IOS IPS configuration

Unanswered Question
May 31st, 2007

Hi all,

I am implementing IOS IPS on a 3800 router, but I am not sure whether, when I enable it, all the previous TCP sessions already active across the router will be dropped by the inspect (because the IPS never saw when all those sessions started).

Any comments are really appreciated.

ymzhang Thu, 05/31/2007 - 17:06


When IPS is enabled, L7 IPS will not scan packets for previously opened TCP sessions, so the sessions will be unaffected.

Atomic-ip, which is stateless, isn't session-aware and thus scans packets for previously opened sessions and newly opened sessions the same.

I still suggest you turn on IPS when the traffic is low and, if possible, try it out on a lab router.



mmarlowe Thu, 05/31/2007 - 17:55

Note: IPS does drop all packets on configured interfaces when it is compiling signatures unless you disable the fail closed setting.

Even with a 3800, which is pretty hefty CPU-wise compared to the other ISRs, it can take up to 20 minutes to finish a compile assuming you have about 900 sigs enabled. And, during this period CPU will be at 100%. Note that this also occurs every time the router is rebooted.

ymzhang Thu, 05/31/2007 - 21:20

Some clarifications:

1. The fail closed option by default is not configured. The default option is fail open.

2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in the 4.x signature format) and basic and advanced categories (in the 5.x signature format). Those are the recommended starting points when configuring router-based IOS IPS. They have about 300 and 500 signatures respectively.

3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. During the compilation process the process CPU is normally high, but it won't affect data plane traffic passing through the router.

Hope this helps,
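As an added illustration of the points made in this thread (not configuration from any of the posters), the following IOS IPS 5.x-format setup enables only the "basic" category and leaves the default fail-open behaviour in place while signatures compile. The rule name IOSIPS, the config location flash:ips and the interface GigabitEthernet0/0 are assumptions; the category names and commands are Cisco's standard IOS IPS 5.x CLI.

```text
! Added example, not from the thread. Assumed names: IOSIPS, flash:ips,
! GigabitEthernet0/0.
!
! Directory where the router stores compiled signature state
ip ips config location flash:ips retries 1
! IPS rule name that will be bound to interfaces
ip ips name IOSIPS
! Send alerts via SDEE (requires "ip http server" or "ip http secure-server")
ip ips notify SDEE
!
! Retire every signature, then un-retire only the "basic" category so the
! compile stays small (the roughly 300-signature starting point discussed above)
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Default while signatures compile is fail open: traffic passes unscanned.
! Enabling the line below instead drops all traffic on IPS interfaces until
! the engines are built (the behaviour mmarlowe describes).
! ip ips fail closed
!
! Apply the rule inbound on the untrusted interface (assumed)
interface GigabitEthernet0/0
 ip ips IOSIPS in
!
! After loading a signature package (copy <pkg> idconf), verify with:
!   show ip ips configuration      -> rule, config location, fail-mode setting
!   show ip ips signatures count   -> total / enabled / retired / compiled
```

The "show ip ips signatures count" output is the quickest way to confirm that compilation has finished before trusting the router to scan traffic; while the compiled count is still climbing, the fail-open default means packets are being forwarded without inspection.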


