12-22-2007 12:10 PM - edited 03-10-2019 03:54 AM
Dear Netpro,
If I configure the IPS in IDS mode (promiscuous),
then which utility or application from Cisco can I use to monitor the IDS for events?
Thanks
swami
12-23-2007 07:54 AM
You can configure the IPS in IDS mode, but you will still have the management interface to control the IPS.
The integrated event managers that ship with the IPS can still be used to monitor the events.
The IEV (IPS Event Viewer) is generally preferred for monitoring IPS events:
http://www.cisco.com/cgi-bin/tablebuild.pl/ids-ev
HTH
Narayan
12-24-2007 05:32 AM
Dear Narayan,
Thanks for your help.
Let me explain the current customer setup.
There are two edge 3560 inline-power switches connected to the core 4507R with a dot1q trunk. The edge switch ports are all configured with both data and voice VLANs (VLAN 2 for data and VLAN 9 for voice).
The trunk link carries these two VLANs plus the management VLAN 8.
In this setup I need to implement the IPS in IDS mode.
Please explain to me the steps to complete the installation.
I planned to create an RSPAN session and connect the IDS to the second switch.
Please, Narayan, I need to know more about the setup procedure.
Thanks
swami
12-24-2007 06:24 AM
Can you also let us know what traffic you intend to receive on the IPS?
All traffic hitting the 45xx?
Narayan
12-25-2007 04:18 AM
Narayan,
The core switch 45xx is connected to the edge 3560s via a dot1q trunk carrying voice VLAN 9 and data VLAN 2. Now the IPS has to be placed in this VLAN 2 to monitor and block events
in the traffic going to the Internet. The main user traffic is web, plus mail received from the Internet (port 25) via IronMail and OWA (port 443). These two ports have been opened on the ASA edge firewall.
I would like to install the IPS in inline mode. Could you explain to me how I can connect the inline pair via a trunk port?
Thanks
swami
12-26-2007 01:50 AM
Your initial post says that you need to use the IPS in IDS (promiscuous) mode.
In this case you can connect the IPS to the 4500 and configure SPAN in such a way that it passes only VLAN 2 traffic to the IPS:
monitor session 1 source interface
monitor session 1 destination interface
I am not sure whether we can monitor only a specific subnet on the IPS when it is in inline mode.
HTH
Narayan
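The promiscuous setup Narayan outlines above, carried through as a worked configuration. This is an added example, not part of either poster's text or Cisco documentation: the 4507R port names GigabitEthernet1/1 and 1/2 (trunks to the two 3560s) and GigabitEthernet1/10 (port to the IPS sensing interface), the RSPAN VLAN 900, and the sensor interface name GigabitEthernet0/1 are all assumptions; substitute the real ones. The local-SPAN and RSPAN sections are alternatives (local SPAN on the core, or RSPAN from the edge switch as swami originally planned), not both at once.

```cisco
! --- Option A: core 4507R, local SPAN restricted to VLAN 2 (interface names assumed) ---
! Source both edge trunks in both directions, then filter the copy down to VLAN 2
! so the IPS never receives voice (VLAN 9) or management (VLAN 8) frames.
monitor session 1 source interface GigabitEthernet1/1 , GigabitEthernet1/2 both
monitor session 1 filter vlan 2
monitor session 1 destination interface GigabitEthernet1/10
!
! Equivalent when every VLAN 2 port of interest is on this switch:
! monitor session 1 source vlan 2 both
! monitor session 1 destination interface GigabitEthernet1/10
!
! --- Option B: RSPAN from edge 3560 #2 to the IPS port on the core ---
! On BOTH switches: define the RSPAN VLAN (assumed 900) and allow it on the trunk.
vlan 900
 name RSPAN-TO-IPS
 remote-span
!
! Edge 3560 #2 (RSPAN source):
monitor session 1 source vlan 2 both
monitor session 1 destination remote vlan 900
!
! Core 4507R (RSPAN destination):
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet1/10
!
! Check on either switch:
! show monitor session 1
!
! --- IPS sensor (IPS 6.x CLI, sensing interface name assumed) ---
! Promiscuous mode: enable the sensing port and assign it to virtual sensor vs0.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show interfaces
```

Two checks worth doing before trusting the events in IEV: `show monitor session 1` on the switch should list the filter VLAN (or the remote VLAN) and the destination port, and `show interfaces` on the sensor should show the sensing port receiving packets. If the RSPAN VLAN is not defined with `remote-span` on every switch in the path, or is pruned from the trunk, the sensor stays silent without any error on the switch.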
12-26-2007 03:25 AM
Narayan,
I already connected one VLAN in IDS mode. Now I need to use inline mode for another VLAN (VLAN 2).
For the IDS configuration I used the monitor session command on the switch and IEV as the event monitoring application.
But in inline mode, how can we prevent VLAN 2 from reaching the L3 gateway before passing through the IPS? Also, those two edge switches in VLAN 2 are each separately trunked to the core switch.
Thanks
swami
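The usual answer to the question in the post above is an inline VLAN pair: hosts stay in VLAN 2 on the edge switches, the gateway SVI is moved to a new VLAN that exists only on the core and on the IPS trunk, and the IPS bridges the two VLANs, so the only path from VLAN 2 to the L3 gateway runs through the sensor. The configuration below is an added example, not part of the thread or of Cisco documentation: the gateway-side VLAN 202, the placeholder gateway address 192.0.2.1/24, the 4507R port names GigabitEthernet1/1, 1/2 (edge trunks) and 1/10 (IPS trunk), and the sensor interface GigabitEthernet0/1 are assumptions.

```cisco
! --- Core 4507R (example; VLAN 202, addresses and interface names are assumed) ---
vlan 202
 name DATA-GATEWAY-SIDE-OF-IPS
!
! The SVI that used to be the VLAN 2 gateway is removed from VLAN 2 ...
interface Vlan2
 no ip address
 shutdown
!
! ... and re-created on VLAN 202 with the same (placeholder) address, so
! hosts in VLAN 2 keep their default gateway and ARP for it through the IPS.
interface Vlan202
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Trunk to the IPS sensing port: carries exactly the two VLANs of the pair.
interface GigabitEthernet1/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 2,202
 no shutdown
!
! Edge trunks to the two 3560s are unchanged: VLAN 2 still reaches them,
! VLAN 202 is never allowed there, so neither edge switch can bypass the IPS.
interface range GigabitEthernet1/1 - 2
 switchport trunk allowed vlan 2,8,9
!
! --- IPS sensor (IPS 6.x CLI): inline VLAN pair 2 <-> 202 on one sensing port ---
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# bypass-mode auto
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description data VLAN 2 to gateway VLAN 202
sensor(config-int-phy-inl-sub)# vlan1 2
sensor(config-int-phy-inl-sub)# vlan2 202
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show interfaces
```

Three caveats a practitioner would want alongside this. First, only traffic between VLAN 2 and the gateway (Internet, other VLANs, the ASA) crosses the IPS; host-to-host traffic inside VLAN 2 stays at layer 2 on the edge switches and is never inspected. Second, because the sensor is now the only path to the gateway, decide the bypass behaviour deliberately: `bypass-mode auto` keeps VLAN 2 reachable if the analysis engine stops, `bypass-mode off` fails closed. Third, inline placement by itself only inspects; signatures must carry an inline deny action (for example `deny-packet-inline`) before anything is actually blocked, otherwise the sensor behaves exactly like the promiscuous setup but in the data path.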