wkw
Community Member

Deploying Cisco IDS 42xx appliance with network taps

Hi all,

Anyone have any experiences deploying IDS 42xx appliances (e.g. 4235 and 4215) with network taps (e.g. Finisar UTP Tap IL/1)? I deployed several of the IDS appliance some months back using the Finisar taps, and thought everything was working well, till i found out that i'm only capturing one side of the traffic, due to the nature of the taps! It would seem that I need to put in another network card on the IDS appliance (a Cisco 4235), but is that possible?? Is there a way I can turn on channel bonding or Etherchannel on the 4235 appliance?

The last option I can think of if the above ideas are not possible is to put in another switch and mirror the two ports coming from the tap, but that doesn't look good to the final cost..

Suggestions are most welcomed!!

thanks

Wei Kian

Accepted Solution
Cisco Employee

Re: Deploying Cisco IDS 42xx appliance with network taps

Monitoring network taps with a Cisco IDS appliance is not officially supported by Cisco.

With that said, however, several customers have been successfully deploying with Taps.

Taps as you've seen have 2 outputs.

If the Tap is placed on the connection between machines A and B, one of the outputs will be for traffic from A to B, and the other will be for traffic from B to A.

To monitor the Tap, the sensor will need to see both outputs.

You could do this by connecting the taps to a switch, and then spanning the 2 ports to the monitoring port of the IDS sensor.

Or you may be able to use a second interface on the sensor itself.

The IDS-4235, IDS-4250, and IDS-4215 are able to be upgraded with a 4 port 10/100 card, giving you a total of 5 sniffing ports.

If the connection you are tapping is a 10Mb, or 100Mb connection, then purchase the 4 port 10/100 card for the sensor and connect the 2 outputs from the Tap to 2 of the ports on the NIC card.

NOTE: The sensor will combine the incoming packets on all of its interfaces and treat them as if they are part of the same network.

You just need to place all of the interfaces into "group 0" and enable ("no shutdown") each sniffing interface.

Here is the part number for the 4 port 10/100 card:

IDS-4FE-INT=

Refer to the Installation guide for information on how to install the card and configure the sensor:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/index.htm

Now if the connection you are tapping is a 1 Gig copper or fiber connection then you will need to purchase a switch to combine the 2 outputs of the taps and span to the sensor sniffing port.

Cisco does not currently offer additional Gig copper cards.

Cisco does offer a single port Gig SX fiber card for the IDS-4250 but does not currently support placing 2 of these cards in the sensor.

Cisco also does offer a dual port Gig fiber card known as the XL. The XL card has hardware acceleration for monitoring faster speeds. However, the XL card does not currently work with Taps.

So if monitoring a 10/100 connection then try the 4 port 10/100 card, but if tapping a Gig connection then you will need a switch to aggregate the 2 outputs.

What some users have also done is to just use the switch and not bother with the Tap.

They connect machine A to the switch and machine B to the switch. Then span the traffic to the sensor port.
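As an added illustration (not code from this thread or from Cisco), the following Python check models the visibility problem described above: each tap output carries one direction, so a sensor wired to a single output never sees a complete conversation, while a sensor that receives both outputs does. All addresses, ports and packet records are constructed.

```python
# Added example, not from the thread: verify that a capture contains both
# directions of each TCP conversation, i.e. that both tap outputs reach
# the sensor. Packet records are constructed for illustration.
from collections import defaultdict

# Constructed sample packets: (timestamp, src, sport, dst, dport, tcp_flags)
TAP_A_TO_B = [  # tap output 1: only traffic from A (10.0.0.5) to B (10.0.0.9)
    (1.000, "10.0.0.5", 40000, "10.0.0.9", 80, "S"),
    (1.002, "10.0.0.5", 40000, "10.0.0.9", 80, "A"),
    (1.003, "10.0.0.5", 40000, "10.0.0.9", 80, "PA"),
]
TAP_B_TO_A = [  # tap output 2: only traffic from B back to A
    (1.001, "10.0.0.9", 80, "10.0.0.5", 40000, "SA"),
    (1.004, "10.0.0.9", 80, "10.0.0.5", 40000, "PA"),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land together."""
    ends = sorted([(src, sport), (dst, dport)])
    return ("tcp", ends[0], ends[1])


def merge_tap_outputs(*streams):
    """Interleave the tap outputs by timestamp, as a sensor that has both
    outputs in one interface group would see them."""
    return sorted((p for s in streams for p in s), key=lambda p: p[0])


def visibility_report(packets):
    """Per conversation: were both directions seen, and is the three-way
    handshake (SYN, SYN-ACK, ACK) complete?"""
    seen = defaultdict(lambda: {"dirs": set(), "flags": set()})
    for _ts, src, sport, dst, dport, flags in packets:
        entry = seen[flow_key(src, sport, dst, dport)]
        entry["dirs"].add((src, sport))
        entry["flags"].add(flags)
    return {
        key: {
            "bidirectional": len(v["dirs"]) == 2,
            "handshake_complete": {"S", "SA", "A"} <= v["flags"],
        }
        for key, v in seen.items()
    }


def one_sided_flows(packets):
    """Conversations where only one direction was observed: the symptom
    of monitoring a single tap output."""
    return [k for k, v in visibility_report(packets).items() if not v["bidirectional"]]
```

Run `one_sided_flows` over a real capture from the sensing interface: a long list of one-sided conversations means the second tap output is not reaching the sensor.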

4 REPLIES
wkw
Community Member

Re: Deploying Cisco IDS 42xx appliance with network taps

Thanks Marcabal for your answer :-) Guess I'll check the price for the 4FE spare NIC, since I'm monitoring a 100 connection. I ran out of ports on our switch so I tried using a tap, which is supposed to be non-intrusive.

OK, a bit off the topic here.. I'm trying out the IEV and it seems to be archiving the events from the IDS properly. Does it auto-delete the events from the IDS once IEV has archived them? Is it possible to view the archived event log files in a human-readable manner using the IEV or some other tools?

cheers,

woon

Cisco Employee

Re: Deploying Cisco IDS 42xx appliance with network taps

A quick note on the 4FE, you will need to be running version 4.1 to use the 4FE card. Version 4.1 is the first version to support monitoring of multiple interfaces.

As for IEV, the alarms are not auto-deleted off the sensor by IEV.

In the case of a 3.x sensor, the alarms are sent directly to IEV, but can also separately be logged on the sensor itself. When logging on the sensor itself, the sensor has its own mechanism for managing the log files and auto deleting them.

In the case of a 4.x sensor, the alarms are pulled from the sensor by IEV, but the alarms are still available on the sensor afterwards. The alarms are placed in what is termed an EventStore. It is similar to a circular file where alarms are constantly added to the end of the file until a max size is reached. Once that max size is reached the oldest alarms will be deleted as new alarms are added to the end of the file to keep it within certain size constraints.

This allows the user to go to the CLI or IDM and execute a "show events" command.

The user can specify a start time, and the CLI/IDM will show all the events since that start time.

By the same token a 4.x IEV can be configured to pull these same older events. When the sensor is added into IEV you can specify from what start time/date to begin pulling the sensor's events.

As long as the eventStore hasn't filled up and started overwriting the old events.

Both IEV 3.x and 4.x have built-in methods for archiving and deleting old alarms.

As the alarms in the current table get older and the table gets fuller, IEV will start up its own archive mechanism.

The older alarms will be moved to "archive" tables.

Users can select to view alarms from the archive tables by selecting those tables as the data source.

Once the room for archived tables has been filled, IEV will automatically delete the oldest archive tables. (users can also choose to delete a table)

Users also have the ability to export the alarms from a table, and later re-import those alarms.

So if you want to be able to look at old alarms, it is good practice to export the alarms from the archive tables before they are deleted.

For more information on managing the tables and exporting/importing the data refer to the following links:

For version 3.x:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13877_01.htm#xtocid45

For version 4.x:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#605308

Community Member

Re: Deploying Cisco IDS 42xx appliance with network taps

Hi,

the solution depends on which links you are working on.

1) For 10/100 you can connect the tap's ports to a hub and then to the sensing interface of the 4235 appliance. But you could have some problems with collisions.

2) In case of gigabit ethernet, you have to connect the tap's ports to a switch (3550/3750) and then configure it for traffic mirroring.

I'm using multivendor IDS architecture, so for solution 2) I'm using a catalyst 3750 that can mirror traffic on multiple destination ports.

On these ports I attached a 4235 and a Snort sensor.

HTH,

Massimo.
