IOS IPS/IDS on a BGP Peering Router?

We have a pair of BGP peerings between our network and our upstream service provider.  Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network, we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points.  Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs.  We also observed that some upstream service provider web sites became inaccessible to our users.  Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
Three questions:
Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)

Hello Bill,
1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that in these scenarios (asymmetric routing is not good for any kind of security device).
2) Yes, it will close the connections. I will definitely need to look for the specific actions regarding that, but you could just check the IOS IPS signature statistics on your router, see which one is triggering the most and then see the action configured for it (and change it if required).
3) If you cannot change that behavior then it would be safe to say the router is not a good place to set an IPS or any other kind of firewall configuration, unless you set it with a weaker security policy (useless from a security standpoint).
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
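A toy model of the first two answers above, added here as an illustration and not code from this thread or from Cisco: a strict TCP normalizer that only admits segments belonging to a handshake it witnessed. The addresses, ports and the three traces are constructed; the "reset" verdict stands in for a signature whose action tears the connection down, and strict=False stands in for the same signature changed to alert-only, which is the check-and-change-the-action step the answer suggests.

```python
"""Toy model of a strict TCP normalizer on a symmetric versus an asymmetric path.

Added example, not Cisco's implementation. It reproduces the failure mode
from the thread with a deliberately small state machine: an inspector that
never witnessed the handshake treats the rest of the session as bogus.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # any subset of "SAFRP"
    payload: int = 0  # bytes of application data carried


def flow_key(seg: Segment) -> tuple:
    """Direction-independent key so both halves of a session share one entry."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))


class StrictNormalizer:
    """Admits a segment only if it belongs to a handshake this device witnessed.

    strict=True  : 'reset' any segment on a flow without a witnessed three-way
                   handshake, the behaviour of a reset-on-anomaly action.
    strict=False : pass the segment and only record the anomaly, equivalent
                   to changing that signature's action to alert-only.
    """

    def __init__(self, strict: bool = True):
        self.strict = strict
        self.state = {}      # flow_key -> "SYN_SEEN" | "ESTABLISHED"
        self.anomalies = []  # (flow_key, reason)

    def observe(self, seg: Segment) -> str:
        key = flow_key(seg)
        state = self.state.get(key)
        if "S" in seg.flags and "A" not in seg.flags:   # SYN
            self.state[key] = "SYN_SEEN"
            return "pass"
        if "S" in seg.flags:                             # SYN/ACK
            if state == "SYN_SEEN":
                self.state[key] = "ESTABLISHED"
                return "pass"
            return self._anomaly(key, "SYN/ACK for a SYN never seen")
        if "R" in seg.flags or "F" in seg.flags:        # teardown
            self.state.pop(key, None)
            return "pass"
        if state == "ESTABLISHED":                      # ACK or data
            return "pass"
        return self._anomaly(key, "segment on a flow with no witnessed handshake")

    def _anomaly(self, key: tuple, reason: str) -> str:
        self.anomalies.append((key, reason))
        if self.strict:
            self.state.pop(key, None)
            return "reset"
        return "pass"


# Constructed endpoints (RFC 5737 documentation ranges).
CLIENT = ("192.0.2.10", 40000)
SERVER = ("198.51.100.80", 80)


def seg(frm: tuple, to: tuple, flags: str, payload: int = 0) -> Segment:
    return Segment(frm[0], frm[1], to[0], to[1], flags, payload)


# One HTTP session as a device on a symmetric path sees it.
SYMMETRIC = [
    seg(CLIENT, SERVER, "S"),
    seg(SERVER, CLIENT, "SA"),
    seg(CLIENT, SERVER, "A"),
    seg(CLIENT, SERVER, "AP", 120),    # request
    seg(SERVER, CLIENT, "AP", 1400),   # response
    seg(CLIENT, SERVER, "FA"),
]
# The same session at a peering router that only carries the outbound half
# (the provider returns the traffic through the other peering point) ...
CLIENT_ONLY = [s for s in SYMMETRIC if (s.src, s.sport) == CLIENT]
# ... and at the router that only carries the inbound half.
SERVER_ONLY = [s for s in SYMMETRIC if (s.src, s.sport) == SERVER]


def inspect(trace: list, strict: bool = True) -> list:
    """Per-segment verdicts one normalizer instance gives for a whole trace."""
    normalizer = StrictNormalizer(strict)
    return [normalizer.observe(s) for s in trace]


def anomaly_count(trace: list, strict: bool = True) -> int:
    """How many segments the normalizer would have alerted on."""
    normalizer = StrictNormalizer(strict)
    for s in trace:
        normalizer.observe(s)
    return len(normalizer.anomalies)


if __name__ == "__main__":
    for name, trace in (("symmetric", SYMMETRIC), ("client-only", CLIENT_ONLY),
                        ("server-only", SERVER_ONLY)):
        print(f"{name:>12} strict={inspect(trace)} alert-only={inspect(trace, False)}")
```

Running it shows the symmetric trace passing untouched, the client-only trace (what a peering router sees when the provider's return traffic enters through the other peering) being reset as soon as the handshake cannot be completed, and the server-only trace being rejected at its first segment. The real IOS IPS normalizer is more elaborate than this, but any stateful device that judges a flow by a handshake it never saw fails the same way, which is the reason behind the third question's instinct to move inspection to a point that sees both directions.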

Similar Messages

  • How many BGP peers does the 3548 switch support?

    Is it possible to run more than 40 peers on a single switch? What is the limitation if not?

    Hi ,
You can have 40 BGP peers; the number of IPv4 unicast routes handled by hardware is only 24000. Ensure all your BGP peering routing updates are within these limits.
    http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3548-switch/data_sheet_c78-707001.html
    Table 7. Hardware Specifications Common to Both Switches
    Hardware tables and scalability     Normal Mode   Warp Mode
    Number of MAC addresses             64,000        8000
    Number of IPv4 unicast routes       24,000        4000
    Number of IPv4 hosts                64,000        8000
    Number of IPv4 multicast routes     8000          8000
    Number of VLANs                     4096
    Number of ACL entries               4096
    Number of spanning-tree instances   Rapid Spanning Tree Protocol (RSTP): 512; Multiple Spanning Tree (MST) Protocol: 64
    Number of EtherChannels             24
    Number of ports per EtherChannel    24
    Buffer size                         6 MB shared among 16 ports; 18 MB total
    Boot flash memory                   2 GB
    HTH
    Sandy

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on an 2911 router?
    I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
    Thank you in advance!

    The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling many more signatures, and especially not every single signature as documented.
    The reason is that the package might include retired/old signatures only for reference, and not every single signature is required to protect your environment: you might not have the traffic for some signatures, or you might not have the end hosts that specific signatures are written for, so it becomes irrelevant if you enable them.
    Typically here is how customers would enable/disable signatures:
    - Use the default signatures that are enabled by Cisco (the default should fit the majority of customers).
    - Monitor it for a couple of months.
    - Disable those that you don't need, and enable others if you think you require them for specific needs.

  • BGP Advertised Routes two Peering

    Dear all
    I have an issue with BGP behaviour. I have two BGP peerings; from both I receive a default route, but one of them,
    AS 65472, is primary, so I set up local preference 200; it is because I want to use AS 65472 as internet
    provider. The other one, AS 65472, is used as secondary internet access, but for the internal network (private) it is
    used as primary. The issue is when I try to ping from the LAN, I cannot reach the internal network; it seems to be
    because local preference is set up within AS65472 and the packet tries to go through AS 65472 because of local preference 200,
    but I need the internal network to go through AS 65471.
    I am sure that I am advertising the network as I expect, but when BGP is running for both peerings, it fails.
    Here is the output for this situation:
    7204VXR-SCT#sh ip bgp neighbors 172.16.40.37 received-routes
       Network          Next Hop            Metric LocPrf Weight Path
    * i0.0.0.0          172.16.40.37             0    100      0 i
    Total number of prefixes 1
    7204VXR-SCT#sh ip bgp neighbors 172.16.40.37 advertised-routes
       Network          Next Hop            Metric LocPrf Weight Path
    *> 10.10.200.0/30   0.0.0.0                  0         32768 i
    *> 10.30.24.0/21    172.16.40.4              0         32768 i
    *> 172.16.17.0/24   172.16.40.5              0         32768 i
    *> 172.16.211.0/24  0.0.0.0                  0         32768 i
    *> 172.18.56.16/29  0.0.0.0                  0         32768 i
    *> 172.30.100.18/32 0.0.0.0                  0         32768 i
    *> 172.31.0.20/30   0.0.0.0                  0         32768 i
    7204VXR-SCT#sh ip bgp neighbors 190.97.254.241 received-routes
       Network          Next Hop            Metric LocPrf Weight Path
    *  0.0.0.0          190.97.254.241                         0 65472 i
    Total number of prefixes 1
       Network          Next Hop            Metric LocPrf Weight Path
    *> 190.153.116.0/22 172.16.40.4              0         32768 i
    *> 190.153.120.0/22 172.16.40.4              0         32768 i
    *> 190.153.124.0/24 172.16.40.37            10         32768 i
    router bgp 65471
     bgp log-neighbor-changes
     neighbor externalBGP peer-group
     neighbor externalBGP remote-as 65472
     neighbor externalBGP version 4
     neighbor internalBGP-SCT peer-group
     neighbor internalBGP-SCT remote-as 65471
     neighbor internalBGP-SCT version 4
     neighbor 172.16.40.37 peer-group internalBGP-SCT
     neighbor 190.97.254.241 peer-group viginet
     address-family ipv4
     neighbor externalBGP soft-reconfiguration inbound
     neighbor externalBGP route-map viginet-in in
     neighbor externalBGP route-map viginet-out out
     neighbor internalBGP-SCT soft-reconfiguration inbound
     neighbor internalBGP-SCT route-map internalBGP-SCT-out out
     neighbor 172.16.40.37 activate
     neighbor 190.97.254.241 activate
     no auto-summary
     no synchronization
     network 10.10.200.0 mask 255.255.255.252
     network 10.30.24.0 mask 255.255.248.0
     network 172.16.17.0 mask 255.255.255.0
     network 172.16.40.0 mask 255.255.255.0
     network 172.16.211.0 mask 255.255.255.0
     network 172.18.56.16 mask 255.255.255.248
     network 172.30.100.18 mask 255.255.255.255
     network 172.31.0.20 mask 255.255.255.252
     network 190.153.116.0 mask 255.255.252.0
     network 190.153.120.0 mask 255.255.252.0
     network 190.153.124.0 mask 255.255.255.0
     exit-address-family
    ip route 172.16.40.36 255.255.255.252 Null0 250
    ip route 190.153.116.0 255.255.252.0 172.16.40.4
    ip route 190.153.120.0 255.255.252.0 172.16.40.4
    ip prefix-list invalidas seq 10 permit 172.16.40.0/24
    ip prefix-list invalidas seq 15 permit 10.30.24.0/21
    ip prefix-list invalidas seq 20 permit 172.16.211.0/24
    ip prefix-list invalidas seq 25 permit 172.18.56.16/29
    ip prefix-list invalidas seq 30 permit 172.30.100.18/32
    ip prefix-list invalidas seq 35 permit 10.10.200.0/30
    ip prefix-list invalidas seq 40 permit 172.16.17.0/24
    ip prefix-list invalidas seq 45 permit 172.31.0.20/30
    ip access-list standard viginet-100
     permit 190.153.116.0 0.0.3.255
     permit 190.153.120.0 0.0.3.255
     permit 190.153.124.0 0.0.0.255
    route-map externalBGP-out permit 10
     match ip address viginet-100
    route-map externalBGP-in permit 10
     set local-preference 200
    route-map internalBGP-SCT-out permit 10
     match ip address prefix-list invalidas

    Hello.
    If you want your internal network to go through peer 65471 (to 0.0.0.0/0), then why do you need AS 65472?
    Could you please provide "show ip bgp 0.0.0.0/0"?

  • BGP peering via default route

    I read http://blog.ipexpert.com/2010/11/08/bgp-peering-and-default-routes/ and understood that a BGP speaker will not initiate a BGP connection with the other BGP router if it can reach it via a default route only, and that BGP peering will not come up at all if both BGP speakers know each other via default routes only. I could not understand the reason behind this though. Could any expert help me in understanding the underlying reasoning?

    I can't think of a reason why you would want to peer with a router you don't have a route for. If you're relying on a default route for a multi-hop bgp peer session, it could cause the session to be unreliable due to changes in the network down the line from you. An unreliable bgp session would be bad on the router's cpu/memory if the session were to flap.

  • Cisco IOS IPS in Cisco 2921/k9 router

    Hi All,
    I have a router of the Cisco 2921 series (C2921/K9), a basic box with the IP Base IOS image (SL-29-IPB-K9 IOS). I would like to enable the IOS-level IPS feature on this router now. Based on the Cisco document I have found, I need to purchase an additional subscription license to enable the IPS feature. My query is:
    Will it be supported on the basic IP Base IOS, or do I need to change the IOS?
    If I need to purchase the subscription license, how can I get the part number and cost for the same?
    Do I need to buy any additional module for this, like (NME-IPS-K9)?
    Thanks in advance for your quick support
    regards
    Sunny

    Hi Sunny
    1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
    2. Correct, the modules and appliances run a different kind of software and are much more powerful
    3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
    I hope this helps, let us know.
    regards
    Herbert
    jacob.samuel wrote:
    Dear Herbert,
    Thanks a lot for the wonderful post. It cleared most of my doubts. Still I kindly need to know a few more points:
    1) Can't we enable the IPS feature on a 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without a signature subscription license (is it a must? it is for getting signature updates and for support only, right?)
    2) I came to know from a distributor pre-sales engineer that the Cisco IOS-level Intrusion Protection is not going to provide the full feature set of IPS like the NME module or IPS appliance. Is that right?
    3) If I add the NME-IPS-K9 module to my 2921 router without enabling the Sec license, can I enable the IPS feature on the router? Or is it a must that I buy the Sec License (SL-29-SEC-K9)?
    Attaching the datasheet of the NME-IPS-K9 module (page 5, above Table 3), which mentions the following:
    Cisco IOS Software Feature Sets and Release
    Table 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841, 2800 and 3800 series Integrated Services Routers. Note that IPS NME on the Cisco 2900 and 3900 Integrated Services Routers does not require a Security Feature license.
    In that case, if I buy a module I can install it on the 2921K9 box directly and can enable the IPS feature, right? I don't need any license and additional signature subscription here to enable the IPS feature (if I don't need signature updates and support), right?
    Thanks a lot for the support.
    regards
    Sunny

  • IOS IPS 3845 router

    The IOS IPS keeps failing. For some reason it sends the alerts to MARS and then all of a sudden the IPS is disabled on the interface. This config was done through SDM.

    CS-MARS also integrates tightly with Cisco's premier security management suite, Cisco Security Manager (CSM). This tight integration maps traffic-related syslog messages to the firewall policies defined in CSM that triggered the event. Policy lookup enables rapid, round-trip analysis for troubleshooting firewall configuration-related network problems, policy configuration errors, and fine-tuning defined policies.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_tech_notes_list.html

  • CSM3.1 device addition of IOS IPS router

    Upon adding an IOS IPS device running (C2800NM-ADVIPSERVICESK9-M, Version 12.4(15)T1) and 5.x-303 release signatures, CSM 3.1 does not display it as an IPS-enabled device. The device in question (2821) has a stand-alone config and 5.x advanced signatures functioning properly.
    In the device properties of said 2821 in CSM 3.1, IPS is a feature but is grayed out. I have successfully added 2 ADSM modules from our 6513s and it displays them as IPS devices and I can add/deploy signatures to these devices. However, CSM 3.1 does not recognize the 2821 as an IOS IPS device and I cannot add/deploy to this device. What am I missing here?

    In this case you will need to create a new device in CSM (using the Add Device option) and discover the device for the IOS IPS policies to show up. Just doing a rediscovery of an existing IOS device will not show the IOS IPS policies. This is because CSM treats the IOS IPS device as a different target type than a IOS device.

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures, which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
                   Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • How to enable IPS IPS/IDS in cisco 2811

    Hi all,
    I have a Cisco 2811 with IOS Version 12.4(20)T and I need to enable IPS or IDS in this. What is the config for this?
    First of all, I need to know whether I can do IPS/IDS in my router as well..
    - Ribin

    Hi,
    I did enable IPS in the router and configured it to notify our log server. Below is the log I received on my log server.
    What does IPS do now and what kind of logs can I expect?
    Thanks,
    Ribin
    Apr 19 14:53:38 192.168.11.10 4546: *Apr 19 09:27:41.254: %SYS-5-CONFIG_I: Configured from console by ribin on vty0 (192.168.11.35)
    Apr 19 18:04:29 192.168.11.10 4548: *Apr 19 12:38:32.601: %CRYPTO-6-IPSEC_USING_DEFAULT: IPSec is using default transforms
    Apr 19 18:12:10 192.168.11.10 4549: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDS_STARTED: 12:46:14 UTC Apr 19 2009
    Apr 19 18:12:10 192.168.11.10 4550: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
    Apr 19 18:12:10 192.168.11.10 4551: *Apr 19 12:46:14.557: %IPS-6-ENGINE_READY: atomic-ip - build time 16 ms - packets for this engine will be scanned
    Apr 19 18:12:10 192.168.11.10 4552: *Apr 19 12:46:14.557: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16 ms

  • IOS IPS and VMS and shunning

    Installed 12.3.14T2 (advanced security) on 2811 router with new
    VMS update to the IDS Management Center (2.1) to support IOS IPS SDEE event monitoring. When I configure a specific signature, there is no option to shun. Only alert, block or reset. Where do you configure the dynamic shunning or "local shun action" that seems to be in all the "new features" of the IOS IPS?
    Configuring the signature to block, alert or reset works fine. Just no options to shun. Also the IPS device does not show up in the device list under Monitoring on VMS, even though it shows up as a device in Monitoring Center Device Page.
    Maybe this is where the problem may lie.

    IOS versions before 12.3(14)T support the following
    actions for IOS IPS:
    - alarm
    - drop (drop just the offending packet)
    - reset (reset tcp connection - works for tcp only)
    Version 12.3(14)T and later (including 12.4 versions) added support for the "local shunning" through two different actions:
    - denyFlowInline
    - denyAttackerInline
    DenyFlowInline creates an ACL that drops all traffic on that connection for a certain idle-timeout.
    DenyAttackerInline creates an ACL that drops all traffic from that source address (including other connections from that source address) for a certain idle-timeout.
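The difference between the two shun actions described in the answer above, as an added model that is not Cisco's ACL implementation and not code from this thread: a shun table keyed on the full flow for denyFlowInline and on the source address for denyAttackerInline, with entries aging out after an idle timeout that matching traffic refreshes. Addresses, ports and timestamps are constructed, and the 60-second idle timeout is an arbitrary assumption, not the router's default.

```python
"""Model of IOS IPS local shunning: denyFlowInline versus denyAttackerInline.

Added example, not Cisco's implementation. A shun table stands in for the
dynamic ACL: one entry per offending flow (denyFlowInline) or per offending
source address (denyAttackerInline), each aging out after an idle timeout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float          # seconds; constructed timestamp
    proto: str = "tcp"

    def flow(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class ShunTable:
    """Dynamic deny entries whose idle timer is refreshed by matching traffic."""

    def __init__(self, idle_timeout: float = 60.0):
        self.idle_timeout = idle_timeout   # assumed value, not an IOS default
        self.flows = {}      # 5-tuple -> time of last match
        self.attackers = {}  # source address -> time of last match

    def deny_flow_inline(self, pkt: Packet) -> None:
        """Shun only the connection the signature fired on."""
        self.flows[pkt.flow()] = pkt.t

    def deny_attacker_inline(self, pkt: Packet) -> None:
        """Shun every packet from the offending source, other connections included."""
        self.attackers[pkt.src] = pkt.t

    def _expire(self, now: float) -> None:
        for table in (self.flows, self.attackers):
            stale = [k for k, last in table.items() if now - last > self.idle_timeout]
            for k in stale:
                del table[k]

    def verdict(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        if pkt.src in self.attackers:
            self.attackers[pkt.src] = pkt.t   # a hit keeps the entry alive
            return "drop"
        key = pkt.flow()
        if key in self.flows:
            self.flows[key] = pkt.t
            return "drop"
        return "forward"


ATTACKER = "203.0.113.7"   # constructed, RFC 5737 documentation range
VICTIM = "192.0.2.20"


def scenario(action: str, idle_timeout: float = 60.0) -> list:
    """Apply one shun action to a triggering packet, then probe the table."""
    table = ShunTable(idle_timeout)
    trigger = Packet(ATTACKER, 1111, VICTIM, 80, t=0.0)
    if action == "flow":
        table.deny_flow_inline(trigger)
    elif action == "attacker":
        table.deny_attacker_inline(trigger)
    else:
        raise ValueError(f"unknown action {action!r}")
    probes = [
        Packet(ATTACKER, 1111, VICTIM, 80, t=1.0),      # same connection
        Packet(ATTACKER, 2222, VICTIM, 443, t=2.0),     # new connection, same source
        Packet("192.0.2.99", 3333, VICTIM, 80, t=3.0),  # unrelated client
        Packet(ATTACKER, 1111, VICTIM, 80, t=200.0),    # after more than 60 s of silence
    ]
    return [table.verdict(p) for p in probes]


if __name__ == "__main__":
    for action in ("flow", "attacker"):
        print(f"{action:>8}: {scenario(action)}")
```

With "flow", only the original connection is dropped and the attacker's second connection goes through; with "attacker", both are dropped while the unrelated client is unaffected. In both cases the last probe, sent after the table has been idle longer than the timeout, is forwarded again, which is why a long-lived attacker that keeps probing stays shunned while a quiet one ages out.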

  • IOS IPS Restore Deleted Signatures

    I have a router with IOS IPS and manage this using SDM.
    I have deleted a signature from the router and would now like to re-install it.
    Using SDM import feature I have looked for the deleted signature in the 256mb.sdf that I've downloaded from the Cisco website. It doesn't appear in the list of signatures. I've tried the attck-drop.sdf and the local ios sdmips.sdf but the signature is not listed.
    does anyone have any idea how I can get it back?
    The deleted signature is 4050 UDP Bomb.
    Thanks

    4050 UDP bomb is a built-in signature within the IOS. Some 100 odd signatures (version dependent) are loaded into the router by default when your IOS has the IDS image. Look under the ATOMIC.UDP signatures for 4050.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm#wp1000985
    You may be able to re-enable your signature using the following command on the CLI.
    "no ip audit signature 4050 disable"
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_d1g.htm#wp1073162

  • IOS IPS

    If the IOS IPS pkg file is 7MB and after I do a copy tftp://xxx/xxx.pkg idconf, where does the file go? I don't see anything on the flash other than the .xml config files.
    Any thoughts?

    First, please take a look at http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml.
    In summary, the copy command follows this process:
    1. load the signature package from the outside server
    2. parse it and read it into memory
    3. save it out to the directory configured as the ips location; in normal cases this is the router flash.
    When saving the files out, it saves them as multiple files in a compressed format; even though they have a .xml extension, they are compressed.
    Here are the files that get saved out:
    -sigdef-typedef.xml: type definition file, defines the engine parameters etc.
    -sigdef-category.xml: signature category file, just a mapping file that maps the categories to signature IDs
    -sigdef-default.xml: signature file, contains all signatures and their parameter definitions
    When managed by CSM/SDM, it will also save out a couple of other files:
    -sigdef-delta.xml: contains all signature modifications other than the defaults in sigdef-default.xml
    -seap-delta.xml: contains all the SEAP configuration changes
    -seap-typedef.xml: SEAP type definition file
    Thanks,
    -Chris

  • 2811 IOS IPS VMS Configuration

    I have several already deployed 2811s on which I'd like to turn on the IPS feature. IOS firewall is already running. We also have just deployed VMS. Is there any order that needs to be followed to get these into VMS? Should I import them into Router MC or IDS MC first? The IDS MC documentation isn't clear to me on setting up IOS IPS.
    thanks in advance

    No particular order (that I am aware of).
    As far as Security Monitor to monitor IDS alerts, I chose the hard way and just manually added each of our devices; tedious, but all is working.
    As far as Performance Monitor, I imported from RME.
    The bulk of our routers run 12.3(11)T and 12.3(11)T2.
    We have a ton of 831s and I chose for them to send alerts via PostOffice rather than waiting for collections via SDEE because the memory in the 831s (48MB) is already just about maxed out (regularly over 80%) just running the daily needed applications (VPN and CBAC). We have some 1700s and 2600s out in the field too that are not as taxed.
    if you choose the PostOffice route (or test it out) then here are the commands and steps you need:
    First add the device in Security Monitor to use PostOffice
    then from the router console, ssh, etc........
    ip ips notify nr-director
    ip ips po max-events 100
    ip ips po remote hostid [VMS Host ID#] orgid [ORG #] rmtaddress [VMS IP Address] localaddress [Router IP Address] port 45000
    ip ips po local hostid [Router Host ID#] orgid [Org ID#]
    exit
    write mem
    reload
    Once you reload it will send an initial packet to VMS and the router will register as 'Connected' in Sec Monitor.
    You should make sure that the 'ip ips po' commands are accepted in your IOS version
    I don't know what your memory consumption is like in your 2800 Router but the config for SDEE Event Collection is much less involved. If your router has resources to spare this is the way to go.

  • Which interface to apply IOS IPS

    Hello,
    I have IOS IPS installed on 4 routers on our network at different sites.  They are 2911 routers with 2GB RAM and I am using the latest signatures from Cisco.  Everything is working fine.  I have enabled the basic signatures.  At the moment the IPS policy is only applied to the WAN interface and not the LAN. So in summary:
    interface serial0/0     (wan link)
    ip address x.x.x etc
    ip ips mypolicy in
    ip ips mypolicy out
    exit
    According to Cisco I should not bother applying ip ips mypolicy out on the WAN interface (serial0/0) but should have ip ips mypolicy in on the fa0/0 LAN interface as well as the serial0/0 interface.
    interface fa0/0          (lan traffic)
    NO IPS POLICY IN HERE AT THE MOMENT
    anyone got experience on this?
    regards
    Kevin

    Hi Kevin,
    I would say that you have done the right thing; since routers are limited in memory, we should not enable a lot of signatures and should also try to limit the scanning to traffic that we actually need scanned.
    With what you have done, any traffic that is entering or leaving the WAN interface will be scanned.
    Now if there are more interfaces on your router and you want the traffic between those interfaces to be scanned as well, only in that case should you enable IPS on those interfaces.
    Most of the time it is not needed.
    Regards,
    Sachin
