Introducing the Cisco IPS SSP
Note: The Cisco ASA 5585-X with the IPS SSP is currently the only platform that supports Cisco IPS 7.1. No other Cisco IPS sensors currently support IPS 7.1.
Note: The Cisco ASA 5585-X with the IPS SSP is supported in ASA 8.2(4.4) and later as well as ASA 8.4(2) and later. It is not supported in ASA 8.3(x).
This chapter describes the Cisco IPS SSP, and includes the following sections:
•Introducing the Cisco IPS SSP
•Specifications
•Hardware and Software Requirements
•Front Panel Features
•Memory Requirements
•SFP/SFP+ Modules
Note: Read through the entire guide before beginning any of the installation procedures.
Warning: Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5585-X Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide.
Introducing the Cisco IPS SSP
You can install the Cisco Intrusion Prevention System Security Services Processor (IPS SSP) in the ASA 5585-X adaptive security appliance. The ASA 5585-X is a 2RU, two-slot chassis. The Security Services Processor (SSP) resides in slot 0 (the bottom slot) and the IPS SSP resides in slot 1 (the top slot). All port numbers are numbered from right to left beginning with 0.
Note: The ASA 5585-X supports dual firewall mode for the ASA 5585-X SSP-40 and ASA 5585-X SSP-60 models. The SSPs must match; that is, SSP-40s together and SSP-60s together in one chassis.
The ASA 5585-X series with IPS SSP comes in four models:
•ASA 5585-X SSP-10 with IPS SSP-10
•ASA 5585-X SSP-20 with IPS SSP-20
•ASA 5585-X SSP-40 with IPS SSP-40
•ASA 5585-X SSP-60 with IPS SSP-60
In addition to world-class performance, the ASA 5585-X deploys encrypted traffic inspection, port density (up to 20 interfaces depending on the model), and feature performance matching, that is, performance parity between firewall and IPS functions. All ASA 5585-X series adaptive security appliances ship with a core SSP; the IPS SSP is optional. You must have the core SSP to run the IPS SSP.
Note: Online insertion and removal (OIR) of the SSP and IPS SSP is not supported at this time. SFP/SFP+, power supply module, and fan module OIR is supported.
IDM
The IPS SSP supports the Intrusion Prevention System Device Manager (IDM) 7.1. IDM delivers security management and monitoring through an intuitive, easy-to-use web-based management interface. IDM is a Java Web Start application that enables you to configure and manage your IPS SSP. IDM is bundled with IPS 7.1. You can access it through Internet Explorer or Firefox web browsers.
IME
The Intrusion Prevention System Manager Express (IME) 7.1 also supports the IPS SSP. IME is a network management application that provides system health, events, and collaboration monitoring in addition to reporting and configuration for up to ten sensors. IME monitors sensor health using customizable dashboards and provides security alerts through RSS feed integration from the Cisco Security Intelligence Operations site. It monitors global correlation data, which you can view in events and reports. It monitors events and lets you sort views by filtering, grouping, and colorization. IME also supports tools such as ping, trace route, DNS lookup, and whois lookup for selected events. It contains a flexible reporting network. It embeds the IDM configuration component to allow for a seamless integration between the monitoring and configuration of IPS devices. Within IME you can set up your sensors, configure policies, monitor IPS events, and generate reports. IME works in single application mode—the entire application is installed on one system and you manage everything from that system.
ASA 5585-X SSP-10 With IPS SSP-10
The ASA 5585-X SSP-10 with IPS SSP-10 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (2 SFP/SFP+ and 18 copper Gigabit Ethernet). The SSP-10 with IPS SSP-10 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-10 with IPS SSP-10 has one CPU, three DIMM modules, one embedded crypto accelerator, and one dual-port 10-GB uplink for the SFP/SFP+ interfaces.
ASA 5585-X SSP-20 With IPS SSP-20
The ASA 5585-X SSP-20 with IPS SSP-20 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (2 SFP/SFP+ and 18 copper Gigabit Ethernet). The SSP-20 with IPS SSP-20 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-20 with IPS SSP-20 has one CPU, 6 DIMM modules, two embedded crypto accelerators, and one dual-port 10-GB uplink for the SFP/SFP+ interfaces.
ASA 5585-X SSP-40 With IPS SSP-40
The ASA 5585-X SSP-40 with IPS SSP-40 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (4 SFP/SFP+ and 16 copper Gigabit Ethernet). The SSP-40 with IPS SSP-40 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-40 with IPS SSP-40 has two CPUs, 6 DIMM modules, three embedded crypto accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.
ASA 5585-X SSP-60 With IPS SSP-60
The ASA 5585-X SSP-60 with IPS SSP-60 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (4 SFP/SFP+ and 16 copper Gigabit Ethernet). The SSP-60 with IPS SSP-60 ships with two power supply modules. Although it can operate with only one power supply module, we recommend that you install two power supply modules for extended reliability, because the power supply modules operate in load-sharing mode. If one fails in this configuration, the other power supply module can still handle the full load until the failed power supply module is replaced. The SSP-60 with IPS SSP-60 has two CPUs, 12 DIMM modules, four embedded crypto accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.
Warning: If you remove a power supply or fan module, replace it immediately to prevent service disruption.
Figure 1-1 shows the IPS SSP.
Figure 1-1 IPS SSP
For More Information
•For detailed information on IDM, refer to Installing and Using Cisco Intrusion Prevention System Device Manager 7.1.
•For detailed information on IME, refer to Installing and Using Cisco Intrusion Prevention System Manager Express 7.1.
•For detailed information on the ASA 5585-X, refer to Cisco ASA 5585-X Adaptive Security Appliance Hardware Installation Guide.
Specifications
Table 1-1 lists the specifications for the IPS SSP.
Table 1-1 IPS SSP Specifications
Height | 1.70 in
Width | 17.00 in
Depth | 15.50 in
Weight | 11.50 lb
Temperature | Operating: 32 to 104°F (0 to 40°C); Nonoperating: -40°F to 167°F (-40°C to 75°C)
Relative humidity (noncondensing) | Operating: 10% to 90%; Nonoperating: 5% to 95%
Hardware and Software Requirements
The IPS SSP has the following hardware and software requirements:
•Cisco ASA 5585-X adaptive security appliance
–ASA 5585-X SSP-10 with IPS SSP-10
–ASA 5585-X SSP-20 with IPS SSP-20
–ASA 5585-X SSP-40 with IPS SSP-40
–ASA 5585-X SSP-60 with IPS SSP-60
•Cisco Adaptive Security Appliance Software 8.2.4 or later
•Cisco Intrusion Prevention System Software 7.1(1) or later
•3DES-enabled
Front Panel Features
This section describes the front panel features and indicators of the IPS SSP.
Figure 1-2 shows the front view of the IPS SSP-10 and IPS SSP-20.
Note: The illustration shows the IPS SSP-10, but it applies to both the -10 and -20 models.
Figure 1-2 IPS SSP-10 Front Panel View
1 | IPS SSP (Slot 1) | 9 | Management 0/0 (GigabitEthernet RJ45)
2 | SSP (Slot 0) | 10 | USB Port
3 | SSP/IPS SSP Removal Screws | 11 | USB Port
4 | Reserved Bays for Hard-Disk Drives | 12 | Front Panel Indicators
5 | TenGigabitEthernet 0/1 (10-GB fiber, SFP, or SFP+) | 13 | Auxiliary Port (RJ45)
6 | TenGigabitEthernet 0/0 (1-GB fiber, SFP, or SFP+) | 14 | Console Port (RJ45)
7 | GigabitEthernet 1/0 through 1/7, from right to left (1-GB copper, RJ45) | 15 | Eject
8 | Management 0/1 (GigabitEthernet RJ45) | |
Figure 1-3 shows the front view of IPS SSP-40 and IPS SSP-60.
Note: The illustration shows the IPS SSP-40, but it applies to both the -40 and the -60 models.
Figure 1-3 IPS SSP-40 Front Panel View
1 | IPS SSP (slot 1) | 10 | Management 1/1 (GigabitEthernet RJ45)
2 | SSP (slot 0) | 11 | Management 1/0 (GigabitEthernet RJ45)
3 | SSP/IPS SSP removal screws | 12 | USB port
4 | Reserved bays for hard-disk drives | 13 | USB port
5 | TenGigabitEthernet 1/9 (10-GB fiber, SFP, or SFP+) | 14 | Front panel indicators
6 | TenGigabitEthernet 1/8 (1-GB fiber, SFP, or SFP+) | 15 | Auxiliary port (RJ45)
7 | TenGigabitEthernet 1/7 (10-GB fiber, SFP, or SFP+) | 16 | Console port (RJ45)
8 | TenGigabitEthernet 0/6 (SSP in slot 2); TenGigabitEthernet 1/6 (IPS SSP in slot 1) (1-GB fiber, SFP, or SFP+) | 17 | Eject
9 | GigabitEthernet 0/0 through 0/5 (SSP in slot 2); GigabitEthernet 1/0 through 1/5 (IPS SSP in slot 1) (from right to left, 1-GB copper, RJ45) | |
Figure 1-4 shows the front panel indicators.
Figure 1-4 IPS SSP Front Panel Indicators
1 | PWR
2 | BOOT
3 | ALARM
4 | ACT
5 | VPN
6 | PS1
7 | PS0
8 | HDD1
9 | HDD2
Table 1-2 describes the front panel indicators on the IPS SSP.
Table 1-2 IPS SSP Front Panel Indicators
Indicator | Description
PWR | Indicates whether the system is off or on:
•Off—No power.
•Green—System has power.
BOOT | Indicates how the power-up diagnostics are proceeding:
•Flashing green—Power-up diagnostics are running or the system is booting.
•Green—System has passed power-up diagnostics.
•Amber—Power-up diagnostics failed.
ALARM | Indicates whether a component has failed:
•Off—No alarm.
•Flashing yellow—Critical alarm. Major failure of hardware component or software module, temperature over the limit, power out of tolerance, or OIR is ready to remove the module.
ACT | Indicates the status of an HA pair:
•Green—Status of an HA pair.
VPN | Indicates whether a VPN tunnel has been established:
•Green—VPN tunnel is established.
PS1 | Indicates the state of the power supply module installed on the right when facing the back panel:
•Off—No power supply module present or no AC input.
•Green—Power supply module present, on, and good.
•Amber—Power or fan module off or failed.
PS0 | Indicates the state of the power module installed on the left when facing the back panel:
•Off—No power supply module present or no AC input.
•Green—Power supply module present, on, and good.
•Amber—Power or fan module off or failed.
HDD1 | Indicates activity on the hard-disk drive:
•Off—No hard-disk drive present.
•Flashing green—Hard-disk drive activity.
•Amber—Hard-disk drive failure.
HDD2 | Indicates activity on the hard-disk drive:
•Off—No hard-disk drive present.
•Flashing green—Hard-disk drive activity.
•Amber—Hard-disk drive failure.
Table 1-3 shows the Ethernet port indicators.
Table 1-3 Ethernet Port Indicators
Indicator | Description
Gigabit Ethernet (RJ45) |
•Left side:
–Green—Physical activity
–Flashing green—Network activity
•Right side:
–Not lit—10 Mbps
–Green—100 Mbps
–Amber—1000 Mbps
10-Gigabit Ethernet Fiber (SFP+)/1-Gigabit Ethernet Fiber (SFP) |
•Left side:
–Off—No 10-Gigabit Ethernet physical link
–Green—10-Gigabit Ethernet physical link
–Flashing green—Network activity
•Right side:
–Off—No 1-Gigabit Ethernet physical link
–Green—1-Gigabit Ethernet physical link
–Flashing green—Network activity
Management port |
•Right side:
–Green—Link to network
•Left side:
–Flashing green—Linked with activity on the network
Memory Requirements
The ASA 5585-X has up to 6 DIMM modules per CPU. DIMM population is platform-dependent as seen in the following memory configurations:
•ASA 5585-X SSP-10 with IPS SSP-10—12-GB DRAM.
•ASA 5585-X SSP-20 with IPS SSP-20—24-GB DRAM.
•ASA 5585-X SSP-40 with IPS SSP-40—36-GB DRAM.
•ASA 5585-X SSP-60 with IPS SSP-60—72-GB DRAM.
SFP/SFP+ Modules
The SFP and SFP+ modules are optional and not included with the ASA 5585-X. You can purchase them separately. For 1 GB, you need SFP. For 10 GB, you need SFP+. The two ports are the same, but on the SSP-10 and SSP-20 you can use 10 GB only if you buy a license; otherwise, the ports are restricted to 1 GB. The ports are always 10 GB-enabled for the SSP-40 and SSP-60. The interfaces are called TenGigabitEthernet 0/x for the SSP and TenGigabitEthernet 1/x for the IPS SSP whether they are 10 GB-enabled or not.
Table 1-4 lists the SFP/SFP+ modules that the ASA 5585-X supports.
Table 1-4 SFP/SFP+ Modules
1G SFP Module
GLC-SX-MM | 1000 Base-SX SFP module
BLC-LH-SM | 1000 Base-LX/LH SFP module
10G SFP+ Module
SFP-10G-SR | 10G SR SFP+ module
SFP-10G-LRM | 10G LRM SFP+ module
SFP-10G-LR | 10G LR SFP+ module
SFP-H10GB-CU1M | 10GBASE-CU SFP+ cable 1 meter, passive
SFP-H10GB-CU3M | 10GBASE-CU SFP+ cable 3 meter, passive
SFP-H10GB-CU5M | 10GBASE-CU SFP+ cable 5 meter, passive
Note: The following SFP/SFP+ modules require ASA 8.2.5 or later: BLC-LH-SM, SFP-10G-LRM, SFP-10G-LR, SFP-H10GB-CU1M, SFP-H10GB-CU3M, and SFP-H10GB-CU5M.