I have a customer that I am implementing IDS's to monitor several parts of their network and I am running into a small design problem.
The customer has a network that is highly redundant. Example of this is causing a problem of how to or where to place the IDS's. They have two separate connections to the Internet on two separate routers. These routers are connected to two separate cat2950 switches that are connected via FastEthernetChannel. These two switches each have a connection into a PIX (one Primary and one Failover).
Now the problem. I can connect the IDS to the switch that has the connection to the primary PIX and monitor that port, but the customer wants to be able to monitor the other PIX without having to move the patch cable for the IDS from the first switch to the second. I did try to have a monitor port in the second switch connect back to the primary switch and monitor that port as well, but there was a sudden blasting of traffic on the primary switch when I made the connection.
Any thoughts on how to configure the switches? Or other thoughts to add a switch for the monitoring?
I'm sure there are more than a couple of solutions here. One such is to use two sniffing interfaces on a Cisco IDS sensor. You can run two instances of a sensor on the same piece of hardware. You can have one sniffing interface monitor traffic on the 1st 2950 and have the second sniffing interface monitor traffic on the 2nd 2950.
Current IDS software (4.1) does support multiple sensing interfaces that would let you monitor both PIXes. This would be done with 1 instance of the sensor doing the monitoring. Multiple instances of the sensor are not supported at this time.
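The two-sensing-interface layout described in the replies, as an added configuration example that is not from the original thread: one local SPAN session on each Catalyst 2950 mirrors that switch's own PIX-facing port to a destination port cabled straight to its own sensing interface on the sensor, so no monitor port ever has to be patched into the other switch. Interface numbers are assumptions.

```cisco
! Added example (not from the thread). Each 2950 keeps its SPAN traffic
! local: the mirrored copy of the PIX uplink leaves on a destination port
! that is cabled only to the IDS sensor, never to the other switch.
!
! --- Switch A (primary PIX) ---
! Fa0/1  = port facing the primary PIX        (assumed)
! Fa0/24 = port patched to IDS sensing interface 1 (assumed)
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
!
! --- Switch B (failover PIX) ---
! Fa0/1  = port facing the failover PIX       (assumed)
! Fa0/24 = port patched to IDS sensing interface 2 (assumed)
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
!
! Verify on each switch that the session shows the expected source
! and destination ports:
show monitor session 1
!
! Note: a 2950 SPAN destination port emits a copy of every frame seen on
! the source port but does not run STP or forward received frames. Cabling
! such a port into the other switch, as tried in the question, hands that
! switch a stream of mirrored frames to learn from and flood, which is the
! likely cause of the traffic blast; keep each destination port on the sensor.
```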