IOS IPS configuration

Hi all,

I am implementing IOS IPS on a 3800 router but I am not sure if, when I enable it, all the previous TCP sessions already active across the router will be dropped by the inspect (because the IPS never saw when all those sessions started).

Any comments are really appreciated.

3 Replies

ymzhang
Level 1

Hi,

When IPS is enabled, L7 IPS will not scan packets for previously opened TCP sessions, so the sessions will be unaffected.

Atomic-ip, which is stateless, isn't session-aware and thus scans packets for previously opened sessions and newly opened sessions the same.

I still suggest you turn on IPS when the traffic is low and, if possible, try it out on a lab router.

Thanks,

-Chris

mmarlowe
Level 1

Note: IPS does drop all packets on configured interfaces while it is compiling signatures unless you disable the fail-closed setting.

Even with a 3800, which is pretty hefty CPU-wise compared to the other ISRs, it can take up to 20 minutes to finish a compile assuming you have about 900 sigs enabled. And during this period the CPU will be at 100%. Note that this also occurs every time the router is rebooted.

Some clarifications:

1. The fail-closed option is not configured by default. The default option is fail open.

2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in the 4.x signature format) and basic and advanced categories (in the 5.x signature format). Those are the recommended starting points while configuring router-based IOS IPS. They have about 300 and 500 signatures respectively.

3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. During the compilation process the process CPU is normally high, but it won't affect data-plane traffic passing through the router.

Hope this helps,

-Chris
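As an added example, not taken from either reply above, here is a 5.x-format IOS IPS configuration that applies the basic category mentioned in the second reply and shows where the fail-open/fail-closed setting lives. The rule name IOSIPS, the flash path flash:ips and the interface GigabitEthernet0/0 are assumptions; substitute your own. The signature package itself is loaded separately with `copy <package> idconf` after the signature-category block is in place.

```text
! Assumed: signature files are stored under flash:ips
ip ips config location flash:ips
! Assumed IPS rule name
ip ips name IOSIPS
ip ips notify log
!
! 5.x format: retire everything, then un-retire only the basic category
! (the "recommended starting point" of roughly 300 signatures)
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! Default behaviour is fail open: traffic is forwarded uninspected while
! signatures compile (and after every reboot). Uncomment the next line
! only if you want packets dropped on IPS interfaces during that window.
! ip ips fail closed
!
! Assumed interface; apply the rule in whichever direction(s) you need
interface GigabitEthernet0/0
 ip ips IOSIPS in
 ip ips IOSIPS out
!
! Verification after the compile finishes:
!   show ip ips configuration      -> rule, category and fail-open/closed state
!   show ip ips signatures count   -> how many signatures are enabled/compiled
!   show processes cpu             -> confirm CPU has dropped back after compile
```

Because compilation repeats on every reboot, leave `ip ips fail closed` off (the default) unless a short inspection gap is less acceptable to you than a short outage; either way, check `show ip ips configuration` and CPU load before declaring the deployment done.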
