Cisco Support Community
Community Member

IOS IPS configuration

Hi all,

I am implementing IOS IPS on a 3800 router, but I am not sure whether, when I enable it, all the TCP sessions already active across the router will be dropped by the inspect (because the IPS never saw when all those sessions started).

Any comments are really appreciated.

Community Member

Re: IOS IPS configuration


When IPS is enabled, L7 IPS will not scan packets for previously opened TCP sessions, so the sessions will be unaffected.

Atomic-ip, which is stateless, isn't session-aware and thus scans packets for previously opened sessions and newly opened sessions the same.

I still suggest you turn on IPS when the traffic is low and, if possible, try it out on a lab router.



Community Member

Re: IOS IPS configuration

Note: IPS does drop all packets on configured interfaces when it is compiling signatures unless you disable the fail closed setting.

Even with a 3800, which is pretty hefty CPU-wise compared to the other ISRs, it can take up to 20 minutes to finish a compile, assuming you have about 900 sigs enabled. And during this period the CPU will be at 100%. Note that this also occurs every time the router is rebooted.

Community Member

Re: IOS IPS configuration

Some clarifications:

1. The fail closed option is not configured by default. The default option is fail open.

2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in 4.x signature format, and the basic and advanced categories in 5.x signature format). Those are the recommended starting point when configuring router-based IOS IPS. They have about 300 and 500 signatures respectively.

3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. During the compilation process the process CPU is normally high, but it won't affect data plane traffic passing through the router.

Hope this helps,
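To tie the fail open/fail closed point and the "start from the basic category" advice from the two replies above together, here is an added example of a 5.x-format IOS IPS configuration. It is not from the original thread or from Cisco; the IPS rule name IOSIPS, the flash directory flash:ips, the signature package filename, and the interface name are assumptions chosen for illustration.

```cisco
! --- Added example: IOS IPS with the recommended "basic" category ---
! Directory on flash where compiled signatures and config are stored
! (flash:ips is an assumed name; create it first with "mkdir flash:ips").
ip ips config location flash:ips retries 1

! Name of the IPS rule that will be applied to an interface
ip ips name IOSIPS

! Default behaviour is fail open: while signatures are compiling,
! traffic is forwarded uninspected. Uncomment the next line only if
! you prefer to drop traffic during compilation (fail closed).
! ip ips fail closed

! Send events to SDEE and to syslog so the compile and any alerts are visible
ip ips notify sdee
ip ips notify log
ip sdee events 500

! Retire every signature, then un-retire only the "ios_ips basic" category.
! This is the ~300-signature starting point the reply above recommends,
! which keeps compile time and memory use low on an ISR.
ip ips signature-category
 category all
  retired true
 exit
 category ios_ips basic
  retired false
 exit
exit

! Apply the rule inbound on the inspected interface (interface name assumed)
interface GigabitEthernet0/0
 ip ips IOSIPS in
exit

! Load the signature package (filename is a placeholder for the package you
! downloaded from Cisco); this triggers the compile described in the thread.
! copy flash:IOS-Sxxx-CLI.pkg idconf

! Verification after the compile finishes
! show ip ips configuration
! show ip ips signatures count
! show ip ips statistics
```

Watching `show ip ips signatures count` until the compiled total stabilises, and checking CPU with `show processes cpu sorted`, is the practical way to confirm the 3 to 5 minute compile window mentioned above before deciding whether fail closed is acceptable for your maintenance window.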

