05-31-2007 02:52 PM - edited 03-10-2019 03:38 AM
Hi all,
I am implementing IOS IPS on a 3800 router but I am not sure if, when I enable it, all the previous TCP sessions already active across the router will be dropped by the inspect (because the IPS never saw when all those sessions started).
Any comments are really appreciated..
05-31-2007 05:06 PM
Hi,
When IPS is enabled, L7 IPS will not scan packets for previously opened TCP sessions, so the sessions will be unaffected.
Atomic-ip, which is stateless, isn't session-aware and thus scans packets for previously opened sessions and newly opened sessions the same.
I still suggest you turn on IPS when the traffic is low and, if possible, try it out on a lab router.
Thanks,
-Chris
05-31-2007 05:55 PM
Note: IPS does drop all packets on configured interfaces when it is compiling signatures unless you disable the fail closed setting.
Even with a 3800, which is pretty hefty CPU-wise compared to the other ISRs, it can take up to 20 minutes to finish a compile assuming you have about 900 sigs enabled. And, during this period CPU will be at 100%. Note that this also occurs every time the router is rebooted.
05-31-2007 09:20 PM
Some clarifications:
1. the fail closed option by default is not configured. Default option is fail open.
2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in the 4.x signature format) and the basic and advanced categories (in the 5.x signature format). Those are the recommended starting points when configuring router-based IOS IPS. They have about 300 and 500 signatures respectively.
3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. And during the compilation process, the process CPU normally is high, but it won't affect data plane traffic passing the router.
Hope this helps,
-Chris
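To make the two points above concrete (fail open being the default, and starting from the basic category rather than all signatures), here is an added IOS IPS 5.x-format configuration skeleton. It is not from any post in this thread; the IPS rule name `iosips`, the signature store `flash:ips`, and the interface `GigabitEthernet0/0` are placeholders. It assumes the Cisco public key for signature verification has already been configured and that a signature package has been loaded with `copy <package> idconf`, neither of which is shown.

```text
! --- Global IOS IPS setup (5.x signature format) ---
! Where compiled signatures and the signature package live
ip ips config location flash:ips retries 1
! Name of the IPS rule that will be applied to interfaces
ip ips name iosips
!
! Fail-open is the DEFAULT: while signatures are being compiled (at
! enable time and again after every reboot), traffic on the configured
! interfaces passes uninspected instead of being dropped.
! Only add the next line if you deliberately want packets dropped on
! those interfaces until the signature engines are built:
! ip ips fail closed
!
! Start from the smaller "basic" category instead of everything, which
! keeps compile time and CPU impact down on an ISR.
ip ips signature-category
 category all
  retired true
 exit
 category ios_ips basic
  retired false
 exit
exit
!
! Apply the rule; inspection of traffic starts after compilation completes
interface GigabitEthernet0/0
 ip ips iosips in
 ip ips iosips out
!
! --- Checks after enabling ---
! Shows the rule, config location and whether "fail closed" is set
show ip ips configuration
! Confirms only the basic category is active (roughly a few hundred
! signatures, not the full set)
show ip ips signatures count
```

If you later switch to the advanced category, or un-retire more signatures, re-run the two show commands and watch CPU during the recompile; the compile happens every time the router boots, so the fail-open/fail-closed choice matters at every reload, not only when IPS is first enabled.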