Inline Set Configuration – Cisco IPS-Only Deployment in Inline Mode
Inline Set Configuration
Now, begin the second part of the configuration—adding the interface pair to an inline set—by following these steps:
Step 1. On the Device Management page of your selected threat defense, go to the Inline Sets tab and click the Add Inline Set button. The Add Inline Set window appears.
Step 2. Under the General tab, give a name to the inline set, select an interface pair, and add it to the inline set (see Figure 6-10).
Figure 6-10 Inline Set Configuration Window
Step 3. Optionally, under the Advanced tab, enable the Propagate Link State and Snort Fail Open features (both Busy and Down), as shown in Figure 6-11. These features allow a threat defense to continue its traffic flow in case of an operational failure, thus avoiding a network outage. Following are some failure scenarios:
Figure 6-11 Advanced Settings of Inline Set
- Propagate Link State: If one of the links of an inline pair goes down, the second link can stay up and able to receive traffic. However, the threat defense cannot transfer traffic through an interface that has no link. The Propagate Link State feature automatically brings the remaining interface down if one of the interfaces in an inline pair goes down. This feature improves routing convergence time by not sending traffic through a failed link.
- Snort Fail Open (Busy): When the interface buffer is full and drops traffic, this option allows a threat defense to pass traffic without inspection.
- Snort Fail Open (Down): When Snort—the inspection engine of threat defense—goes down due to a restart, this fail open feature allows a threat defense to continue its traffic flow through the device without inspection.
Step 4. Click OK. A warning message appears, warning about the removal of existing settings from the interfaces (see Figure 6-11).
Step 5. Select Yes to accept the configuration changes. You return to the Inline Sets page. Click Save to save the configurations (see Figure 6-12).
Figure 6-12 An Inline Set Showing the Selection of Interface Pairs
Step 6. Finally, go to Deploy > Deployment, select your threat defense, and deploy the configurations to the threat defense.