-defined virtual sensors, then the device does not support virtualization. Examples of devices that do not support virtualization include the Cisco IPS 4215, NM-CIDS, AIM-IPS, NME-IPS, and AIP-SSC. IDSM2 supports virtualization, but it does not support VLAN groups or inline interface pairs.
• You must use IPS 6.0+ software. Older software versions do not support virtualization.
• Cisco IOS IPS devices do not support virtualization. Use the IPS > Interface Rules policy to specify the interfaces that IPS should monitor.
Virtualization has the following traffic capture requirements:
• The virtual sensor must receive traffic that has 802.1q headers (other than traffic on the native VLAN of the capture port).
• For any given flow, the sensor must see both directions of the traffic in the same VLAN group, assigned to the same virtual sensor.
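The two flow requirements above (both sides of asymmetric traffic on one virtual sensor, and both directions in the same VLAN group) are easy to violate when several VLAN groups are spread across virtual sensors. The following Python script is an added example, not part of the Cisco Security Manager guide or of any Cisco tool: it models an interface/VLAN-to-virtual-sensor assignment and reports, for each expected flow, whether the assignment satisfies the requirements. The interface names, VLAN ids, virtual sensor names and flows are constructed sample data.

```python
"""Check a virtual-sensor assignment for flows that break the
virtualization traffic-capture requirements (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# A VLAN group as the sensor sees it: (physical interface, 802.1q VLAN id).
# All interface names and VLAN ids below are hypothetical.
VlanGroup = Tuple[str, int]


@dataclass(frozen=True)
class Flow:
    """One TCP stream and the VLAN group in which the sensor sees each direction."""
    name: str
    forward: VlanGroup   # client -> server packets
    reverse: VlanGroup   # server -> client packets


def check_flow(flow: Flow, assignment: Dict[VlanGroup, str]) -> str:
    """Verdict for one flow against a {VLAN group: virtual sensor} assignment.

    'ok'            both directions land in the same VLAN group of one virtual sensor
    'unmonitored'   at least one direction is in a VLAN group no virtual sensor owns
    'split-sensor'  asymmetric traffic: the two directions reach different virtual
                    sensors, so each sensor sees only half of the stream
    'split-vlan'    one virtual sensor, but the two directions are in different
                    VLAN groups, so the stream state cannot be matched up
    """
    fwd_sensor = assignment.get(flow.forward)
    rev_sensor = assignment.get(flow.reverse)
    if fwd_sensor is None or rev_sensor is None:
        return "unmonitored"
    if fwd_sensor != rev_sensor:
        return "split-sensor"
    if flow.forward != flow.reverse:
        return "split-vlan"
    return "ok"


def check_assignment(flows: Iterable[Flow], assignment: Dict[VlanGroup, str]) -> Dict[str, str]:
    """Run check_flow over every flow; returns {flow name: verdict}."""
    return {flow.name: check_flow(flow, assignment) for flow in flows}


def flows_to_fix(flows: Iterable[Flow], assignment: Dict[VlanGroup, str]) -> Dict[str, str]:
    """Only the flows whose verdict is not 'ok'."""
    return {name: verdict for name, verdict in check_assignment(flows, assignment).items()
            if verdict != "ok"}


# Constructed sample: vs0 monitors two data-center VLANs on Gi0/1, vs1 monitors
# campus VLAN 10 on Gi0/2 (an overlapping IP space, so it gets its own sensor).
SAMPLE_ASSIGNMENT: Dict[VlanGroup, str] = {
    ("GigabitEthernet0/1", 10): "vs0",
    ("GigabitEthernet0/1", 20): "vs0",
    ("GigabitEthernet0/2", 10): "vs1",
}

SAMPLE_FLOWS = (
    # Both directions in one VLAN group of vs0: fine.
    Flow("dc-web", ("GigabitEthernet0/1", 10), ("GigabitEthernet0/1", 10)),
    # Same sensor, but the reply comes back in another VLAN group.
    Flow("dc-db", ("GigabitEthernet0/1", 10), ("GigabitEthernet0/1", 20)),
    # Asymmetric route: request seen by vs0, reply seen by vs1.
    Flow("asym", ("GigabitEthernet0/1", 10), ("GigabitEthernet0/2", 10)),
    # Reply returns on a VLAN that no virtual sensor monitors at all.
    Flow("campus", ("GigabitEthernet0/2", 10), ("GigabitEthernet0/2", 30)),
)

if __name__ == "__main__":
    for name, verdict in check_assignment(SAMPLE_FLOWS, SAMPLE_ASSIGNMENT).items():
        print(f"{name:8s} {verdict}")
```

Run it against the real interface-to-virtual-sensor mapping you intend to push from the Virtual Sensors policy and the flows you expect to carry (taken from the routing and firewall design, not guessed): every 'split-sensor' result is a reassignment you must make before deployment, and every 'split-vlan' result is a candidate for the inline TCP session tracking mode discussed in the next section.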
Related Topics
Understanding the Virtual Sensor, page 37-1
Defining A Virtual Sensor, page 37-5
Inline TCP Session Tracking Mode
When you choose to modify packets inline, if the packets from a stream are seen twice by the Normalizer
engine, it cannot properly track the stream state and often the stream is dropped. This situation occurs
most often when a stream is routed through multiple VLANs or interfaces that are being monitored by