Cisco IPS-4260-K9 - IPS Sensor 4260, IPS-4260 Installation Manual

CHAP T E R

6

Installing IPS-4260

This chapter describes IPS-4260 and how to install it. It also describes the accessories and how to install
them. This chapter contains the following sections:

• Introducing IPS-4260, page 6-1

• Supported PCI Cards, page 6-2

• Hardware Bypass, page 6-3

• Front and Back Panel Features, page 6-5

• Specifications, page 6-8

• Accessories, page 6-8

• Rack Mounting, page 6-9

• Installing IPS-4260, page 6-14

• Removing and Replacing the Chassis Cover, page 6-17

• Installing and Removing PCI Cards, page 6-19

• Installing and Removing the Power Supply, page 6-21

Caution The BIOS on IPS-4260 is specific to IPS-4260 and must only be upgraded under instructions from Cisco

with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on
IPS-4260 voids the warranty. For more information on how to obtain instructions and BIOS files from
the Cisco website, see Obtaining Cisco IPS Software, page 11-1.

Introducing IPS-4260

IPS-4260 delivers 1 Gigabit of intrusion prevention performance. You can use IPS-4260 to protect both
Gigabit subnets and aggregated traffic traversing switches from multiple subnets. IPS-4260 is a
purpose-built device that provides support for both copper and fiber NIC environments providing
flexibility of deployment in any environment.

OL-8677-01

Installing Cisco Intrusion Prevention System Appliances and Modules 5.1

6-1

Supported PCI Cards

Note Only expansion slots 2 and 3 are supported at this time.

Chapter 6 Installing IPS-4260

IPS-4260 has two built-in Gigabit Ethernet network ports and six expansion slots. The network port
numbers increase from right to left and the expansion slot numbers increase from bottom to top and from
right to left as shown in Figure 6-4 on page 6-6. Slots 2 and 3 are PCI-Express connectors and the other
expansion slots are PCI-X slots. Slots 1 through 3 are full-height slots and slots 4 though 6 are
half-height slots. The built-in management port is called Management0/0 and the built-in sensing
interface is Gigabit-Ethernet0/1. For more information on sensor interfaces, see Sensor Interfaces,

page 1-3.

For improved reliability, IPS-4260 uses a flash device for storage rather than a hard-disk drive. IPS-4260
supports two optional network interface cards, the 2SX Fiber card, and the 4GE bypass interface card
that contains the hardware-bypass feature. Initially IPS-4260 supports only the built-in interfaces and
these two interface cards. For more information on the 4GE bypass interface card, see Hardware Bypass,

page 6-3.

IPS-4260 monitors greater than 1 Gbps of aggregate network traffic on multiple sensing interfaces and
is also inline ready. It replaces IDS-4250-XL. It supports both copper and fiber interfaces.

Note The 1-Gbps performance for IPS-4260 is based on the following conditions: 10,000 new TCP

connections per second, 100,000 HTTP transactions per second, average packet size of 450 bytes, and
the system running Cisco IPS 5.1 software. The 1-Gbps performance is traffic combined from all sensing
interfaces.

IPS-4260 ships with one power supply, but it supports redundant power supplies. For more information,
see Installing and Removing the Power Supply, page 6-21.

Note IPS-4260 operates in load-sharing mode when the optional redundant power supply is installed.

Supported PCI Cards

IPS-4260 supports the following PCI cards:

• 4GE bypass interface card (part number IPS-4GE-BP-INT=)

Provides four 10/100/1000BASE-T (4GE) monitoring interfaces (allowing up to 9 total monitoring
interfaces). The 4GE bypass interface card support hardware bypass.

Installing Cisco Intrusion Prevention System Appliances and Modules 5.1

6-2

OL-8677-01

Chapter 6 Installing IPS-4260

Figure 6-1 shows the 4GE bypass interface card.

Figure 6-1 4GE Bypass Interface Card

Hardware Bypass

153325

• 2SX Card (part number IPS-2SX-INT=)

Provides two 1000BASE-SX (fiber) monitoring interfaces (allowing up to 4 total fiber monitoring
interfaces). The 2SX interface cards does not support hardware bypass.

Figure 6-2 shows the 2SX card.

Figure 6-2 2SX Interface Card

Hardware Bypass

This section describes the 4GE bypass interface card and its configuration restrictions. For the procedure
for installing and removing the 4GE bypass interface card, see Installing and Removing PCI Cards,

page 6-19.

This section contains the following topics:

• 4GE Bypass Interface card, page 6-4

190474

• Hardware Bypass Configuration Restrictions, page 6-4

OL-8677-01

Installing Cisco Intrusion Prevention System Appliances and Modules 5.1

6-3

Hardware Bypass

4GE Bypass Interface card

IPS-4260 supports the 4-port GigabitEthernet card (part number IPS-4GE-BP-INT=) with hardware
bypass. This 4GE bypass interface card supports hardware bypass only between ports 0 and 1 and
between ports 2 and 3. Figure 6-1 on page 6-3 shows the 4GE bypass interface card.

Hardware bypass complements the existing software bypass feature in IPS 5.1. For more information on
software bypass mode, refer to Configuring Bypass Mode. The following conditions apply to hardware
bypass and software bypass on IPS-4260:

• When bypass is set to OFF, software bypass is not active.

For each inline interface for which hardware bypass is available, the component interfaces are set to
disable the fail-open capability. If SensorApp fails, the sensor is powered off, reset, or if the NIC
interface drivers fail or are unloaded, the paired interfaces enter the fail-closed state (no traffic flows
through inline interface or inline VLAN subinterfaces).

• When bypass is set to ON, software bypass is active.

Software bypass forwards packets between the paired physical interfaces in each inline interface and
between the paired VLANs in each inline VLAN subinterface. For each inline interface on which
hardware bypass is available, the component interfaces are set to standby mode. If the sensor is
powered off, reset, or if the NIC interfaces fail or are unloaded, those paired interfaces enter
fail-open state in hardware (traffic flows unimpeded through inline interface). Any other inline
interfaces enter fail-closed state.

• When bypass is set to AUTO (traffic flows without inspection), software bypass is activated if

sensorApp fails.

Chapter 6 Installing IPS-4260

For each inline interface on which hardware bypass is available, the component interfaces are set to
standby mode. If the sensor is powered off, reset, or if the NIC interfaces fail or are unloaded, those
paired interfaces enter fail-open state in hardware. Any other inline interfaces enter the fail-closed
state.

Note To test fail-over, set the bypass mode to ON or AUTO, create one or more inline interfaces and power

down the sensor and verify that traffic still flows through the inline path.

Hardware Bypass Configuration Restrictions

To use the hardware bypass feature on the 4GE bypass interface card, you must pair interfaces to support
the hardware design of the card. If you create an inline interface that pairs a hardware-bypass-capable
interface with an interface that violates one or more of the hardware-bypass configuration restrictions,
hardware bypass is deactivated on the inline interface and you receive a warning message similar to the
following:

Hardware bypass functionality is not available on Inline-interface pair0.
Physical-interface GigabitEthernet2/0 is capable of performing hardware bypass only when
paired with GigabitEthernet2/1, and both interfaces are enabled and configured with the
same speed and duplex settings.

Installing Cisco Intrusion Prevention System Appliances and Modules 5.1

6-4

OL-8677-01

Chapter 6 Installing IPS-4260

The following configuration restrictions apply to hardware bypass:

• The 4-port bypass card is only supported on IPS-4260.

• Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline VLAN

• Fail-open hardware bypass is available on an inline interface if all of the following conditions are

• Autonegotiation must be set on MDI/X switch ports connected to IPS-4260.

Front and Back Panel Features

pairs.

met:

–

Both of the physical interfaces support hardware bypass.

–

Both of the physical interfaces are on the same interface card.

–

The two physical interfaces are associated in hardware as a bypass pair.

–

The speed and duplex settings are identical on the physical interfaces.

–

Both of the interfaces are administratively enabled.

You must configure both the sensor ports and the switch ports for autonegotiation for hardware
bypass to work. The switch ports must support MDI/X, which automatically reverses the transmit
and receive lines if necessary to correct any cabling problems. The sensor is only guaranteed to
operate correctly with the switch if both of them are configured for identical speed and duplex,
which means that the sensor must be set for autonegotiation too.

Front and Back Panel Features

This section describes the IPS-4260 front and back panel features and indicators.

Figure 6-3 shows the front view of IPS-4260.

Figure 6-3 IPS-4260 Front Panel Features

There are three switches on the front panel of IPS-4260:

• Power—Toggles the system power.

• Reset—Resets the system.

• ID—Toggles the system ID indicator.

RESET

POWER

RESET

ID

Power

ID

NIC

ID NIC

ID

Flash

POWER STATUSFLASH

Status

Cisco IPS 4260 series

Intrusion Prevention Sensor

153095

OL-8677-01

Installing Cisco Intrusion Prevention System Appliances and Modules 5.1

6-5

Front and Back Panel Features

(

)

Table 6-1 describes the front panel indicators on IPS-4260.

Table 6-1 Front Panel Indicators

Indicator Description

ID (blue) Continuously lit when activated by the front panel ID switch.

NIC (green) Indicates activity on either the GigabitEthernetO/1 or MGMT interfaces.

Power (green) When continuously lit, indicates DC power. The indicator is off when power is

Flash (green/amber) Off when the compact flash device is not being accessed. Blinks green when the

Status (green/amber) Blinks green while the power-up diagnostics are running or the system is

Figure 6-4 shows the back view of the IPS-4260.

Chapter 6 Installing IPS-4260

turned off or the power source is disrupted.

compact flash device is being accessed. Solid amber when a device has failed.

booting. Solid green when the system has passed power-up diagnostics. Solid
amber when the power-up diagnostics have failed.

Figure 6-4 IPS-4260 Back Panel Features

6

Mouse

connector

(not supported)

Keyboard

connector

(not supported)

Console

port

Ethernet 0/1

GE 0/1CONSOLE

Management

Gigabit

5

4

MGMT

0/0

connector

not supported

USB ports
(not used)

Video

Sensing interface

expansion slots

3

2

1

Indicator

Powe r

supply 2

light

Powe r

connector

153094

Powe r

supply 1

Installing Cisco Intrusion Prevention System Appliances and Modules 5.1

6-6

OL-8677-01

Chapter 6 Installing IPS-4260

Figure 6-5 shows the two built-in Ethernet ports, which have two indicators per port.

Figure 6-5 Ethernet Port Indicators

Front and Back Panel Features

6

5

4

LNK

SPD indicator

"SPD"

SPD

GE 0/1CONSOLE

LNK

SPD

MGMT

Link/ACT indicator

"LINK"

Diagnostic

(for TAC use)

Table 6-2 lists the back panel indicators.

Table 6-2 Back Panel Indicators

Indicator Color Description

Left side Green solid

Green blinking

Right side Not lit

Green
Amber

Physical link
Network activity

10 Mbps
100 Mbps
1000 Mbps

SPD indicator

indicators

System ID

indicator

Link/ACT indicator

153308

Status

indicator

OL-8677-01

Table 6-3 lists the power supply indicator.

Table 6-3 Power Supply Indicators

Color Description

Off No AC power to all power supplies.

Green solid Output on and ok.

Green blinking AC present, only 5Vsb on (power supply off).

Amber No AC power to this power supply (for 1+1 configuration)

or
power supply critical event causing a shutdown: failure, fuse blown (1+1
only), OCP 12 V, OVP 12 V, or fan failed.

Amber blinking Power supply warning events where the power supply continues to operate:

high temperature, high power/high current, or slow fan.

Installing Cisco Intrusion Prevention System Appliances and Modules 5.1

6-7