Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
302
Views
0
Helpful
1
Replies

alerts

Go to solution
WILLIAM STEGMAN
Level 4
Level 4

‎08-04-2006 11:28 AM - edited ‎03-10-2019 03:09 AM

I've got a IPS/IDS 4215 with its fastethernet 1/0 interface plugged into a switch, which is part of a dmz. That same switch is uplinked to the dmz interface of a PIX 515. I enabled some signatures for testing, including 2004 ICMP echo request, and I'm alerted about the events from my PIX running IDS, but the 4215 doesnt' detect it, which leads me to think my physical setup is incorrect. Perhaps because of the switch? I want to do some testing with promiscious mode, IDS, right now, not inline. What would the cabling look like for that?

Thank you,

Bill

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
a.kiprawih
Level 7
Level 7

‎08-05-2006 05:00 PM

Hi,

Try to enable/configure SPAN port (monitor session) on the switch. The port where the IDS was connected was not able to 'see' other traffics passing through the switch. SPAN/port mirroring is common if you need to use promiscious instead of inline. But if you use hub, you can just connect and start seeing traffic as hub behave differently from switch.

I assumed your DMZ switch has one (1) VLan.Configure your switch port connecting the IDS as destination port, while other ports as source port.

Follow the example in the following link and look for local SPAN.

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00801e85e1.html#1078977

http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00802164eb.html

Rgds,

AK

View solution in original post

0 Helpful
1 Reply 1

Go to solution
a.kiprawih
Level 7
Level 7

‎08-05-2006 05:00 PM

Hi,

Try to enable/configure SPAN port (monitor session) on the switch. The port where the IDS was connected was not able to 'see' other traffics passing through the switch. SPAN/port mirroring is common if you need to use promiscious instead of inline. But if you use hub, you can just connect and start seeing traffic as hub behave differently from switch.

I assumed your DMZ switch has one (1) VLan.Configure your switch port connecting the IDS as destination port, while other ports as source port.

Follow the example in the following link and look for local SPAN.

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00801e85e1.html#1078977

http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00802164eb.html

Rgds,

AK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card