Cisco Support Community

New Member

IOS IDS question


ip audit protected [ip address - ip address]

According to CCO, it defines a protected address space for IDS. This is from Cisco:

An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session.

I tested IDS today with ICMP flooding, and I got alarms for ICMP attack SIG .2050 even without configuring this command.

Does anybody know what exactly this command does?



New Member

Re: IOS IDS question

Thanks, but unfortunately it's still not clear to me.

If no addresses are defined as protected, then all addresses are considered outside the protected network.

Maybe I should phrase my question a little differently:

If I am not configuring that command, what kind of attack would not be detected?

New Member

Re: IOS IDS question

I assume the "flagged alert" in the command reference means a relic of the Postoffice protocol.

New Member

Re: IOS IDS question

You must be using a very old version of IOS in which the IDS feature is configured with the 'ip audit...' command. In these versions of IOS, the IDS feature has a fixed number of hardcoded signatures.

The IOS IDS/IPS feature has evolved quite a bit. Starting with 12.3(8)T, it supports dynamic signatures and is a true inline IPS system. Recently, from 12.4(11)T, it supports the 5.x signature format, which enables IPS to support signatures with encrypted parameter values and more functions (but this is not backward compatible with previous versions).

For more information, please check at

Also please check the white paper and Q&A section.


