Command Control Interface

Answered Question
Oct 16th, 2008

I just installed an ASA with an AIP-SSM-20 version 5.1. I have several subinterfaces on the physical G0/0, which happens to be the Command-Control interface on the IPS. However, when I try to add this interface as a Monitored interface, I get, "Error: Interface GigabitEthernet0/0 is already assigned as a promiscuous interface, as part of an inline pair or is the command-control interface." What does this mean? I've configured my ASA to send traffic off a G0/0 subinterface, but I don't see any indication this is working.

Correct Answer by marcabal, Thu 10/16/2008 - 14:13

The confusion here is that there are 2 GigabitEthernet0/0 interfaces.

The ASA has a GigabitEthernet0/0 and the SSM has a completely separate GigabitEthernet0/0.

The SSM's GigabitEthernet0/0 is the external interface of the SSM card itself. This is where the SSM's command and control IP is assigned. The SSM can NOT monitor this interface.

The ASA's GigabitEthernet0/0 is what you have subinterfaces on.

These are 2 separate interfaces.

You can NOT add the SSM's Gig 0/0 to a virtual sensor because the sensor is not capable of monitoring its external command and control interface.

You can NOT add the ASA's Gig 0/0 to a virtual sensor because you can not add ANY ASA interface to a virtual sensor. That is not how you configure monitoring for the SSM.

The ONLY interface that can be monitored by the SSM is the SSM's Gig 0/1 interface.

BUT, just as you can't confuse the SSM's Gig 0/0 and the ASA's Gig 0/0, you should also not confuse the SSM's Gig 0/1 and the ASA's Gig 0/1.

The SSM's Gig 0/1 is the backplane of the ASA.

The ASA's Gig 0/1 is the second external port of the ASA itself.

By placing the SSM's Gig 0/1 into the virtual sensor you are telling the SSM to monitor all packets from the SSM's Gig 0/1 that are coming in from the backplane of the ASA.

So to monitor traffic you have to configure the ASA to send the packets to the SSM for monitoring (i.e., send them to the backplane of the ASA so that the SSM's Gig0/1 will see them).

So how do you send the traffic from the ASA to the SSM?

Through the use of policies.

You create a class, and in the policy for that class you use one of the following configuration lines.

ips inline

or

ips promiscuous

You then apply the policy either globally to the whole ASA context, or specifically to one or more interfaces (or subinterfaces) of the ASA context.

Here is an example for how to setup a policy to send traffic to the SSM for monitoring:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
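An added example showing both halves of what the answer above describes: the ASA-side class/policy that pushes traffic to the backplane, and the SSM-side virtual sensor that monitors its own GigabitEthernet0/1. This is not configuration from the original post or from the linked Cisco document. The ACL, class-map and policy-map names, the `dmz` subinterface with its VLAN and 192.0.2.0/24 address, and the module slot number are assumptions for illustration.

```cisco
! ---- ASA side (typed at the ASA CLI, not on the SSM) ----
! Assumed subinterface on the ASA's own GigabitEthernet0/0 (not the SSM's Gig0/0).
interface GigabitEthernet0/0.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Select the traffic to hand to the SSM. "any any" sends everything the
! policy sees; narrow it to what the sensor should actually inspect.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Option 1: global policy, inline. fail-open keeps traffic flowing if the SSM
! is down or rebooting (availability over enforcement); fail-close drops it.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
!
! Option 2: per-interface policy, referenced by nameif, in promiscuous mode
! (the SSM gets a copy and can alert but not block). An interface policy
! overrides the global policy for that interface's traffic.
policy-map DMZ_IPS_POLICY
 class IPS_CLASS
  ips promiscuous fail-close
!
service-policy DMZ_IPS_POLICY interface dmz

! ---- SSM side (from the ASA: "session 1", then the IPS 5.1 CLI) ----
! Put the SSM's GigabitEthernet0/1 (the ASA backplane) into the virtual sensor.
! The SSM's GigabitEthernet0/0 is its command-and-control port and cannot be added.
configure terminal
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
```

To confirm traffic is actually reaching the sensor, check `show service-policy` on the ASA for the IPS class counters increasing, `show module 1` for the SSM's status, and `show statistics virtual-sensor` on the SSM. Choose `fail-open` versus `fail-close` deliberately: with `fail-open`, an SSM failure silently removes inspection from the path.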
