Cisco Support Community

alerts

I've got an IPS/IDS 4215 with its FastEthernet 1/0 interface plugged into a switch, which is part of a DMZ. That same switch is uplinked to the DMZ interface of a PIX 515. I enabled some signatures for testing, including 2004 ICMP echo request, and I'm alerted about the events from my PIX running IDS, but the 4215 doesn't detect it, which leads me to think my physical setup is incorrect. Perhaps because of the switch? I want to do some testing with promiscuous mode, IDS, right now, not inline. What would the cabling look like for that?

Thank you,

Bill

Accepted Solution

Re: alerts

Hi,

Try to enable/configure a SPAN port (monitor session) on the switch. The port where the IDS was connected was not able to 'see' other traffic passing through the switch. SPAN/port mirroring is common if you need to use promiscuous instead of inline. But if you use a hub, you can just connect and start seeing traffic, as a hub behaves differently from a switch.

I assumed your DMZ switch has one (1) VLAN. Configure the switch port connecting the IDS as the destination port, while the other ports are source ports.

Follow the examples in the following links and look for local SPAN.

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00801e85e1.html#1078977

http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00802164eb.html

Rgds,

AK
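A local SPAN configuration of the kind the answer describes, added here as an illustration; it is not taken from the thread or from the linked configuration guides. It assumes a Catalyst switch running IOS, that the PIX 515 DMZ interface uplinks into FastEthernet0/1, that the 4215's sensing interface (FastEthernet1/0) is cabled to FastEthernet0/24, and that the DMZ is VLAN 10; adjust the interface and VLAN names to your switch.

```ios
! Assumed layout (constructed for this example, not from the thread):
!   Fa0/1  = uplink to the PIX 515 DMZ interface
!   Fa0/24 = IPS 4215 sensing port (its FastEthernet1/0)
! The 4215 command-and-control port (FastEthernet0/0) stays on an ordinary
! access port elsewhere: a SPAN destination port does not carry normal
! traffic, so the sensor cannot be managed through it.
configure terminal
!
! Option A: mirror only the PIX uplink. Everything entering or leaving the
! DMZ through the firewall, including the echo requests that fired
! signature 2004 on the PIX, crosses this port, so mirror both directions.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
!
! Option B (use instead of A, on platforms that support VLAN sources):
! mirror the whole DMZ VLAN so host-to-host traffic inside the DMZ is
! copied to the sensor as well, not just what passes the firewall.
! no monitor session 1
! monitor session 1 source vlan 10 both
! monitor session 1 destination interface FastEthernet0/24
!
end
!
! Verify: the sensor port must be listed as the destination and the uplink
! (or VLAN 10) as the source; mirrored frames show up as output packets
! on the destination port.
show monitor session 1
show interfaces FastEthernet0/24 | include packets output
```

With Option B the mirrored volume is the sum of all DMZ ports, which can exceed the 100 Mb/s destination port and silently drop copies, so prefer Option A while testing against the PIX-generated alerts.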
