IPS 4240 to be configured as IDS (Promis)

Unanswered Question
Dec 22nd, 2007

Dear Netpro,

If i configure the IPS in IDS mode (Promis)

then which utility or application from cisco to monitoor the IDS for the events.

Thanks

swami

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
royalblues Sun, 12/23/2007 - 07:54

You can configure the IPS in IDS mode but you stil will have the management interface to control the IPS.

The integrated event managers with the IPS can still be used to monitor the events

The IEV (IPS event viewer) is generally prefereed for monitoring IPS events

http://www.cisco.com/cgi-bin/tablebuild.pl/ids-ev

HTH

Narayan

arumugasamy Mon, 12/24/2007 - 05:32

Dear Narayan,

Thanks for your help.

Let me explain the current customer setup.

There are 2 numbers of edge 3560 in-line power switches connected to the core 4507R with DOT1Q trunk. The edge switch ports all configured with both data and voice vlans (VLAN 2 for Data and VLAN 9 for Voice)

The trunk link carries these 2 vlans plus the mgmt vlan 8.

In this setup i need to implement the IPS in IDS mode.

Please explain me the steps to complete the installation.

I plained to create the RSPAN and connected the IDS in the 2nd switch.

Please narayan i need to know more about the setup procedures.

Thanks

swami

royalblues Mon, 12/24/2007 - 06:24

Can you also let us know what traffic are you intending to receive on the IPS?

All traffic hitting the 45XX?

Narayan

arumugasamy Tue, 12/25/2007 - 04:18

Narayan,

The core switch 45xx connected to the edge 3560 via dot1q trunk carrying voice vlan 9 and data vlan 2. Now the IPS has to be placed in this vlan 2 to monitor and block the events

of the traffic going to internet. The main user traffic is web and getting from internet the mail (port 25) via iron mail and OWA (port 443). These 2 ports have been opened in the ASA edge firewall.

I like to install the IPS as inline mode. Could you expalin me how can i connect the inline pair via trunk port.

Thanks

swami

royalblues Wed, 12/26/2007 - 01:50

Your initial post says that you need to use the IPS in IDS(promiscuous mode)

In this case you can connect the IPS on the 4500 and configure spanning in such a way that it passes only vlan 2 traffic to the IPS

monitor session 1 source interface

monitor session 1 destination interface filter vlan 2

I am not sure whether we can monitor only a specific subnet on the IPS when it is in inline mode.

HTH

Narayan

arumugasamy Wed, 12/26/2007 - 03:25

Narayan,

I already connected one vlan in IDS mode. Now i need to use inine for another vlan (vlan 2).

For IDS config i used the monitor session cmd on the switch and IEV as the event monitour App.

But in inline mode how can we prevent the vlan 2 to access the gateway L3 before passing to the IPS.Also those 2 edge switches in vlan 2 each separately trunked to the core switch.

Thanks

swami

Actions

This Discussion