Cisco IPS Sensor Software Version 6.0


















This option lets you view system messages on a console connected to the serial port, even during the boot process. When you use this option, all output is directed to the serial port and any local keyboard and monitor connection is disabled. Therefore, the display-serial and no display-serial commands do not apply to those platforms. Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance.

If a terminal session is not stopped properly, that is, if it does not receive an exit 0 signal from the application that initiated the session, the terminal session can remain open. When terminal sessions are not stopped properly, authentication is not performed on the next session that is opened on the serial port. For the procedure for viewing appliance output, see Directing Output to a Serial Connection.

Use the display-serial command to direct all output to a serial connection. This lets you view system messages on a remote console using the serial port during the boot process.

The local console is not available as long as this option is enabled. Use the no display-serial command to reset the output to the local terminal.

The display-serial command does not apply to the following IPS platforms: Step 1 Log in to the CLI using an account with administrator privileges. Step 2 Direct the output to the serial port: Step 3 Reset the output to the local console: You are prompted to change them the first time you log in to the IDSM2. You can do this either by assigning an IP address directly to the IDS interface or by assigning an unnumbered loopback interface.

Step 1 Assign an IP address to the management port: Assign an unnumbered loopback interface: The IP address can be any address that is not used anywhere else in the network. Step 3 Enter your username and password at the login prompt:

Step 4 Press Ctrl-Shift-6, then x to get back to the router prompt if you sessioned to the router. It contains the following topics: The lack of an external console port means that the initial bootup configuration is possible only through the router.

Note Before you install your application software or reimage the module, opening a session brings up the bootloader. After you install the software, opening a session brings up the application. Press Enter on a blank line to go back to the session prompt, which is also the router prompt.

You should only suspend a session to the router if you will be returning to the session after executing router commands. A suspended session leaves you logged in to the CLI. When you connect with the session command, you can go back to the same CLI without having to provide your username and password. Note Telnet clients vary. Step 1 Log in to the router.

Step 4 Exit, or suspend and close the module session. Type exit until the sensor login prompt appears. Failing to close a session properly makes it possible for others to exploit a connection that is still in place. Remember to type exit at the router prompt to close the Cisco IOS session completely. Release all keys, and then press x. Note When you are finished with a session, you need to return to the router to establish the association between a session (the IPS application) and the router interfaces you want to monitor.

Multiple contexts can share one virtual sensor, and when sharing, the contexts can have different mapped names (aliases) for the same virtual sensor. Step 2 Display the list of available virtual sensors. Step 3 Enter configuration mode. Step 4 Enter multiple mode. Step 5 Add three context modes to multiple mode. Step 6 Assign virtual sensors to the security contexts. Step 7 Configure MPF for each context. Note The following example shows context 3 (c3).

Step 8 Confirm the configuration. This section describes how to configure the AIP SSM to receive IPS traffic from the adaptive security appliance (inline or promiscuous mode), and contains the following sections: The adaptive security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied.

Create or use an existing ACL. Use the class-map command to define the IPS traffic class. Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions. Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces. A traffic class map contains a match command.

When a packet is matched against a class map, the match result is either a match or a no match. If no virtual sensor is specified, traffic is assigned to the default virtual sensor. Supported modes are single or multi mode, user context, config mode, and policy map class submode. No traffic can continue through the adaptive security appliance without first passing through and being inspected by the AIP SSM. This mode is the most secure because every packet is analyzed before being permitted through.

This mode, however, can affect throughput. This mode is less secure, but has little impact on traffic throughput. Unlike when in inline mode, the AIP SSM cannot block traffic by instructing the adaptive security appliance to block the traffic or by resetting a connection on the adaptive security appliance. If the AIP SSM fails, the adaptive security appliance cannot detect this failure because the heartbeats are still received.

For inline inspection of traffic, use IPS bypass mode to drop or permit traffic through. If the sensor name was mapped, the mapped name is used. Otherwise, the real sensor name is used. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Step 2 Enter configuration mode. Step 3 Create an IPS access list. Step 4 Define the IPS traffic class. Step 5 Define the IPS policy map.

Step 6 Identify the class map from Step 5 to which you want to assign an action. Step 8 Define the IPS service policy. Step 9 Verify the settings.

End-of-Life Announcement Date: The date the document that announces the end of sale and end of life of a product is distributed to the general public. Date: June 30,

End-of-Sale Date: The last date to order the product through Cisco point-of-sale mechanisms. Date: March 26,

Last Date of Support: The last date to receive service and support for the product.

Refurbished units may be available in limited supply for sale in certain countries on a first-come, first-served basis until the Last Date of Support has been reached.

Service prices for Cisco products are subject to change after the product End of Sale date. The Cisco Takeback and Recycle program helps businesses dispose properly of surplus products that have reached their end of useful life.


