IDS/IPS functionality in Catalyst 4500 ?

Hi,
Is there IDS/IPS functionality in the Catalyst 4500 (Supervisor 6-E), or do we need to propose an external IDS/IPS device?

I think the Cat 4500 Sup 6-E does not have IDS/IPS functionality. You have to install it externally.
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps9294/product_data_sheet0900aecd806df543_ps4324_Products_Data_Sheet.html

Similar Messages

  • Does PIX 515 Support IDS/IPS?

    Recently I needed to provide a firewall solution to my customer. I would like to propose the Cisco PIX 515E to my customer. I know Cisco has a separate IDS (Intrusion Detection System) appliance; they didn't put too much effort into this category for their PIX firewall.
    Anyhow, does the pix support IPS (Intrusion Prevention System) and IDS?

    The PIX does have some IDS built in. It's a small subset of the IDS/IPS signatures offered by the appliances. The signature IDs are kept the same across hardware (so signature ID 1000 on a PIX is the same signature as on an IDS/IPS appliance).
    You add IDS functionality on the PIX via the "ip audit xxx" commands.
    PIX OS 6.3:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html
    PIX OS 7.1:
    http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fb9f7.html
    (The 7.1 docs have a nice table of which signatures are supported natively by PIX OS.)
    Those two links should give you an overview of the IDS/IPS functionality and signatures available on the PIX itself.

  • High CPU with error "%ADJ-3-RESOLVE_REQ:" in Catalyst 4500-X VSS after making L3 function (static routing)

    We have a VSS based on 2x WS-C4500X-16. The VSS is used as a Layer 2 switch for different VLANs in our DC.
    After making the VSS the Layer 3 gateway for our production VLAN and adding 2 routes for routing purposes, we encountered network downtime with high CPU in the VSS and a huge number of log messages:
    .May 14 12:11:25.947: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.22 Vlan100
    .May 14 12:11:34.516: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.22 Vlan100
    .May 14 12:11:40.072: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
    .May 14 12:11:49.682: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
    .May 14 12:11:55.079: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
    .May 14 12:12:00.926: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.40 Vlan100
    .May 14 12:12:06.701: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.8.32 Vlan100
    .May 14 12:12:12.624: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.40 Vlan100
    .May 14 12:12:21.627: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.40 Vlan100
    .May 14 12:12:32.261: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.8.32 Vlan100
    .May 14 12:12:41.801: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.2.105 Vlan100
    .May 14 12:12:49.633: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
    .May 14 12:12:54.831: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
    .May 14 12:12:59.960: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
    .May 14 12:13:08.745: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
    .May 14 12:13:16.138: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
    .May 14 12:13:22.393: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
    .May 14 12:13:31.415: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.141 Vlan100
    .May 14 12:13:38.944: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.2.215 Vlan100
    .May 14 12:13:45.972: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
    Below is the show version of our VSS:
    Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.04.00.SG RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Wed 05-Dec-12 04:38 by prod_rel_team
    ROM: 15.0(1r)SG10
    S_C4500X_01 uptime is 33 weeks, 1 day, 14 minutes
    Uptime for this control processor is 33 weeks, 1 day, 16 minutes
    System returned to ROM by power-on
    System restarted at 11:59:10 UTC Tue Sep 24 2013
    Running default software
    Jawa Revision 2, Winter Revision 0x0.0x40
    Last reload reason: power-on
    License Information for 'WS-C4500X-16'
        License Level: ipbase   Type: Permanent
        Next reboot license Level: ipbase
    cisco WS-C4500X-16 (MPC8572) processor (revision 9) with 4194304K/20480K bytes of memory.
    Processor board ID JAE173303CF
    MPC8572 CPU at 1.5GHz, Cisco Catalyst 4500X
    Last reset from PowerUp
    4 Virtual Ethernet interfaces
    32 Ten Gigabit Ethernet interfaces
    511K bytes of non-volatile configuration memory.
    Configuration register is 0x2101
    Can you help please?

    Hi,
    thanks for your reply, but there is no HSRP configured, just an interface VLAN with 2 static routes, and the problem was there for more than an hour before we decided to roll back.
    Is there a BugId for this problem in the Cisco database?
    Here is a show ip route:
    S_C4500X_01#      show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    Gateway of last resort is 10.2.1.253 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 10.2.1.253
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.0.0.0/8 is directly connected, Vlan100
    L        10.1.1.250/32 is directly connected, Vlan100
          172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.31.0.0/16 is directly connected, Vlan120
    L        172.31.0.1/32 is directly connected, Vlan120
    S     192.1.0.0/16 [1/0] via 10.1.1.254
    and the show ip cef: 
    _C4500X_01#        show ip cef 
    and show ip arp:
    Thanks
    Lotfi
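    A small triage script for the %ADJ-3-RESOLVE_REQ flood described above, added here as an example (not the poster's data or any Cisco tool): it parses syslog lines in the quoted format, counts failures per unresolved address, and flags the addresses that are static-route next hops in the thread's show ip route (10.2.1.253 and 10.1.1.254), since an unresolved next hop affects every packet following that route. The sample log is constructed; the %SYS-5-CONFIG_I line is there only to show unrelated messages being ignored.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the exact format quoted in the thread (not the poster's full log).
SAMPLE_LOG = """\
.May 14 12:11:25.947: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.7.22 Vlan100
.May 14 12:11:40.072: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
.May 14 12:11:49.682: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
.May 14 12:11:55.079: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
.May 14 12:12:00.926: %SYS-5-CONFIG_I: Configured from console by console
.May 14 12:12:49.633: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
.May 14 12:12:54.831: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.1.1.254 Vlan100
.May 14 12:13:08.745: %ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve 10.2.1.253 Vlan100
"""

# Static-route next hops taken from the thread's show ip route
# (default route via 10.2.1.253, 192.1.0.0/16 via 10.1.1.254).
STATIC_NEXT_HOPS = {"10.2.1.253", "10.1.1.254"}

# Connected prefixes per SVI, also from the thread's show ip route.
CONNECTED = {
    "Vlan100": ip_network("10.0.0.0/8"),
    "Vlan120": ip_network("172.31.0.0/16"),
}

ADJ_RE = re.compile(
    r"%ADJ-3-RESOLVE_REQ: Adj resolve request: Failed to resolve (\d+\.\d+\.\d+\.\d+) (\S+)"
)


def parse_adj_failures(text):
    """Return (address, interface) for every %ADJ-3-RESOLVE_REQ line; other messages are skipped."""
    found = []
    for line in text.splitlines():
        m = ADJ_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def classify(addr, iface):
    """Label an unresolved address: a static next hop outranks a plain host in the connected subnet."""
    if addr in STATIC_NEXT_HOPS:
        return "static-next-hop"
    net = CONNECTED.get(iface)
    if net is not None and ip_address(addr) in net:
        # A host inside the connected /8 that never answers ARP; each packet to it
        # is punted for resolution until the adjacency is resolved or dropped.
        return "host-in-connected-subnet"
    return "not-in-connected-subnet"


def triage(text):
    """Count failures per address, attach the interface and label, most frequent first."""
    counts = Counter()
    ifaces = {}
    for addr, iface in parse_adj_failures(text):
        counts[addr] += 1
        ifaces[addr] = iface
    rows = [(addr, n, ifaces[addr], classify(addr, ifaces[addr])) for addr, n in counts.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def next_hop_failures(rows):
    """Addresses whose failure breaks a static route: the ones to check first."""
    return [addr for addr, _, _, label in rows if label == "static-next-hop"]


if __name__ == "__main__":
    for addr, n, iface, label in triage(SAMPLE_LOG):
        print(f"{addr:<16} {n:>3} {iface:<8} {label}")
```

    On the real log, feed the whole buffer from "show logging" into triage() and compare the static-next-hop rows against "show ip arp" for the same addresses.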

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positives as "cosmetic" and claimed that fixing them required a "feature request that must be run through the Cisco sales team", which we did in the spring of 07. Cisco has been VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
    In terms of determining if a rogue AP is on-wire, this functionality does not work reliably (not just if there is no path on the wired network to the controller, which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc., but the Cisco bug tool (http://tools.cisco.com/Support/BugToolKit/) is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John

  • HA for Cisco IDS/IPS 42xx appliances

    Can anyone refer me to documentation on the Cisco site that talks about high-availability options and configuration examples for Cisco IDS/IPS 42xx appliances? Thank you in advance.

    I am also interested in understanding the high availability options.
    I found the following in the IPS V5 datasheet:
    Auto and manual sensor bypass configuration - High availability can be achieved through numerous mechanisms for Cisco IPS sensors. Resiliency and redundancy can be delivered through unique network collaboration, for example, Hot Standby Router Protocol (HSRP) configuration and Cisco EtherChannel® load balancing on Cisco Catalyst switches to divert traffic to a secondary IPS device upon the failure of a primary device.
    I would like to have more info about how to divert traffic to a secondary IPS device; info about HSRP and EtherChannel load balancing as it relates to IPS. Is this HA option only available in bypass mode? Thanks.

  • SQL Injection detection with IDS/IPS on cisco ASA?

    Hi
    Is it possible to detect or prevent SQL injection attacks using Cisco IDS/ IPS on ASA or with regular expressions?
    Is there any signature available in IDS/IPS for this? And how effective it is in terms of generating correct alarms?
    Thanks in advance

    Deepak,
    We have several signatures that detect generic SQL injection attacks in the 5930-x family of signatures.

  • Catalyst 4500 Ethernet and fibre channel passthru

    dear sir,
    Does anyone have any idea / documentation showing that the devices below, 1.) & 2.), can support Ethernet and Fibre Channel passthru? Thanks.
    1.) WS-X4424-GB-RJ4 (Catalyst 4500 24-port 10/100/1000 Module (RJ45))
    2.) WS-X4306-GB (Catalyst 4500 Gigabit Ethernet Module, 6-Ports (GBIC))

    You're welcome. Check below for the module info. There is a description of support for Fibre Channel passthru.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_data_sheet0900aecd802109ea.html
    You can also search the Cisco web for more info.
    Hope this helps.

  • Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

    We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has their own customer signature policy.
    Does anyone use it in their production environments? Do you find it useful?
    Regarding policy management for devices that already have a signature policy, I know you can discover the policy, what we want to do is take the current discovered policy, modify it if we need to and then re-deploy it to the device. I'm finding that this is all read only once the policy is discovered.
    Is there a way to modify the signature, for example, adding a logging parameter and then re-deploy?
    Just curious if others had similar experiences with CSM.
    Thanks!

    haxworthy,
    I currently use CSM to manage a variety of IPS devices (IOS IPS, 42xx Sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discovers the various policies on the device on an individual basis. Policies can then be edited on a per-sensor basis or on a group level. It has worked wonderfully in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
    -Mike
    http://cs-mars.blogspot.com

  • Trunking on Nexus 5000 to Catalyst 4500

    I have 2 devices on each end of a point-to-point. One side has a Nexus 5000, the other end a Catalyst 4500. We want a trunk port on both sides to allow a single VLAN for the moment. I have not worked with Nexus before. Could someone look at the configurations of the ports and let me know if it looks ok?
    Nexus 5000
    interface Ethernet1/17
      description
      switchport mode trunk
      switchport trunk allowed vlan 141
      spanning-tree guard root
      spanning-tree bpdufilter enable
      speed 1000
    Catalyst 4500
    interface GigabitEthernet3/39
      description
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 141
      switchport mode trunk
      speed 1000
      spanning-tree bpdufilter enable
      spanning-tree guard root

    Thanks guys, we found the issue. The Catalyst is on my side and the Nexus is on the side of the hosting center. The hosting center moved the connection to a different Nexus 5000 and the connection came right up. We dropped the spanning-tree guard root.
    It was working on the previous Nexus when we set the native VLAN to 141. So we thought it was the point-to-point dropping the tags.
    The hosting center engineer thinks it might have to do with the vPC peer-link loop prevention on the previous Nexus.
    Anyway, it is working the way we need it to.

  • WS-X4306-GB - Catalyst 4500 6-port GBIC Module & FC Tape Libraries

    I have several Tape Autoloader Libraries from Dell which have Fibre Channel interfaces. I have loop switches that these connect to today. I also have a Catalyst 4506 with a WS-X4306-GB - 6-port GBIC Module. I would like to use the X4306 as a loop switch. Some of the libraries can also connect via point-to-point FC.
    Can this be done? If yes, how do I start in making this happen?
    Thank You.

    Sorry but the Catalyst 4500 does not support Fibre Channel connections on the WS-X4306-GB (or on any card). It's strictly an Ethernet switch. Reference
    To mix and match Ethernet and FC interfaces, you'd have to be on a new platform like the Nexus 5k series - specifically the UP (Unified Port) variants.

  • QoS trust dscp or cos on catalyst 4500

    We have a 4510R with Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1).
    I want to use qos trust dscp or qos trust cos on the interface connected to another Cisco switch or WLAN controller.
    The current IOS version does not support qos trust dscp:
    SW(config)#interface gi10/16
    SW(config-if)#qos tr
    SW(config-if)#qos trust ?
      device  trusted device class
      extend  Extend trust through a connected device
    SW(config-if)#qos trust device ?
      cisco-phone   Cisco IP Phone
      cts           Cisco-telepresence
      ip-camera     Cisco video surveillance camera
      media-player  Cisco Digital Media Player
    SW(config-if)#qos trust device
    What software do I need for this? I tried the Command Lookup Tool but the Cat4500 does not appear.

    That is even new for me.
    I did a search and found that nowadays you no longer have to provide the trust DSCP command; it is trusted by default.
    Went through this White Paper and excerpts are below:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/white_paper_c11-539588.html
    The answer to your question comes from the following excerpt :-
    "Previously supervisor engines relied on “port trust” to classify traffic; however, this does not fall into the MQC CLI construct. MQC provides a more flexible capability, i.e. all traffic is trusted by default, an administrator can change this trust state using a policy map. Another difference is the “internal DSCP” value used within the switch to place packets in the proper queue.
    Cisco Catalyst 4500E Supervisor Engines do not use “internal DSCP”; rather, it relies on explicit matching of QoS values using class maps so that packets can be placed in the correct queue.
    Also, note that there is no specific priority queue: it is not queue 3 or queue 1. The priority queue is simply configured within a class; therefore, it is not tied to a specific queue. One final difference is that of classification. Cisco Catalyst 4500E Supervisor Engines provide sequential classification rather than parallel. This allows the network administrator to classify traffic at egress based on the ingress markings. These markings can be done unconditionally, using a policer or using a table map. Based on these changes, QoS CLI will now be more contiguous on the Supervisor Engines as it will now have standard Cisco MQC CLI, making configuration management much simpler"
    HTH,
    Please rate all helpful posts.
    Regards

  • Catalyst 4500-X, VSS, and SVI

    Hello, everybody!
    I have a project to implement the VSS feature with two Catalyst 4500-X; it will be the Core/Distribution layer.
    So I want to integrate inter-VLAN routing (SVI) and a VTP domain in the Catalyst 4500-X; in the access layer we'll have SW 3750-X with PoE.
    Is it possible to configure SVIs in my Catalyst 4500-X to separate traffic across VLANs, with the routing in the 4500-X too???
    My customer does not have sufficient space to mount the 4500E series in the rack, so he prefers the 4500-X.
    Help me!
    Thanks!
    Regards

    Hi,
    Is it possible to configure SVIs in my Catalyst 4500-X to separate traffic across VLANs, with the routing in the 4500-X too???
    Yes, there is no difference between a VSS pair and non-VSS when it comes to SVIs and inter-VLAN routing. It works the same way as if the 4500-X were separate.
    HTH

  • Filtering IPs on a IDS/IPS signature

    Forgive me, I am pretty green when it comes to manipulating IDS/IPS signatures.
    Is there a way to filter an IP or subnet from an IDS/IPS signature?
    Scenario:
    We have 2 ASAs with IPS modules and 2 4260 IDSs; we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because it's sending a HELO verb instead of a NOOP. This is fine for this particular mail server. So I would like to remove its IP or filter its IP from the signature so when this happens the signature doesn't fire. However, I don't want to disable the signature in case it happens somewhere else.
    Any help is greatly appreciated.
    e-

    It's not really too bad. I would encourage you to read still though;-)
    Each signature can be configured with any number of actions. By default, a lot of them have the "produce alert" action.
    Event action filters are basically a way to suppress all or some actions based on various criteria, like sig ID and source (attacker) IP address. I've attached an example.
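    A minimal model of what an event action filter does with the scenario above, added here as an example (not Cisco's code and not the attachment the reply mentions): the filter removes only the "produce-alert" action for signature 5748 when the attacker address is the known mail server, while the same signature from any other source keeps its actions and the signature itself is never disabled. The mail server address 192.0.2.25 and the second host 198.51.100.7 are constructed placeholders; the action name "produce-alert" is the sensor's action name for the "product alert" mentioned in the reply.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    """One signature firing as the sensor would see it before event action rules run."""
    sig_id: int
    subsig_id: int
    attacker: str
    actions: set = field(default_factory=lambda: {"produce-alert"})


@dataclass
class EventActionFilter:
    """One entry in the event action filter list: who it matches and which actions it strips."""
    name: str
    sig_id_range: tuple            # inclusive (low, high)
    attacker_networks: list        # list of ip_network objects
    actions_to_remove: set
    enabled: bool = True

    def matches(self, ev):
        low, high = self.sig_id_range
        if not (low <= ev.sig_id <= high):
            return False
        src = ip_address(ev.attacker)
        return any(src in net for net in self.attacker_networks)


def apply_filters(ev, filters):
    """Return the actions left after every enabled, matching filter has removed its actions."""
    remaining = set(ev.actions)
    for f in filters:
        if f.enabled and f.matches(ev):
            remaining -= f.actions_to_remove
    return remaining


# Constructed filter for the scenario in the thread: signature 5748 from the mail server only.
MAIL_SERVER = "192.0.2.25"     # constructed placeholder for the noisy mail server
FILTERS = [
    EventActionFilter(
        name="mailserver-5748",
        sig_id_range=(5748, 5748),
        attacker_networks=[ip_network(MAIL_SERVER + "/32")],
        actions_to_remove={"produce-alert"},
    )
]


def remaining_actions(sig_id, attacker, filters=FILTERS):
    """Actions a firing of sig_id from attacker would still carry after the filters."""
    return apply_filters(Event(sig_id, 0, attacker), filters)


if __name__ == "__main__":
    # The mail server's HELO no longer raises an alert, but the signature is still evaluated.
    print("mail server:", remaining_actions(5748, MAIL_SERVER))        # set()
    # Any other host tripping 5748 still alerts, so the signature was never disabled.
    print("other host: ", remaining_actions(5748, "198.51.100.7"))     # {'produce-alert'}
    # The mail server tripping a different signature is untouched by this filter.
    print("other sig:  ", remaining_actions(5930, MAIL_SERVER))        # {'produce-alert'}
```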

  • Catalyst 4500 Hi CPU

    Hi,
    I have an issue with a Catalyst-4500 (4507R-E, ipbase, 12.2.46SG) that has been running very high CPU for some days:
    By investigating, I observed a couple of processes that are really CPU-consuming:
    I don't know where to look ...
    Some help and/or some suggestion?
    Best regards,
    Claudio

    Two good resources for troubleshooting high CPU on the 4K
    High CPU Utilization on Cisco IOS Software-Based Catalyst 4500 Switches
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-4000-series-switches/65591-cat4500-high-cpu.html
    Troubleshooting High CPU on the Catalyst 4500-E Series Switch
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/troubleshooting/cpu_util.html
    HTH
    Luke

  • Catalyst 4500, scp, rcp

    Does anybody know if it is possible to set up remote access to the Catalyst 4500 series switch through the rcp or scp protocol? I want to start commands on the remote Unix server. Like unix# scp -i identity -B acl.file user@catalyst:system:running-config or unix# rcp acl.file user@catalyst:system:running-config, where acl.file is the file with the access-list. It's important to start commands on the remote server, not on the switch. Thanks for any advice.

    Hello,
    I just tried this on a Cat 4500 using tftp, and successfully changed its hostname, and added a new ACL.
    The same should be true for rcp and scp.
    Just remember to put "end" as the last line of the file, otherwise you will get a %PARSER-4-BADCFG: Unexpected end of configuration file message (but it still works).
    This was tried on Version 12.2(25)EWA4.
    Hope this helped,
    Michael.
