IDS + Native IOS

Dec 5th, 2001

Hi

I want to know again whether it is already possible to have an IDS in a Cat 6500 with native IOS. Which software do we need, and does shunning or TCP RESET ("inpkts enable" with session monitor) work?

Has anyone tested an IDS in native IOS?

Thanks for your help.

marcabal (Cisco Employee) Wed, 12/05/2001 - 11:31

The first version of Cat IOS to support the IDSM (IDS Module for the Cat 6000) is 12.1(8a)EX.

However, the IDSM is only supported if 12.1(8a)EX is loaded on a Sup2 w/ MSFC2.

It is not supported with Sup1a. Sup1a Cat IOS support for the IDSM will be in a future version.


It supports both version 2.5 and version 3.0 of the IDSM.

3.0 of the IDSM will support shunning, but not TCP Resets or IP Logging.

2.5 of the IDSM does not support shunning, TCP Resets or IP Logging.

So I recommend ordering or upgrading to 3.0.


Three methods can be used to send packets to the IDSM.

1st is the monitor command (similar to SPAN in Cat OS).

2nd is the VACL capture feature (similar features as VACL capture in Cat OS, but the configuration looks really different).

3rd is the "mls ip ids" command. This will use an ACL to mark packets for capture as they are routed through an interface.

As for support with the IDS Appliance (IDS-42xx):

Only the monitor command (SPAN equivalent) can be used to send packets to the appliance. Future Cat IOS versions may support VACL capture and the "mls ip ids" command to send packets to the appliance, but I am told that current versions do not.


As for the TCP Resets, I have not heard of any changes being made to Cat IOS, but there are changes being made to the sensor. But I am not sure if Cat IOS allows packets to be received from the monitor ports.


Currently, if the switch does allow resets in on the monitor port, then it could mess up the CAM tables of the switch (Cat OS has the learning disable feature to prevent this), but with future versions of the sensor (available in a few weeks) we hope to have eliminated the CAM table problem. So with future appliance sensor versions, if the switch lets packets in from the monitor port, then the TCP Resets should work without causing a problem. (Note: Still to be tested, so I can't guarantee anything yet.)
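
The three capture methods marcabal lists, written out as native IOS configuration. This is an added example, not configuration from the original thread, from marcabal, or from Cisco documentation; it uses the command syntax documented for later 12.1E/12.2SX Catalyst 6500 releases, so the exact keywords available on 12.1(8a)EX may differ. The IDSM slot (6), the monitored VLAN (10), the appliance port (GigabitEthernet1/1), and the ACL and access-map names are all assumptions.

```text
! --- Method 1: monitor session (the native IOS SPAN equivalent) ---
! Copy VLAN 10 traffic (both directions) to the IDSM in slot 6.
! Slot number, VLAN and data-port syntax are assumptions, see lead-in.
monitor session 1 source vlan 10 both
monitor session 1 destination intrusion-detection-module 6 data-port 1
!
! The same mechanism pointed at an IDS-42xx appliance on a physical port.
! Per the thread, this is the only one of the three methods that reaches
! the appliance on the Cat IOS releases discussed. Port is assumed.
monitor session 2 source vlan 10 both
monitor session 2 destination interface GigabitEthernet1/1

! --- Method 2: VACL capture ---
! The ACL selects what to capture; "action forward capture" forwards the
! matching frames normally AND copies them to the capture port(s).
ip access-list extended IDS-CAPTURE-ACL
 permit ip any any
!
vlan access-map IDS-CAPTURE-MAP 10
 match ip address IDS-CAPTURE-ACL
 action forward capture
!
! Apply the map to the monitored VLAN.
vlan filter IDS-CAPTURE-MAP vlan-list 10
!
! Make the IDSM data port a capture port and restrict it to VLAN 10.
intrusion-detection module 6 data-port 1 capture
intrusion-detection module 6 data-port 1 capture allowed-vlan 10

! --- Method 3: mls ip ids ---
! Packets matching the ACL's permit entries are copied to the capture port
! as they are routed through the SVI; nothing is dropped.
ip access-list extended IDS-MLS-ACL
 permit ip any any
!
interface Vlan10
 mls ip ids IDS-MLS-ACL
!
! The IDSM port must be a capture port, exactly as in method 2.
intrusion-detection module 6 data-port 1 capture
```

Two practical points. First, a `permit ip any any` capture ACL sends the whole VLAN to the sensor; in production narrow the permit entries to the subnets the sensor should watch, since the ACL decides only what is copied, not what is forwarded. Second, on the CAM-table question raised above: in later native IOS releases a `monitor session` destination port drops frames arriving from the sensor unless the destination command carries the `ingress` keyword, which is the native IOS counterpart of the Cat OS `inpkts` / learning-disable behaviour; whether 12.1(8a)EX offered that keyword is not something this thread settles, so verify it with `show monitor session 1` on the release actually deployed.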

bfieglmller Wed, 12/05/2001 - 23:51

Thank you


Please inform us when it's possible to make a TCP reset.
