Which Cisco IPS appliance TCP session tracking mode should be used if packets of the same session are coming to the sensor over different interfaces, but
should be treated as a single session?
A.
interface and VLAN
B.
virtual sensor
C.
VLAN only
D.
promiscuous
E.
normalizer
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_policies.html#w p2005229
Inline TCP Session Tracking Mode
When you choose to modify packets inline, if the packets from a stream are seen twice by the Normalizer engine, it cannot properly track the stream state and often
the stream is dropped. This situation occurs most often when a stream is routed through multiple VLANs or interfaces that are being monitored by the IPS. A further
complication in this situation is the necessity of allowing asymmetric traffic to merge for proper tracking of streams when the traffic for either direction is receivedfrom different VLANs or interfaces.
To deal with this situation, you can set the mode so that streams are perceived as unique if they are received on separate interfaces and/or VLANs (or the
subinterface for VLAN pairs). The following inline TCP session tracking modes apply:
Interface and VLAN–All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same
session. Packets with the same key but on different VLANs are tracked separately.
VLAN Only–All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session.
Packets with the same key but on different VLANs are tracked separately.
Virtual Sensor–All packets with the same session key (AaBb) within a virtual sensor belong to the same session. This is the default and almost always the best
option to choose.