User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 59 Configuring Router Interfaces
IPS Module Interface Settings on Cisco IOS Routers
On some routers, you can install IPS modules such as the Cisco Intrusion Prevention System Advanced
Integration Module or Network Module. When a module is installed and active, you must configure the
IPS Module interface settings policy to define the following:
• The name of the interface between the module and the router.
• The failure mode of the module: whether to allow all traffic or to deny all traffic if the module
fails.
• The router interfaces to monitor. You can name specific interfaces or use interface roles to cover
more than one interface at a time. For example, if you have defined an All-Ethernets interface role,
you can define identical monitoring settings for every Ethernet interface on the device with a single
definition. See Understanding Interface Role Objects, page 6-67.
Tip: After you have defined an IPS Module interface settings policy, you can share the policy and assign it to
other devices. This provides a convenient method for configuring multiple devices with identical
settings. See Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34.
Before You Begin
• Define basic interface settings. See Basic Interface Settings on Cisco IOS Routers, page 59-1.
Step 1 Do one of the following:
• (Device view) Select Interfaces > Settings > IPS Module from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > IPS Module from the Policy Type selector.
Select an existing policy or create a new one.
The IPS Module Interface Settings page is displayed. See IPS Module Interface Settings Page,
page 59-22 for an explanation of the fields on this page.
Step 2 In the IPS Module Interface Settings fields, enter the name of the IPS interface (such as IDS-Sensor1/0)
or click Select to select it from a list. Also determine whether you want to allow all traffic if the module
fails (fail open) or to deny all traffic (fail closed).
Step 3 Identify the router interfaces that the module should monitor. Click the Add button below the IPS
Module Service Module Monitoring Settings table to add interfaces to the list, or select an interface and
click the Edit button to change the settings for an existing interface. Use the IPS Monitoring Information
dialog box to define the interface name or role, monitoring mode, and access list (if any). For more
information, see IPS Monitoring Information Dialog Box, page 59-23.
IPS Module Interface Settings Page
Use the IPS Module Interface Settings page to define the settings on the Cisco Intrusion Prevention
System Advanced Integration Module or Network Module. The module must be running IPS 6.0 or later.
You can define the fail mode for the IPS interface, and the interfaces that the module should monitor.
Configure this policy only if the router hosts an IPS module.