control and management port for nm-cids

ahmadabuzayyad
Level 1

Can anybody help me to find the difference between the IP address that we use at the interface IDS-Sensor 1/0 and the IP address of the sensor and its default gateway?

10.10.10.2/24, 10.10.10.1

6 Replies

edadios
Cisco Employee

The IP address of the sensor is the management IP address, so you can SSH to it and manage it by IDM, for example.

You only have one management interface. The other interfaces do not use an IP address; they are used for sensing traffic, or you can also use them for TCP reset.

More information here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliinter.htm#wp1031719

Regards,

Eric

Thanks, but I need to know which IP I will use when I have to connect the NM-CIDS with CiscoWorks: the one on the interface fa0/0, or IDS-Sensor, or the IP address assigned in the sensor setup, or which one?

The second question: does port fa0/0 connect to the hub for sensing or not?

Thanks for clarifying you have an NM-CIDS.

To manage the sensor by Ciscoworks, you would be using the ip address you configured with setup command in the NM-CIDS.

The 1/0 interface is configured so that you can session to the NM-CIDS on the router itself.

For more information, and also for setting up the sensing interface (packet capture), please refer to this documentation:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/hwclipr.htm#wp88986

Packets seen by the interface configured for packet capture are analyzed.

I hope this information helps you.

Regards,

Eric

Thanks for this information.

I want to ask you:

Do they have to be in the same subnet or not (the sensor IP address and the IP address used during "setup")?

And what do I have to put for the default route: the default gateway of the router or the interface itself?

Note: the same questions also apply to the IDSM-2.

Thanks a lot.

NM-CIDS information:

There are 3 interfaces that you need to be aware of with the NM-CIDS.

The NM-CIDS module has 2 interfaces (FastEthernet0/0 and FastEthernet0/1).

The 3rd interface actually belongs to the router (IDS-Sensor1/0).

The Fa0/0 interface of the NM-CIDS is the external port of the NM-CIDS. When an IP Address is assigned to the NM-CIDS through the "setup" command, the IP is assigned to this Fa0/0 interface.

The Fa0/0 interface is the external interface and so will need to be plugged into a hub (or switch), and the IP address assigned to it must be an address within the network address range for that network (vlan). The default gateway should be the same default gateway as for the other boxes on that network. The default gateway may be one of the addresses of the router in which the NM-CIDS was installed, or could be a completely different router. The NM-CIDS Fa0/0 interface could have been plugged into a completely different network than any of the interfaces of its parent router.

Say for example that FastEthernet2/1 of the router is connected to vlan 10 on the switch and assigned an IP Address of 10.1.1.1. The Fa0/1 interface of the NM-CIDS is also plugged into the same switch on vlan 10. Because Fa0/1 of the NM-CIDS is plugged into the same network as Fa2/1 of the router, both IP addresses can be in the same network and the router IP can be the gateway for the NM-CIDS. The Fa0/1 can have IP 10.1.1.30 with gateway 10.1.1.1 (Fa2/1 of the router).

Alternatively the Fa0/1 of the NM-CIDS could have been plugged into vlan 30 (network 192.168.1.0) of the switch where the router does not have any interfaces. In this case the Fa0/1 of the NM-CIDS won't be in the same network as any of the router interfaces. So the Fa0/1 of the NM-CIDS will need an IP address within that network: 192.168.1.27 for example. And the gateway for the NM-CIDS would need to be whatever OTHER router is the default gateway on that network: 192.168.1.1 for example.

The Fa0/1 interface of the NM-CIDS is the internal interface of the NM-CIDS on the backplane of the router. The Analysis Engine should be configured to monitor this interface.

The "IDS-Sensor1/0" interface is the router's backplane interface to the NM-CIDS, and has 2 functions.

1) When the router is configured to send packets to the NM-CIDS for analysis, the packets will be sent through the router's IDS-Sensor1/0 interface to the router backplane into the Fa0/1 interface of the NM-CIDS. You can almost think of IDS-Sensor1/0 and Fa0/1 as having a wire between them (the wire being the router backplane).

2) The IDS-Sensor1/0 also serves a second purpose. The IDS-Sensor1/0 ALSO connects to a special part of the NM-CIDS hardware that acts as a console port for the NM-CIDS. When you "session" to the NM-CIDS, what is actually happening is a telnet through this IDS-Sensor1/0 interface into the backplane of the router to that special part of the NM-CIDS hardware. So when you session to the NM-CIDS it looks like a console port. It is because of this "telnetting" as part of the session command that the router needs an address for the IDS-Sensor1/0 interface.

The address assigned to the IDS-Sensor1/0 interface is never seen by the IPS software on the NM-CIDS; it is only used by the router in order to support the session command. This IDS-Sensor1/0 address does not need to be routable, so it can be an internal loopback address as seen in this example: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/clinmcid.htm#wp1030678

The loopback address is just a single address on a network that you are never going to use and never need to route packets to.

This IP Address for IDS-Sensor1/0 should NOT be confused with the IP Address that was assigned to the Fa0/1 interface of the NM-CIDS.

IDSM-2 information.

There are 8 interfaces of concern when dealing with the IDSM-2.

4 of the interfaces belong to the IDSM-2 itself.

The other 4 interfaces are the switch ports connected to those 4 interfaces of the IDSM-2.

The management interface of the IDSM-2 is "GigabitEthernet0/2".

When assigning an IP address to the IDSM-2 this is the interface where the IP address is assigned.

On the backplane of the switch this will connect to a corresponding switch port.

In Cat OS it is "/2", and in IOS it is "intrusion-detection module management-port".

These switch ports must be assigned to whatever vlan carries the network for the address assigned to the IDSM-2's Gig0/2 interface.

The "GigabitEthernet0/7" and "GigabitEthernet0/8" of the IDSM-2 are the monitoring interfaces of the IDSM-2 and need to be assigned to the AnalysisEngine for monitoring.

On the backplane of the switch these will connect to 2 corresponding switch ports.

In Cat OS they are "/7" and "/8", in IOS they are "intrusion-detection module data-port 1" and "data-port 2".

You will need to configure these ports as capture ports if doing promiscuous monitoring, OR as single vlan ports (access-ports) if doing inline interface pair monitoring, OR as trunk ports if doing inline vlan pair monitoring.

The "GigabitEthernet0/1" of the IDSM-2 is not configurable on the IDSM-2, and is only used for sending out TCP Resets when in promiscuous mode.

On the backplane of the switch this will connect to a corresponding switch port.

In Cat OS it is "/1" and should be left as a trunk port trunking all vlans. In IOS this port is not seen in the configuration as the user never needs to modify this port's configuration.

There are also ports /3 through /6 that are seen in Cat OS. But none of these 4 ports are connected to anything on the IDSM-2 module itself, and can be safely ignored. These ports don't show up at all in IOS.
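The reply above answers the "same subnet?" and "which gateway?" questions for both the NM-CIDS and the IDSM-2: the address entered with "setup" and its default gateway must live on the same network, and on the NM-CIDS the router's IDS-Sensor1/0 address is a separate, router-only address that must not be confused with it. The following script is an added example (not from this thread or from Cisco) that encodes those rules as a pre-deployment sanity check: it takes the setup address in address/prefix form, the gateway, and optionally the IDS-Sensor1/0 address, and reports any inconsistency. The sample plans at the bottom are constructed from the addresses quoted in the thread (the original poster's 10.10.10.2/24 with gateway 10.10.10.1, and the two NM-CIDS scenarios in the reply); the backplane address 10.255.255.1/30 is an assumed placeholder.

```python
"""Sanity checks for NM-CIDS / IDSM-2 sensor addressing (added example)."""
import ipaddress


def check_sensor_addressing(mgmt_ip, gateway, backplane_ip=None):
    """Validate a sensor's management address plan.

    mgmt_ip      -- the address given to the sensor with "setup", in
                    address/prefix form (on the NM-CIDS this lands on Fa0/0,
                    on the IDSM-2 on GigabitEthernet0/2)
    gateway      -- the default gateway entered during "setup"
    backplane_ip -- optional address/prefix of the router's IDS-Sensor1/0
                    interface (NM-CIDS only); it exists for the "session"
                    command and is never seen by the sensor software

    Returns a list of human-readable problems; an empty list means the plan
    is internally consistent.
    """
    problems = []
    mgmt = ipaddress.ip_interface(mgmt_ip)
    net = mgmt.network
    gw = ipaddress.ip_address(gateway)

    # The gateway must be a different host on the sensor's own subnet: the
    # sensor can only reach a next hop that shares its network.
    if gw == mgmt.ip:
        problems.append("gateway equals the sensor management address")
    elif gw not in net:
        problems.append(f"gateway {gw} is outside the management subnet {net}")

    # Network and broadcast addresses are not usable hosts (skipped for /31
    # and /32, where those roles do not apply).
    if net.prefixlen < 31 and mgmt.ip in (net.network_address, net.broadcast_address):
        problems.append(
            f"management address {mgmt.ip} is the network or broadcast address of {net}"
        )

    if backplane_ip is not None:
        bp = ipaddress.ip_interface(backplane_ip)
        # IDS-Sensor1/0 is a separate, router-side address; reusing the
        # management address or its subnet is exactly the confusion the
        # thread warns about.
        if bp.ip == mgmt.ip:
            problems.append("IDS-Sensor1/0 address duplicates the sensor management address")
        if bp.network.overlaps(net):
            problems.append(
                f"IDS-Sensor1/0 network {bp.network} overlaps the management subnet {net}"
            )
    return problems


if __name__ == "__main__":
    # Constructed plans: the first is the OP's 10.10.10.2/24 with gateway
    # 10.10.10.1 (backplane address is an assumed placeholder), the next two
    # mirror the two NM-CIDS scenarios in the reply, the last two are mistakes.
    plans = [
        ("10.10.10.2/24", "10.10.10.1", "10.255.255.1/30"),
        ("10.1.1.30/24", "10.1.1.1", None),           # gateway is the parent router's Fa2/1
        ("192.168.1.27/24", "192.168.1.1", None),     # gateway is a different router
        ("192.168.1.27/24", "10.1.1.1", None),        # mistake: gateway on another network
        ("10.1.1.30/24", "10.1.1.1", "10.1.1.30/30"),  # mistake: backplane address reused
    ]
    for mgmt_ip, gw, bp in plans:
        found = check_sensor_addressing(mgmt_ip, gw, bp)
        status = "OK" if not found else "; ".join(found)
        print(f"{mgmt_ip:>18} gw {gw:<13} backplane {str(bp):<16} -> {status}")
```

The check deliberately treats an IDS-Sensor1/0 address inside the management subnet as a problem: the reply recommends an unused, non-routable loopback-style network for it, and keeping it disjoint from the management network makes it obvious which address belongs to the router and which to the sensor.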
