I am trying to send specific traffic (with an ACL) to a separate sensor in the AIP-SSM.
When I check the counters of the vs on the module, no traffic is inspected.
My config looks like the following:
access-list ips_dmz permit ip any host x.x.x.x
access-list ips_dmz permit ip host x.x.x.x any
match access-list ips_dmz
ips inline fail-close sensor vs1
ips inline fail-open sensor vs0
service-policy ips_policy interface outside
service-policy ips_policy interface inside
service-policy ips_policy interface dmz1
There is no difference whether I use an ACL to mark traffic or specify a TCP or UDP port in the class-map.
The traffic inspection on vs0 runs perfectly.
If you look at Cisco's documentation, they actually specify separate service policies rather than grouping your class maps in a single policy, and then apply the individual service policies to the appropriate interfaces. http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html#wp1046943 I know I used this similar configuration at my last job, and it worked like a champ.
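A complete ASA MPF configuration laid out the way the reply describes, as an added example (not the poster's config and not text from Cisco's documentation); the class-map, policy-map and interface names are assumed, and x.x.x.x is the poster's own placeholder.

```cisco
! Constructed example: one class-map per traffic set, one policy-map per
! interface. Names (ips_dmz_class, ips_all_class, *_policy) are assumed.
!
! Traffic to or from the DMZ host is steered to virtual sensor vs1
access-list ips_dmz permit ip any host x.x.x.x
access-list ips_dmz permit ip host x.x.x.x any
!
class-map ips_dmz_class
 match access-list ips_dmz
!
! Catch-all class for everything else, steered to vs0
class-map ips_all_class
 match any
!
! An interface accepts only one service-policy (plus one global policy),
! so each interface gets its own policy-map. For a given feature such as
! ips, a packet is handled by the FIRST matching class in the policy-map,
! so the specific DMZ class must come before the catch-all class.
policy-map dmz1_policy
 class ips_dmz_class
  ips inline fail-close sensor vs1
 class ips_all_class
  ips inline fail-open sensor vs0
!
policy-map outside_policy
 class ips_dmz_class
  ips inline fail-close sensor vs1
 class ips_all_class
  ips inline fail-open sensor vs0
!
policy-map inside_policy
 class ips_all_class
  ips inline fail-open sensor vs0
!
service-policy dmz1_policy interface dmz1
service-policy outside_policy interface outside
service-policy inside_policy interface inside
!
! Check that packets are actually hitting the vs1 class on the ASA side
! before looking at the sensor's own counters
show service-policy interface dmz1
show service-policy interface outside
```

If the per-class packet counters on the ASA stay at zero, the problem is in the match or class ordering on the ASA; if they increase while the module shows nothing, look at the virtual sensor assignment on the AIP-SSM itself.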