05-01-2006 07:31 PM - edited 03-10-2019 01:59 AM
I'm quite a newbie to the IDS 4215 configuration; however, we just received ours in-house and I would like to run through the set-up with some experts prior to an extended test.
My question, I have the cables from Fe1/1 and Fe1/2 plugged into two Gigabit ports on our 6509. I have two destination ports (the ports that ultimately connect back to the Fe ports on the 4215) specified on the 6509 and one source port (our PIX router port connected to the 6509).
Given the config info below and the details from above, do I have the cabling correct and will this approach work?
--Config
virtual-sensor vs0
description default virtual sensor
logical-interface idspair1
exit
exit
! ------------------------------
service interface
physical-interfaces FastEthernet0/0
duplex full
speed 100
exit
physical-interfaces FastEthernet0/1
description sensing interface
admin-state enabled
duplex full
speed 100
alt-tcp-reset-interface none
exit
physical-interfaces FastEthernet1/0
description Sensing Pair - Part 1
admin-state enabled
duplex full
speed 100
alt-tcp-reset-interface interface-name FastEthernet1/2
exit
physical-interfaces FastEthernet1/1
description Sensing Pair - Part 2
admin-state enabled
duplex full
speed 100
alt-tcp-reset-interface interface-name FastEthernet1/3
exit
inline-interfaces idspair1
description Initial Pair
interface1 FastEthernet1/0
interface2 FastEthernet1/1
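As an added example (not part of the thread and not Cisco's own tooling), a short Python check that parses the interface blocks of a config like the one above and reports what would stop the inline pair from inspecting traffic: the virtual sensor pointing at an undefined pair, a pair member without an enabled physical-interfaces block, and enabled ports that no virtual sensor is assigned to analyze. The names SAMPLE_CONFIG, parse_ips_config and check_inline_pair are mine, and the sample is a trimmed re-typing of the posted config.

```python
# Added example, not Cisco's tooling: sanity-check an IPS 5.x interface config like the one posted above.
SAMPLE_CONFIG = "\n".join([  # constructed from the thread's config, trimmed to the lines the checks use
    "virtual-sensor vs0", "logical-interface idspair1", "exit", "exit",
    "service interface",
    "physical-interfaces FastEthernet0/1", "admin-state enabled", "exit",
    "physical-interfaces FastEthernet1/0", "admin-state enabled", "exit",
    "physical-interfaces FastEthernet1/1", "admin-state enabled", "exit",
    "inline-interfaces idspair1", "interface1 FastEthernet1/0", "interface2 FastEthernet1/1",
])

def parse_ips_config(text):
    # Walk the flat CLI listing: a block header opens a dict, "exit" closes it, other lines set keys in it.
    phys, pairs, sensors, ctx = {}, {}, {}, None
    blocks = {"physical-interfaces": phys, "inline-interfaces": pairs, "virtual-sensor": sensors}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        key, rest = words[0], " ".join(words[1:])
        if key in blocks:
            default = {"admin-state": "disabled"} if key == "physical-interfaces" else {}
            ctx = blocks[key].setdefault(rest, default)  # admin-state is disabled unless set
        elif key == "exit":
            ctx = None
        elif ctx is not None:
            ctx[key] = rest
    return phys, pairs, sensors

def check_inline_pair(text, sensor="vs0"):
    # Defects that stop the inline pair from seeing traffic, plus enabled ports no sensor analyzes.
    phys, pairs, sensors = parse_ips_config(text)
    pair_name = sensors.get(sensor, {}).get("logical-interface")
    if pair_name not in pairs:
        return [f"{sensor}: logical-interface {pair_name} is not a defined inline pair"]
    members = [pairs[pair_name].get(k) for k in ("interface1", "interface2")]
    findings = []
    if None in members or members[0] == members[1]:
        findings.append(f"{pair_name}: needs two distinct member interfaces, got {members}")
    for iface in members:
        if iface not in phys:
            findings.append(f"{pair_name}: member {iface} has no physical-interfaces block")
        elif phys[iface]["admin-state"] != "enabled":
            findings.append(f"{iface}: in {pair_name} but admin-state is not enabled")
    for iface, cfg in phys.items():
        if cfg["admin-state"] == "enabled" and iface not in members:
            findings.append(f"{iface}: enabled but not assigned to {sensor}, so its traffic is not analyzed")
    return findings
```

Calling check_inline_pair(SAMPLE_CONFIG) returns one finding: FastEthernet0/1 is enabled but not assigned to vs0, which matches the poster's later note that it is only parked for promiscuous monitoring.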
05-03-2006 11:32 PM
Ryan:
Yes it will work.
With your configuration you will be able to inspect the traffic to and from the Internet.
In the future I suggest you configure the rest of the interfaces to sense the internal traffic. You can SPAN a couple of ports of your switch (e.g. for different VLANs) and use the IDS in promiscuous mode.
I hope this helps (please rate this post and the previous one).
Best regards.
Alberto Giorgi from Spain
05-01-2006 07:35 PM
Ignore the Fe0/1 interface since I just have it established for promiscuous mode monitoring. I would ultimately like to have this device perform in-line IPS functionality. Do I need to somehow return the packets from the "monitor session" commands issued on the 6509?
Thanks for the anticipated help!
Cheers.
05-03-2006 02:36 PM
Hi ryanwihelm:
I'm sorry, but I'm confused by your post.
If you want to do inline IPS then you must connect FE0/1 to the PIX and FE0/2 to the switch. Then all the traffic goes through the IPS.
Don't forget to connect FE0/0 to the switch (perhaps in another VLAN) for management reasons.
Does this response help you?
Another comment: do you know the max throughput you have with the 4215 is 65 Mbps?
Best regards
Alberto Giorgi from Spain (a new kid on this block)
05-03-2006 05:24 PM
Thanks. My FE0/0 is my management port and I will be using FE1/0 and FE1/1 for sensing (leaving FE0/1, FE1/2, and FE1/3 open for future use). I'd like to inspect traffic for a PIX firewall bound at 100 Mbps, so I'm not losing too much in terms of throughput. Would my approach work with the given configuration?