I am configuring IPS 4270-20.
I want to know that how TCP Reset would reset a session without having an IP Address.
Secondly which interface would be used by ARC to controls blocking and rate limiting actions on managed devices.
Your switchports will be set to 'access' if you are using 'physical interface inline pair' mode and it will be a trunk when you are using 'inline vlan pair mode'.
And the following is one of Marc's post regarding alternate tcp reset, its rarely required:
"Under most installations the alternate tcp reset interface is not needed.
By default the TCP resets will go back out the same interface where the attack was detected.
So if your promiscuous interface is connected to a 100Mbps hub for monitoring then the tcp resets will be sent back out that same promiscuous interface into the hub.
Or if your promiscuous interface is connected to the span port of a switch, then the tcp resets will be sent back out the same promiscuous interface into that span port.
The issue becomes no whether the sensor can send the tcp resets, but if the switch will accept them. Many switches Will accept tcp resets coming in from the span port. Some switches just require an extra parameter on the span configuration to tell the switch to allow incoming packets from the span port.
BUT there are some switches that do NOT allow incoming packets from their span ports.
These ituations are the reason for the alternate tcp reset interface configuration.
It requires having 2 sensing interfaces (one for promiscuous monitoring, and the the other used as just the alternate tcp reset interface). The command and control port can NOT be used as the alternate tcp reset interface.
You connect the promiscuous interface up to the span port of the switch. You configure the second interface as the alternate tcp reset interface of the first promiscuous interface. Then plug the second interface into the saem switch (but do Not make the 2nd one a span port).
Now when the sensor detects an attack on the 1st interface it will NOT send the tcp resets out the 1st interface, but instead will send out the tcp resets on the 2nd interface.
Since the switch won't accept the tcp resets from the span port you need the second interface to get the tcp resets into the switch.
This can also be done with taps where the taps (because taps have no means of accepting incoming packets).
The alternate tcp reset interface configuration is ignored when configured for inline monitoring. It is only used with promiscuous monitoring. "