Installing the Cisco Intrusion Prevention System Security Services Processor 7.1
Introducing the IPS SSP


Introducing the Cisco IPS SSP



Note The Cisco ASA 5585-X with the IPS SSP is currently the only platform that supports Cisco IPS 7.1. No other Cisco IPS sensors currently support IPS 7.1.



Note The Cisco ASA 5585-X with the IPS SSP is supported in ASA 8.2(4.4) and later as well as ASA 8.4(2) and later. It is not supported in ASA 8.3(x).


This chapter describes the Cisco IPS SSP, and includes the following sections:

Introducing the Cisco IPS SSP

Specifications

Hardware and Software Requirements

Front Panel Features

Memory Requirements

SFP/SFP+ Modules


Note Read through the entire guide before beginning any of the installation procedures.



Warning Only trained and qualified personnel should install, replace, or service this equipment. Statement 49

Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5585-X Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide.

Introducing the Cisco IPS SSP

You can install the Cisco Intrusion Prevention System Security Services Processor (IPS SSP) in the ASA 5585-X adaptive security appliance. The ASA 5585-X is a 2RU, two-slot chassis. The Security Services Processor (SSP) resides in slot 0 (the bottom slot) and the IPS SSP resides in slot 1 (the top slot). All port numbers are numbered from right to left beginning with 0.


Note The ASA 5585-X supports dual firewall mode for the ASA 5585-X SSP-40 and ASA 5585-X SSP-60 models. The SSPs must match; that is, SSP-40s together and SSP-60s together in one chassis.


The ASA 5585-X series with IPS SSP comes in four models:

ASA 5585-X SSP-10 with IPS SSP-10

ASA 5585-X SSP-20 with IPS SSP-20

ASA 5585-X SSP-40 with IPS SSP-40

ASA 5585-X SSP-60 with IPS SSP-60

In addition to world-class performance, the ASA 5585-X deploys encrypted traffic inspection, port density (up to 20 interfaces depending on the model), and feature performance matching, that is, performance parity between firewall and IPS functions. All ASA 5585-X series adaptive security appliances ship with a core SSP; the IPS SSP is optional. You must have the core SSP to run the IPS SSP.


Note Online insertion and removal (OIR) of the SSP and IPS SSP is not supported at this time. SFP/SFP+, power supply module, and fan module OIR is supported.


IDM

The IPS SSP supports the Intrusion Prevention System Device Manager (IDM) 7.1. IDM delivers security management and monitoring through an intuitive, easy-to-use web-based management interface. IDM is a Java Web Start application that enables you to configure and manage your IPS SSP. IDM is bundled with IPS 7.1. You can access it through Internet Explorer or Firefox web browsers.

IME

The Intrusion Prevention System Manager Express (IME) 7.1 also supports the IPS SSP. IME is a network management application that provides system health, events, and collaboration monitoring in addition to reporting and configuration for up to ten sensors. IME monitors sensor health using customizable dashboards and provides security alerts through RSS feed integration from the Cisco Security Intelligence Operations site. It monitors global correlation data, which you can view in events and reports. It monitors events and lets you sort views by filtering, grouping, and colorization. IME also supports tools such as ping, traceroute, DNS lookup, and whois lookup for selected events. It contains a flexible reporting network. It embeds the IDM configuration component to allow for a seamless integration between the monitoring and configuration of IPS devices. Within IME you can set up your sensors, configure policies, monitor IPS events, and generate reports. IME works in single application mode: the entire application is installed on one system and you manage everything from that system.

ASA 5585-X SSP-10 With IPS SSP-10

The ASA 5585-X SSP-10 with IPS SSP-10 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (2 SFP/SFP+ and 18 copper Gigabit Ethernet). The SSP-10 with IPS SSP-10 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-10 with IPS SSP-10 has one CPU, three DIMM modules, one embedded crypto accelerator, and one dual-port 10-GB uplink for the SFP/SFP+ interfaces.

ASA 5585-X SSP-20 With IPS SSP-20

The ASA 5585-X SSP-20 with IPS SSP-20 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (2 SFP/SFP+ and 18 copper Gigabit Ethernet). The SSP-20 with IPS SSP-20 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-20 with IPS SSP-20 has one CPU, 6 DIMM modules, two embedded crypto accelerators, and one dual-port 10-GB uplink for the SFP/SFP+ interfaces.

ASA 5585-X SSP-40 With IPS SSP-40

The ASA 5585-X SSP-40 with IPS SSP-40 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (4 SFP/SFP+ and 16 copper Gigabit Ethernet). The SSP-40 with IPS SSP-40 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-40 with IPS SSP-40 has two CPUs, 6 DIMM modules, three embedded crypto accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.

ASA 5585-X SSP-60 With IPS SSP-60

The ASA 5585-X SSP-60 with IPS SSP-60 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (4 SFP/SFP+ and 16 copper Gigabit Ethernet). The SSP-60 with IPS SSP-60 ships with two power supply modules. Although it can function with only one power supply module, we recommend that you install two power supply modules for extended reliability, because the power supply modules operate in load-sharing mode. If one fails in this configuration, the other power supply module can still handle the full load until the failed power supply module is replaced. The SSP-60 with IPS SSP-60 has two CPUs, 12 DIMM modules, four embedded crypto accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.


Warning If you remove a power supply or fan module, replace it immediately to prevent service disruption.

Figure 1-1 shows the IPS SSP.

Figure 1-1 IPS SSP

For More Information

For detailed information on IDM, refer to Installing and Using Cisco Intrusion Prevention System Device Manager 7.1.

For detailed information on IME, refer to Installing and Using Cisco Intrusion Prevention System Manager Express 7.1.

For detailed information on the ASA 5585-X, refer to Cisco ASA 5585-X Adaptive Security Appliance Hardware Installation Guide.

Specifications

Table 1-1 lists the specifications for the IPS SSP.

Table 1-1 IPS SSP Specifications 

Height: 1.70 in
Width: 17.00 in
Depth: 15.50 in
Weight: 11.50 lb
Temperature:
    Operating: 32 to 104°F (0 to 40°C)
    Nonoperating: -40°F to 167°F (-40°C to 75°C)
Relative humidity (noncondensing):
    Operating: 10% to 90%
    Nonoperating: 5% to 95%


Hardware and Software Requirements

The IPS SSP has the following hardware and software requirements:

Cisco ASA 5585-X adaptive security appliance
    ASA 5585-X SSP-10 with IPS SSP-10
    ASA 5585-X SSP-20 with IPS SSP-20
    ASA 5585-X SSP-40 with IPS SSP-40
    ASA 5585-X SSP-60 with IPS SSP-60

Cisco Adaptive Security Appliance Software 8.2.4 or later

Cisco Intrusion Prevention System Software 7.1(1) or later

3DES-enabled

Front Panel Features

This section describes the front panel features and indicators of the IPS SSP.

Front Panel Features

Figure 1-2 shows the front view of the IPS SSP-10 and IPS SSP-20.


Note The illustration shows the IPS SSP-10, but it applies to both the -10 and -20 models.


Figure 1-2 IPS SSP-10 Front Panel View

1. IPS SSP (Slot 1)
2. SSP (Slot 0)
3. SSP/IPS SSP Removal Screws
4. Reserved Bays for Hard-Disk Drives [1]
5. TenGigabitEthernet 0/1 (10-GB fiber, SFP, or SFP+)
6. TenGigabitEthernet 0/0 (1-GB fiber, SFP, or SFP+)
7. GigabitEthernet 1/0 through 1/7, from right to left (1-GB copper, RJ45)
8. Management 0/1 (GigabitEthernet RJ45)
9. Management 0/0 (GigabitEthernet RJ45)
10. USB Port
11. USB Port
12. Front Panel Indicators
13. Auxiliary Port (RJ45)
14. Console Port (RJ45)
15. Eject [2]

[1] Hard-disk drives are not supported at this time. The hard-disk drive bays are empty.

[2] Reserved for future use for OIR.


Figure 1-3 shows the front view of IPS SSP-40 and IPS SSP-60.


Note The illustration shows the IPS SSP-40, but it applies to both the -40 and the -60 models.


Figure 1-3 IPS SSP-40 Front Panel View

1. IPS SSP (slot 1)
2. SSP (slot 0)
3. SSP/IPS SSP removal screws
4. Reserved bays for hard-disk drives [1]
5. TenGigabitEthernet 1/9 (10-GB fiber, SFP, or SFP+)
6. TenGigabitEthernet 1/8 (1-GB fiber, SFP, or SFP+)
7. TenGigabitEthernet 1/7 (10-GB fiber, SFP, or SFP+)
8. TenGigabitEthernet 0/6 (SSP in slot 2); TenGigabitEthernet 1/6 (IPS SSP in slot 1) (1-GB fiber, SFP, or SFP+)
9. GigabitEthernet 0/0 through 0/5 (SSP in slot 2); GigabitEthernet 1/0 through 1/5 (IPS SSP in slot 1) (from right to left, 1-GB copper, RJ45)
10. Management 1/1 (GigabitEthernet RJ45)
11. Management 1/0 (GigabitEthernet RJ45)
12. USB port
13. USB port
14. Front panel indicators
15. Auxiliary port (RJ45)
16. Console port (RJ45)
17. Eject [2]

[1] Hard-disk drives are not supported at this time. The hard-disk drive bays are empty.

[2] Reserved for future use for OIR.


Figure 1-4 shows the front panel indicators.

Figure 1-4 IPS SSP Front Panel Indicators

1. PWR
2. BOOT
3. ALARM
4. ACT
5. VPN
6. PS1
7. PS0
8. HDD1
9. HDD2

Table 1-2 describes the front panel indicators on the IPS SSP.

Table 1-2 IPS SSP Front Panel Indicators 

Indicator: Description

PWR: Indicates whether the system is off or on:
    Off: No power.
    Green: System has power.

BOOT: Indicates how the power-up diagnostics are proceeding:
    Flashing green: Power-up diagnostics are running or the system is booting.
    Green: System has passed power-up diagnostics.
    Amber: Power-up diagnostics failed.

ALARM [1]: Indicates whether a component has failed:
    Off: No alarm.
    Flashing yellow: Critical alarm. Major failure of hardware component or software module, temperature over the limit, power out of tolerance, or OIR is ready to remove the module. [2]

ACT: Indicates the status of an HA pair:
    Green: Status of an HA pair.

VPN: Indicates whether a VPN tunnel has been established:
    Green: VPN tunnel is established.

PS1: Indicates the state of the power supply module installed on the right when facing the back panel:
    Off: No power supply module present or no AC input.
    Green: Power supply module present, on, and good.
    Amber: Power or fan module off or failed.

PS0: Indicates the state of the power module installed on the left when facing the back panel:
    Off: No power supply module present or no AC input.
    Green: Power supply module present, on, and good.
    Amber: Power or fan module off or failed.

HDD1: Indicates activity on the hard-disk drive: [3]
    Off: No hard-disk drive present.
    Flashing green: Hard-disk drive activity.
    Amber: Hard-disk drive failure.

HDD2: Indicates activity on the hard-disk drive: [3]
    Off: No hard-disk drive present.
    Flashing green: Hard-disk drive activity.
    Amber: Hard-disk drive failure.

[1] The Cisco ASA software does not support the ALARM indicator initially; support will be added at a later date.

[2] OIR is not available at this time.

[3] The hard-disk drive bays are reserved for future use.


Table 1-3 shows the Ethernet port indicators.

Table 1-3 Ethernet Port Indicators 

Indicator: Description

Gigabit Ethernet (RJ45):
    Left side:
        Green: Physical activity
        Flashing green: Network activity
    Right side:
        Not lit: 10 Mbps
        Green: 100 Mbps
        Amber: 1000 Mbps

10-Gigabit Ethernet Fiber (SFP+)/1-Gigabit Ethernet Fiber (SFP):
    Left side:
        Off: No 10-Gigabit Ethernet physical link
        Green: 10-Gigabit Ethernet physical link
        Flashing green [1]: Network activity
    Right side:
        Off: No 1-Gigabit Ethernet physical link
        Green: 1-Gigabit Ethernet physical link
        Flashing green [1]: Network activity

Management port:
    Right side:
        Green: Link to network
    Left side:
        Flashing green: Linked with activity on the network

[1] Flashing green is in proportion to the percentage of number of packets or bytes received.


Memory Requirements

The ASA 5585-X has up to 6 DIMM modules per CPU. DIMM population is platform-dependent as seen in the following memory configurations:

ASA 5585-X SSP-10 with IPS SSP-10—12-GB DRAM.

ASA 5585-X SSP-20 with IPS SSP-20—24-GB DRAM.

ASA 5585-X SSP-40 with IPS SSP-40—36-GB DRAM.

ASA 5585-X SSP-60 with IPS SSP-60—72-GB DRAM.

SFP/SFP+ Modules

The SFP and SFP+ modules are optional and not included with the ASA 5585-X. You can purchase them separately. For 1 GB, you need SFP. For 10 GB, you need SFP+. The two ports are the same, but on the SSP-10 and SSP-20 you can use 10 GB only if you buy a license. Otherwise, the ports are restricted to 1 GB. The ports are always 10 GB-enabled for the SSP-40 and SSP-60. The interfaces are called TenGigabitEthernet 0/x for the SSP and TenGigabitEthernet 1/x for the IPS SSP whether they are 10 GB-enabled or not.

Table 1-4 lists the SFP/SFP+ modules that the ASA 5585-X supports.

Table 1-4 SFP/SFP+ Modules

1G SFP Module
    GLC-SX-MM: 1000 Base-SX SFP module
    BLC-LH-SM: 1000 Base-LX/LH SFP module

10G SFP+ Module
    SFP-10G-SR: 10G SR SFP+ module
    SFP-10G-LRM: 10G LRM SFP+ module
    SFP-10G-LR: 10G LR SFP+ module
    SFP-H10GB-CU1M: 10GBASE-CU SFP+ cable 1 meter, passive
    SFP-H10GB-CU3M: 10GBASE-CU SFP+ cable 3 meter, passive
    SFP-H10GB-CU5M: 10GBASE-CU SFP+ cable 5 meter, passive



Note The following SFP/SFP+ modules require ASA 8.2.5 or later: BLC-LH-SM, SFP-10G-LRM, SFP-10G-LR, SFP-H10GB-CU1M, SFP-H10GB-CU3M, and SFP-H10GB-CU5M.