4-27
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 4 Configuring Interfaces
Configuring VLAN Group Mode
You can divide each physical interface or inline interface into VLAN group subinterfaces, each of which
consists of a group of VLANs on that interface. Analysis Engine supports multiple virtual sensors, each
of which can monitor one or more of these interfaces. This lets you apply multiple policies to the same
sensor. The advantage is that now you can use a sensor with only a few interfaces as if it had many
interfaces.
Note
You cannot divide physical interfaces that are in inline VLAN pairs into VLAN groups.
VLAN group subinterfaces associate a set of VLANs with a physical or inline interface. No VLAN can
be a member of more than one VLAN group subinterface. Each VLAN group subinterface is identified
by a number between 1 and 255. Subinterface 0 is a reserved subinterface number used to represent the
entire unvirtualized physical or logical interface. You cannot create, delete, or modify subinterface 0 and
no statistics are reported for it.
An unassigned VLAN group is maintained that contains all VLANs that are not specifically assigned to
another VLAN group. You cannot directly specify the VLANs that are in the unassigned group. When a
VLAN is added to or deleted from another VLAN group subinterface, the unassigned group is updated.
Packets in the native VLAN of an 802.1q trunk do not normally have 802.1q encapsulation headers to
identify the VLAN number to which the packets belong. A default VLAN variable is associated with
each physical interface and you should set this variable to the VLAN number of the native VLAN or to 0.
The value 0 indicates that the native VLAN is either unknown or you do not care if it is specified. If the
default VLAN setting is 0, the following occurs:
• Any alerts triggered by packets without 802.1q encapsulation have a VLAN value of 0 reported in
the alert.
• Non-802.1q encapsulated traffic is associated with the unassigned VLAN group and it is not
possible to assign the native VLAN to any other VLAN group.
Note
You can configure a port on a switch as either an access port or a trunk port. On an access port, all traffic
is in a single VLAN, which is called the access VLAN. On a trunk port, multiple VLANs can be carried over
the port, and each packet has a special header attached, called the 802.1q header, that contains the VLAN
ID. This header is commonly referred to as the VLAN tag. However, a trunk port has a special VLAN called
the native VLAN. Packets in the native VLAN do not have the 802.1q headers attached.
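As an added illustration that is not part of the Cisco guide and not Cisco code, the following Python model encodes the VLAN group rules described above: subinterface numbers 1 to 255 with 0 reserved, no VLAN in more than one group, the unassigned group derived rather than configured, and the default VLAN setting deciding where untagged (native VLAN) packets land and what VLAN value an alert would report. The interface name and VLAN numbers are constructed for the example.

```python
# Added example (not Cisco's code): a model of the VLAN group subinterface
# rules from the guide, used to check assignment and classification offline.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, Union

ALL_VLANS = frozenset(range(1, 4095))   # usable 802.1q VLAN IDs, 1..4094
RESERVED_SUBINTERFACE = 0               # the whole unvirtualized interface
MAX_SUBINTERFACE = 255
UNASSIGNED = "unassigned"               # label for the unassigned VLAN group

Target = Tuple[Union[int, str], int]    # (subinterface or UNASSIGNED, reported VLAN)


@dataclass
class VlanGroupInterface:
    """One physical or inline interface divided into VLAN group subinterfaces."""
    name: str
    default_vlan: int = 0                      # native VLAN number, 0 = unknown
    groups: Dict[int, Set[int]] = field(default_factory=dict)

    def add_group(self, subinterface: int, vlans: Set[int]) -> None:
        """Create a VLAN group subinterface, enforcing the guide's rules."""
        if subinterface == RESERVED_SUBINTERFACE:
            raise ValueError("subinterface 0 is reserved and cannot be created")
        if not 1 <= subinterface <= MAX_SUBINTERFACE:
            raise ValueError("subinterface number must be between 1 and 255")
        if subinterface in self.groups:
            raise ValueError(f"subinterface {subinterface} already exists")
        bad = sorted(v for v in vlans if v not in ALL_VLANS)
        if bad:
            raise ValueError(f"invalid VLAN ids: {bad}")
        # No VLAN may be a member of more than one VLAN group subinterface.
        for other, members in self.groups.items():
            overlap = vlans & members
            if overlap:
                raise ValueError(
                    f"VLANs {sorted(overlap)} already in subinterface {other}")
        self.groups[subinterface] = set(vlans)

    def unassigned_vlans(self) -> Set[int]:
        """The unassigned group: every VLAN not placed in another group.
        It is derived, never set directly, so it tracks every add/delete."""
        assigned: Set[int] = set()
        for members in self.groups.values():
            assigned |= members
        return set(ALL_VLANS) - assigned

    def classify(self, tag: Optional[int]) -> Target:
        """Map a packet to (subinterface, VLAN value an alert would report).

        tag is the 802.1q VLAN ID, or None for a packet with no 802.1q header
        (native VLAN traffic on a trunk, or any traffic on an access port).
        """
        if tag is None:
            if self.default_vlan == 0:
                # Native VLAN unknown: untagged traffic goes to the unassigned
                # group and alerts report VLAN 0.
                return (UNASSIGNED, 0)
            tag = self.default_vlan   # treat as the configured native VLAN
        for subinterface, members in self.groups.items():
            if tag in members:
                return (subinterface, tag)
        return (UNASSIGNED, tag)


def rejected(iface: VlanGroupInterface, subinterface: int,
             vlans: Set[int]) -> Optional[str]:
    """Return the rejection reason for an add_group attempt, or None if accepted."""
    try:
        iface.add_group(subinterface, vlans)
    except ValueError as exc:
        return str(exc)
    return None


def build_example() -> VlanGroupInterface:
    """Constructed configuration: hypothetical interface with two VLAN groups."""
    iface = VlanGroupInterface("GigabitEthernet0/1")   # constructed name
    iface.add_group(1, {10, 20})
    iface.add_group(2, set(range(100, 200)))
    return iface


if __name__ == "__main__":
    iface = build_example()
    print(iface.classify(10), iface.classify(150), iface.classify(300))
    print("untagged, default VLAN 0:", iface.classify(None))
    iface.default_vlan = 10
    print("untagged, default VLAN 10:", iface.classify(None))
    print(rejected(iface, 3, {20}))
```

The point of the model is the last two lines of the script: with the default VLAN left at 0, untagged traffic can only ever be seen by whichever virtual sensor monitors the unassigned group, and its alerts carry VLAN 0; setting the default VLAN to the real native VLAN number makes that traffic follow the group that VLAN belongs to.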
Deploying VLAN Groups
Because a VLAN group of an inline pair does not translate the VLAN ID, an inline paired interface must
exist between two switches to use VLAN groups on a logical interface. For an appliance, you can connect
the two pairs to the same switch, make them access ports, and then set the access VLANs for the two
ports differently. In this configuration, the sensor connects between two VLANs, because each of the
two ports is in access mode and carries only one VLAN. In this case the two ports must be in different
VLANs, and the sensor bridges the two VLANs, monitoring any traffic that flows between the two
VLANs.
You can also connect appliances between two switches. There are two variations. In the first variation,
the two ports are configured as access ports, so they carry a single VLAN. In this way, the sensor bridges
a single VLAN between the two switches.