How to configure IPS42xx with a pair of inline interfaces for IDS mode

Unanswered Question
Oct 8th, 2009

Hi folks,

I have a stupid question to ask. We are about to deploy a number of IPS42xx appliances. There's no free ports on the switches to connect their sensing interfaces to the switch SPAN port. Is there any way to use a pair of the sensor's interfaces to send traffic through the sensor but the sensor itself should be running in IDS (monitoring) mode. The client might opt to switch to real IPS (inline) mode after they tune their signatures. And it should be just changing the settings on the sensor not reconnecting cables.

Help please!!!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
rhermes Fri, 10/09/2009 - 07:48

If you place the sensor in line with teh traffic, then it will need to operate in the in line mode, with all the risks associated with that (latency, sensor availability/uptime, etc). You can turn off all the drop actions (check those normalizer sigs carefully, they don;t even report when they fire) either on a sig by sig basis or with a broad Event Action Overide.

zheka_pefti Fri, 10/09/2009 - 08:42

Thanks, Hermes.

I figured that Event Action Filter is the answer to my question. How much latency is introduced to traffic flows if they traverse inline sensor as opposed to a real promiscuous mode when the sensing port is connected to the SPAN-ed switch port?

Farrukh Haroon Sat, 10/10/2009 - 05:35

This would depend on the amount of traffic you push through the sensor. If its within reasonable ranges of the sensor's throughput/processing power, the delay will be acceptable. If its more, its going to invite troube :)

Regards

Farrukh

zheka_pefti Tue, 10/13/2009 - 11:58

Thanks for all advice, folks.

May I ask a relevant question? I came across an article at Cisco's site

https://learningnetwork.cisco.com/docs/DOC-4381 named "Understanding Cisco IPS Interface Types and Modes". It was a revelation to me that if IPS runs in inline mode a pair of inline interfaces should be L2 separated with different VLANs. I'm quoting Yusuf Bhaiji words:

Note that a Layer 2 segmentation is required for inline mode to work; that is, the client and the first interface are on a separate VLAN, whereas the server and the second interface are on a separate VLAN, as shown in Figure 2. The Layer 3 network remains unchanged.

Never heard about it and never found anything relevant to it in other Cisco guides.

Can anyone confirm or disprove it ?

Eugene

Actions

This Discussion