Cisco Support Community
Community Member


I have been trying to find these answers in some documentation on the website, but I cannot find it anywhere. I have a 3725 router with an ATM interface for our internet connection and a FastEthernet interface for the internal network. I can only place the Ethernet interface in the sensing group, and I'm most concerned about all traffic that enters the router. At what point does the IDS sensor that is in this router monitor the packets that come in from the internet? Is it as per below or not? I am also not sure how we can get any alarms sent to us from this device. Any documentation appreciated.




Cisco Employee


There are 5 interfaces you are concerned with rather than just 2.

There are the 3 interfaces of the router itself.

The first 2 you already know are the ATM interface and FastEthernet interface that you have already configured for routing. Within the router configuration you will designate one of these interfaces as being the interface to monitor with the "ids-service-module monitoring" command.

The 3rd router interface is an internal router interface. It is connected to an internal interface of the NM-CIDS module.

It is a fast ethernet interface used as a loopback interface. You will need to assign a dummy ip address to it. More information can be found in the Config guide.

The other 2 interfaces are the interfaces of the NM-CIDS module itself.

The first interface is the internal interface connected to the internal loopback interface of the router. This is also a fast ethernet interface. In the configuration of the sensor it is this internal fast ethernet interface that is being added to the sensing group.

The other interface on the NM-CIDS module is the command and control interface. It is the external NIC on the module. You assign an ip address to this interface with the setup command. You will then use either IEV, CTR, or VMS (IDS MC and SecMon) to connect to this IP Address for configuration of the NM-CIDS and monitoring of the alarms.

IEV = Intrusion Detection Event Viewer

CTR = Cisco Threat Response

VMS = VPN and Security Management Solution

IDS MC = IDS Management Center (a utility within VMS)

SecMon = Security Monitoring Center (a utility within VMS)


Now to some monitoring specifics.

I believe you can use the "ids-service-module monitoring" command on the ATM interface, though I have never tried it myself.

Assuming you can, then the router will take the packets in from the ATM interface and do some initial analysis (ACLs, VPN, NAT). The packet will then be copied to the internal loopback interface of the router. At the same time the packet goes through further processing and is sent out the normal ethernet router interface.

When the copy of the packet goes to the internal loopback interface of the router, it is sent to the internal fastethernet interface of the NM-CIDS. The packet is then analyzed and any alarms are generated.

The packets coming in from the internal network to the fastethernet interface of the router go through the same process and are copied to the internal interface of the router, sent to the internal fastethernet interface of the NM-CIDS and monitored.

When there are only 2 router interfaces, it doesn't matter a whole lot which interface you place the "ids-service-module monitoring" command on, since all packets routed between the interfaces will be monitored.

The only difference will be in packets directed to one of the router ip addresses. If you monitor the ATM interface then the NM-CIDS should see packets with a destination ip of the address assigned to the ATM interface, but not packets with an ip addressed to the fastethernet interface's ip address. And vice versa for the fastethernet interface. So it is only these packets directed to the router itself (rather than the packets routed through the router) that will depend on the interface being monitored.

With a 3 or more port router things will change a little bit. When you monitor one interface then the NM-CIDS will see packets routed in and out of that one interface from either of the other 2. Packets routed strictly between the 2 interfaces not being monitored will not be seen by the NM-CIDS.


Now for some links to docs you should read:

A design guide to provide even more insight to what I stated above:

A link to the current configuration documentation for the NM-CIDS and other IDS products:

The Installation and Configuration guide you should start with:

The specific chapter pertaining to NM-CIDS:
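The visibility rules described in the reply above, as an added example that is not part of the original thread or Cisco's own code: a small model that lists which flows the NM-CIDS would and would not see for a chosen monitored interface, generalized to any number of router interfaces. The interface names are constructed, and the two rules encoded are exactly the ones stated in the reply.

```python
from itertools import permutations


def sensor_sees_routed(ingress, egress, monitored):
    """Routed packet: copied to the sensor if it enters or leaves
    the interface carrying "ids-service-module monitoring"."""
    return monitored in (ingress, egress)


def sensor_sees_to_router(dest_ip_iface, monitored):
    """Packet addressed to the router itself: seen only when the
    destination IP belongs to the monitored interface."""
    return dest_ip_iface == monitored


def coverage_report(interfaces, monitored):
    """Enumerate every routed direction and every router-addressed
    destination, sorted into what the sensor sees and what it misses."""
    if monitored not in interfaces:
        raise ValueError(f"{monitored} is not one of the router interfaces")
    report = {"seen": [], "blind": []}
    for ingress, egress in permutations(interfaces, 2):
        key = "seen" if sensor_sees_routed(ingress, egress, monitored) else "blind"
        report[key].append(f"{ingress} -> {egress}")
    for iface in interfaces:
        key = "seen" if sensor_sees_to_router(iface, monitored) else "blind"
        report[key].append(f"to router IP on {iface}")
    return report


if __name__ == "__main__":
    # Constructed interface names; the thread only says "ATM" and "FastEthernet".
    two_port = ["ATM0/0", "FastEthernet0/0"]
    three_port = two_port + ["FastEthernet0/1"]
    for ifaces in (two_port, three_port):
        result = coverage_report(ifaces, monitored="ATM0/0")
        print(f"{len(ifaces)} interfaces, monitoring ATM0/0")
        for flow in result["blind"]:
            print("  not seen:", flow)
```

On a router with three or more interfaces, the "not seen" lines are the traffic that needs a different monitored interface or another sensor.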
