IPS interface pairs

Hi. I have one switch with 2 VLANs configured. The switch connects to an IPS, and the IPS is configured in inline interface pair mode.
I want to ask: in this setup, must the VLANs be in the same subnet?
If I have two switches, must the VLANs be in different subnets?

I want to know that.
I deploy my IPS sensor in interface pair mode.
I have one switch and I configured 2 VLANs (VLAN 10 and 20) on this switch. The IPS is connected to the switch through two physical interfaces in interface pair mode. Do I configure the VLANs in different subnets in this application?

Similar Messages

  • IPS Interface Pairs vs. Inline VLAN Pairs

    I've got a Cisco IPS 4240 that needs to be configured inline. Right now I've got an ASA 5525-X with two interfaces (inside and DMZ) plugged into our Catalyst 6500 switch that need to be monitored by the IPS. I also plugged two interfaces from the IPS into the same Catalyst switch hoping that I could use the inline VLAN pairs to monitor that traffic. I've got several VLANs in our DMZ and LAN that need to be monitored. The problem is that I don't understand how the inline VLAN pairs are supposed to work (Cisco's IPS documentation is almost useless); I've been fighting with it for some time with no success.
    I'm now thinking that it might be a better idea to plug the two interfaces from the ASA directly into the IPS and then create Interface Pairs from the IPS to the switch. My concern with doing this is that I am turning the IPS into a single point of failure: if it goes down, everything goes down with it. Also, will the Interface Pairs work with an 802.1q trunk? Would I then need to create VLAN groups for the trunk? Would using inline VLAN pairs also create a single point of failure?
    Basically, I'd like to know the pros and cons of the Interface Pairs vs. the Inline VLAN pairs. Interface Pairs seems like the easiest and most comprehensive way to go, but if I can avoid the single point of failure with the inline VLAN pairs I would like to go that route.

    Hello Paul,
    I want to go with Inline VLAN pair; I don't want to go with interface pairing, as this is requested by the customer. How can I do it, as I have an IPS-4240 with 4 gig ports?
    I have a doubt: if we create a VLAN pair, then in each pair must one be a real VLAN and the other a dummy VLAN???? (for example VLAN 2 and VLAN 3, in which VLAN 3 is the dummy VLAN). Please suggest.
    If I have 10 VLANs then I will configure the 10 pairs of VLANs on gig0/0 with real and dummy VLANs, but what VLAN pair should I configure on gig0/1, i.e. the exit interface to the ASA DMZ interface?
    Thanks
    Message was edited by: adamgibs7

  • Interface pairs subneting

    I have one IPS 4255 sensor and one Catalyst switch. I deploy IPS interface pairs connecting two VLANs, 33 and 22. I want to learn this:
    must the VLANs (33 and 22) be in the same subnet????? or different subnets in interface pairs mode???
    Because when I use the same subnet at interface pairs it works, and when I use different subnets at interface pairs it does not work.
    Please write your comment.

    The in-line interface pairs of the Cisco IPS sensor are transparent to traffic. You can think of the sensor as a "bump in the wire". Since there is no layer 3 routing intelligence in the sensor, there is nothing that would pass traffic between two different subnets on a pair of in-line interfaces. Both interfaces need to be addressed within the same subnet.
    - Bob

  • Interface pair configuration documentation?

    I want to change up the current config of my 4215 to use two ports for an IPS inline pair pass-through setup. If you have come across the documentation on this I would appreciate it if you could link the relevant documentation in your reply. I currently have 5 interfaces and will use 2 of the Fa interfaces to handle the traffic, leaving 2 Fa interfaces and 1 Gb interface for monitoring.
    I want to pass my remote VPN users traffic through this inline pair.
    Thanks in advance and I will continue to search for the documents.

    Version 6:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00807517bb.html#wp1046883
    Version 5:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c2.html#wp1033269

  • Switch config for Inline Interface Pair

    Hello all
    I'm having a doubt here, so I need your help.
    I want to configure an IPS in inline interface mode. What I have is
    internet rtr---->Switch----->outside interface of ASA
    Here, I want to monitor/inspect the traffic coming from the internet.
    I am planning to connect the inline interfaces to the same switch.
    What I'm not sure of is what the switchport configuration for the inline interface pair will be.
    Also, how will the switch forward traffic to the IPS and then the IPS to the ASA?
    Thanks in advance
    ..Abhi

    What are you using for an IPS, an appliance? an IOS IPS in the Internet router or the ASA?
    If you want to feed the output of your IPS into the same switch as the input, you'll need to create two separate VLANs, one for the switch interfaces that are outside your IPS and the other for the interfaces that are inside your IPS.
    interface Gi0/1
      switchport access vlan 10
      switchport mode access
      switchport nonegotiate
    interface Gi0/5
      switchport access vlan 20
      switchport mode access
      switchport nonegotiate
    interface vlan 10
    interface vlan 20
    - Bob

  • IPS Interface duplex - Half/Full??

    I have an IPS 4260, running Version 6.0(5)E2.
    I have noticed different duplex settings on the interfaces.
    My understanding based on the logs below:
    The interfaces below seem to be running in half duplex, but they are configured for full duplex.
    -GigabitEthernet2/0
    -GigabitEthernet2/3
    -GigabitEthernet3/3
    Is there any misconfiguration or a problem on my IPS?
    extract from "show tech-support" command:
    MAC statistics from interface GigabitEthernet2/0
    Link Status = Up
    Link Speed = 100
    Link Duplex = Half
    MAC statistics from interface GigabitEthernet2/1
    Link Status = Up
    Link Speed = 100
    Link Duplex = Full
    MAC statistics from interface GigabitEthernet2/2
    Link Status = Up
    Link Speed = 100
    Link Duplex = Full
    MAC statistics from interface GigabitEthernet2/3
    Link Status = Up
    Link Speed = 100
    Link Duplex = Half
    MAC statistics from interface GigabitEthernet3/0
    Link Status = Down
    Link Speed = N/A
    Link Duplex = N/A
    MAC statistics from interface GigabitEthernet3/1
    Link Status = Down
    Link Speed = N/A
    Link Duplex = N/A
    MAC statistics from interface GigabitEthernet3/2
    Link Status = Up
    Link Speed = 100
    Link Duplex = Full
    MAC statistics from interface GigabitEthernet3/3
    Link Status = Up
    Link Speed = 100
    Link Duplex = Half
    Oct 29 18:40:04 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
    Oct 29 18:40:07 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Half Duplex
    Oct 29 18:40:08 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
    Oct 29 18:40:08 sensor user.info kernel: e1000: ge2_1 NIC Link is Down
    Oct 29 18:40:15 sensor user.info kernel: e1000: ge2_1 NIC Link is Up 100 Mbps Full Duplex
    Oct 29 18:40:37 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Half Duplex
    Oct 29 18:40:37 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
    Oct 29 18:40:37 sensor user.info kernel: e1000: ge2_1 NIC Link is Down
    Oct 29 18:40:37 sensor user.info kernel: e1000: ge2_1 NIC Link is Up 100 Mbps Full Duplex
    Oct 29 18:40:40 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Half Duplex
    Oct 29 18:40:43 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
    Oct 29 18:40:43 sensor user.info kernel: e1000: ge2_1 NIC Link is Down
    Oct 29 18:40:43 sensor user.info kernel: e1000: ge2_1 NIC Link is Up 100 Mbps Full Duplex
    Oct 29 18:40:43 sensor user.debug kernel: Set Affinity to 1
    Oct 29 18:42:48 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Half Duplex
    Oct 29 18:42:48 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
    Oct 29 18:42:48 sensor user.info kernel: e1000: ge2_1 NIC Link is Down
    Oct 29 18:42:48 sensor user.info kernel: e1000: ge2_1 NIC Link is Up 100 Mbps Full Duplex
    Oct 29 18:42:49 sensor user.info kernel: e1000: ge2_0 NIC Link is Up 100 Mbps Full Duplex
    Oct 29 18:42:49 sensor user.debug kernel: Set Affinity to 1
    Oct 29 18:42:49 sensor user.info kernel: e1000: ge2_0 NIC Link is Down
    Oct 29 18:43:10 sensor user.info kernel: e1000: ge2_2 NIC Link is Up 100 Mbps Half Duplex
    Oct 29 18:43:10 sensor user.info kernel: e1000: ge2_3 NIC Link is Down
    Oct 29 18:43:10 sensor user.info kernel: e1000: ge2_2 NIC Link is Down
    Oct 29 18:43:10 sensor user.info kernel: e1000: ge2_3 NIC Link is Up 100 Mbps Half Duplex
    Physical Config
    ID  Name   Pair  Logic  Reset  Admin  Speed  Duplex  Mode
    0   ge0_1  0     0      n/a    down   Auto   Auto    Prom
    1   ge3_1  2     19     n/a    up     Auto   Auto    Pair (HW Bypass)
    2   ge3_0  1     19     n/a    up     Auto   Auto    Pair (HW Bypass)
    3   ge3_3  4     17     n/a    up     100    Full    Pair
    4   ge3_2  3     17     n/a    up     100    Full    Pair
    5   ge2_1  6     18     n/a    up     100    Full    Pair
    6   ge2_0  5     18     n/a    up     100    Full    Pair
    7   ge2_3  8     16     n/a    up     100    Full    Pair
    8   ge2_2  7     16     n/a    up     100    Full    Pair

    Check the interface configuration for Link Duplex configuration as the command "show tech-support" will show the interface parameters as per the configuration done. So the output of this command completely depends on the configuration that has been done and is existing. So when the interface is configured as "full" for link duplex it will show as full and not the other way.
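As an added example (not from the thread and not Cisco tooling), the following Python script parses a `show tech-support` extract in the format quoted above and lists interfaces whose negotiated link duplex differs from the value in the Physical Config table. The sample output embedded in it is constructed for illustration; the parsing is keyed to the exact line formats shown in the thread.

```python
import re

# Constructed sample modelled on the "show tech-support" extract quoted above
# (not the poster's full output): MAC statistics, then the Physical Config table.
SHOW_TECH = """\
MAC statistics from interface GigabitEthernet2/0
Link Status = Up
Link Speed = 100
Link Duplex = Half
MAC statistics from interface GigabitEthernet2/1
Link Status = Up
Link Speed = 100
Link Duplex = Full
MAC statistics from interface GigabitEthernet3/1
Link Status = Up
Link Speed = 100
Link Duplex = Full
Physical Config
ID Name Pair Logic Reset Admin Speed Duplex Mode
1 ge3_1 2 19 n/a up Auto Auto Pair (HW Bypass)
5 ge2_1 6 18 n/a up 100 Full Pair
6 ge2_0 5 18 n/a up 100 Full Pair
"""

def short_name(long_name):
    """Map 'GigabitEthernet2/0' (MAC statistics) to 'ge2_0' (Physical Config table)."""
    m = re.match(r"GigabitEthernet(\d+)/(\d+)$", long_name)
    return f"ge{m.group(1)}_{m.group(2)}" if m else long_name

def parse_mac_stats(text):
    """Observed link state per interface: {'ge2_0': {'status': 'Up', 'speed': '100', 'duplex': 'Half'}, ...}."""
    stats, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"MAC statistics from interface (\S+)", line)
        if m:
            cur = short_name(m.group(1))
            stats[cur] = {}
            continue
        m = re.match(r"Link (Status|Speed|Duplex) = (\S+)", line)
        if m and cur is not None:
            stats[cur][m.group(1).lower()] = m.group(2)
    return stats

def parse_physical_config(text):
    """Configured settings per interface from the Physical Config table (name -> fields)."""
    cfg, in_table = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Physical Config"):
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) < 9 or fields[0] == "ID":
            continue
        cfg[fields[1]] = {"id": fields[0], "pair": fields[2], "admin": fields[5],
                          "speed": fields[6], "duplex": fields[7], "mode": " ".join(fields[8:])}
    return cfg

def duplex_mismatches(show_tech):
    """[(name, configured, negotiated)] for interfaces whose link duplex differs from the configured value."""
    # Links that are down or configured Auto are skipped: there is no fixed setting to compare against.
    stats, cfg = parse_mac_stats(show_tech), parse_physical_config(show_tech)
    out = []
    for name, obs in stats.items():
        conf = cfg.get(name)
        if conf is None or obs.get("status") != "Up" or conf["duplex"] == "Auto":
            continue
        if obs.get("duplex") != conf["duplex"]:
            out.append((name, conf["duplex"], obs["duplex"]))
    return out
```

Run against the poster's full extract it would flag ge2_0, ge2_3 and ge3_3 (configured Full, negotiated Half). A duplex mismatch on an inline pair member shows up as late collisions and drops on that link, which from the network's point of view looks like the sensor dropping traffic.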

  • IPS VLAN pair in VSS

    Hi
    I have a server farm connected to Cisco 6509 core switches in VSS mode. We have two IPSes to connect inline (VLAN pair) for the server farm. I want to know how we will connect these two IPSes, because since the switches are in VSS mode, they will act as one switch. Please give me a solution to connect both IPSes and configure them in VLAN inline pair mode on the VSS core switch.
    Regards
    Anvar

    Hi,
    how did you solve this? Have you tried load-balancing using multichassis etherchannel?
    Radim

  • IPS interface statistic reset

    hi,
    How can I reset the interface statistics on my IPS devices?
    Thanks

    Most of the interface statistics in "show interface" are MAC level (hardware) statistics and cannot be reset except by rebooting the sensor.
    The higher level statistics, such as "show statistics virtual-sensor" can be reset by appending the keyword "clear" to the request. In that case, the current statistics are displayed and then reset internally. The next invocation will show statistics since the "clear". One of the statistics is "Seconds since last reset" and you can use it to verify that your reset is taking place.

  • IPS Interface using SNMP

    Hi there,
    I am encountering a problem with a number of Cisco IPS 4200 series devices. When we perform a walk using the MIB-II (rfc1213) OIDs, the information that is returned is incorrect (interface status, speed, ...)...
    After some searching, I found the following on the Cisco site for these devices:
    The following private MIBs are supported on the sensor:
    • CISCO-CIDS-MIB
    • CISCO-PROCESS-MIB
    • CISCO-ENHANCED-MEMPOOL-MIB
    • CISCO-ENTITY-ALARM-MIB
    Note MIB II is available on the sensor, but we do not support it. We know that some elements are not correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can use elements from MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.
    Is there any way that we can correctly read the interface status, speed, etc.? I cannot find similar OIDs in the supported MIBs.
    IPS4240 ver 7.0(4)E4
    Thanks

    Hi,
    Unfortunately, there is currently no way to get the correct interface statistics through SNMP.
    An enhancement request has been opened to have parts of MIB-II supported:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk41177
    If this feature is important for you, you can contact your account team so that they can work with the IPS folks to have this feature prioritized for the next software release.
    Regards,
    Nicolas

  • IPS Redundancy Pair and Etherchannel

    Guys,
    Do you have any experience with IPS redundancy?
    I have an idea about it:
    |-----------|
    |-----------| ---link-1--- IPS-1
    |-switch-|
    |-----------| ---link-2--- IPS-2
    |-----------|
    Two IPSes (IPS-1 and IPS-2) are deployed "out of band" on one switch (I know it can be deployed using two switches and an inline topology, but I don't have another switch :D). Link-1 and link-2 are EtherChannel trunks. The EtherChannel trunk carries the inside VLAN and the outside VLAN. On IPS-1 and IPS-2 there is a VLAN mapping for those VLANs (inside <--> outside).
    What do you think guys ?

    Hi,
    how did you solve this? Have you tried load-balancing using multichassis etherchannel?
    Radim

  • Pairing odd physical type interfaces for ips

    In the 4250-SX, there is a copper gigabit interface (ge_0/0) and a fiber gigabit interface (ge_1/0). Can these interfaces be paired together to do blocking, or do they have to be the same physical type?
    What are the disadvantages, if any, of pairing odd physical type interfaces?

    Pairing of copper and fiber interfaces is not supported.
    We have not tested this configuration and do not know what issues might develop from that combination.
    Here is the list of supported inline interface pairs:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliinter.htm#wp1057307
    Alternatives:
    1) Purchase a second SX interface from Cisco so you can pair the 2 SX interfaces.
    2) Use InLine VLAN Pairs, which pair 2 VLANs on a single interface instead of using 2 interfaces. You can then create inline VLAN pairs on the SX card, and can even create inline VLAN pairs on the TX interface of the motherboard at the same time.
    Marco

  • Issue - Inline VLAN pair IPS

    Hello everyone,
    I have an issue with a 4255 IPS using an inline VLAN pair. Here's the rough sketch of the topology:
    SW1
    port 1 access vlan 10 - PC (10.20.30.2/24)
    port 48 trunk to SW2 - all vlans allowed and forwarding
    SW2
    port 48 trunk to SW1 - all vlans allowed and forwarding
    port 1 trunk allowed vlan 10,20 to IPS g0/1 configured in inline VLAN pair; assigned to sensor etc.
    SVI vlan 20 for network 10.20.30.1/24 (up/up)
    I'm unable to ping SVI from PC. Anyone have any suggestions? Running packet display on IPS interface I only see BPDUs hitting the interface. VTP is enabled but pruning is disabled. Both vlans exist on both switches.
    I'm only seeing ARP requests from SVI on the IPS, but no replies coming from the remote switch.
    Alternatively the PC is sending ARP requests to the SVI IP, but those aren't getting resolved, nor are they getting to the IPS interface.

    Hello Yuriy
    So the topology is something like
    PC-----ACCESSPORT----SW1----TRUNK----SWITCH2
                                            |
                                            |
                                     IPS Inline vlan pair
    The thing is that if you already allow the VLANs on the trunk link, then traffic will not get inspected by the IPS.
    Do you see what I mean? You must force it to go to the IPS.
    Let me know if I was clear enough.

  • Sensing interfaces on IPS!

    Hi
    Guys
    I have an IPS 4215 with the 6.0 image, 4 sensing interfaces along with the C&C. I'm confused a little bit about the sensing interfaces across the network; what I'm thinking is as follows:
    The IPS will function in inline mode.
    1) Two sensing interfaces bridged together on the inside
    2) Two sensing interfaces bridged together on the outside, because I have a web server on the DMZ that needs to be accessed from outside
    But the inline rule says: traffic from one interface to another interface needs to be checked. So how is that with traffic leaving my network to the internet? It needs to be checked too, which is useless in this case, because I just need inspection of traffic coming from outside toward my web server and inspection on the inside interfaces.
    Any help here in order to determine the ideal deployment for the sensors?
    Thanks a lot

    Can't really find a sample config on IPS, however, here is sample config on the concept on transparent firewall which is exactly what IPS is:
    Interface pair (on ASA firewall): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    VLAN pair (FWSM): http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/exampl_f.html#wp1029042
    For the VLAN pair example, just check the diagram: basically 1 subnet, and the VLAN pairing basically forces the traffic to go through the firewall/IPS. Since all hosts are on one layer 3 subnet, a host will ARP for the IP address, and if the default gateway is on the other side of the IPS/firewall, the traffic is forced to traverse the appliance to get to its default gateway, hence forcing the traffic to be inspected by the IPS. Otherwise, there is no other way to force traffic to pass through the IPS, as the IPS is a layer 2 device (the sensing interface is L2), not a routed device.

  • IPS Inline Interface Mode - Can you use a port-channel?

    Hi,
    I'm trying to determine if you can have a 2-gig Layer-3 Port-channel going through an IPS 4260 appliance. See attached diagram. Is this possible?
    The client I'm working with would prefer not to break this Port-channel into equal-cost 1-gig links (I don't think there will be any performance difference...) However I'm thinking if they want the appliance inline like the diagram shows - they will need to break the port-channel. Is that a correct assumption?
    Thanks,
    Brad

    Yes this is possible.
    It will require 2 InLine Interface Pairs on the sensor and both pairs should be added into the same Virtual Sensor.
    The 4260 will not be aware that etherchannels are used on both sides, and does not need to be aware.
    This may, however, require manual enablement of the etherchannels.
    Also keep in mind that the performance in this setup will be limited to what the IPS-4260 is able to perform with that traffic.
    If the IPS is only able to monitor 1 Gbps (which is its rating for Transactional traffic tests), then having the 2 InLine Interface Pairs will not give them any more performance than a single pair would.
    If the IPS is able to monitor more than 1Gbps of their traffic (it is rated at 2Gbps for Media Rich tests), then the additional pair will allow the sensor to get to the above 1 Gbps monitoring.
    If the 4260 is not able to keep up with the traffic, then an upgrade to a 4270 using the same deployment setup may be necessary.
    NOTE: This also assumes that only the left or right path is actively passing traffic at any one time. If both paths are passing traffic, then asymmetric traffic patterns can result. If asymmetric traffic is seen, then another deployment should be considered, or special configuration placed on the sensors.
    NOTE: This setup only works when a single sensor is used within the etherchannel (1 sensor on each etherchannel, 2 sensors in your diagram because you have 2 etherchannels).
    You cannot place 2 sensors in the same etherchannel (that would mean 4 sensors in your diagram).
    This is because the balancing being done from the lower switch cannot be guaranteed to match that being done from the top switch. A mismatch in balancing could lead to asymmetric patterns.
    With a single sensor, the same virtual sensor sees all traffic regardless of which interface the packet comes in on, so a single sensor is fine. But with 2 sensors, the client traffic might get sent to a different sensor than the server traffic.

  • IPS 4240 ATTACK DETAILS

    Dear All,
    The following are the attack details I received from the customer. Before contacting Cisco I posted here for your answers.
    Date= 2007/02/16
    Time= 22:44:13 Arab Standard Time
    SIGID= 5081:0
    5326:0
    SIGNAME= WWW WinNT cmd.exe Access
    Root.exe access
    Victime= 192.168.100.1
    AttackerAddress= 214.139.200.1
    Please, how can I solve this issue?
    swamy

    Edward,
    Thanks for your info. I will contact the customer and discuss those things.
    Also I want to know the following about the IPS in-line
    setup.
    1. The IPS is connected behind the firewall (PIX 525) in in-line mode. An interface pair was created and 2 interfaces were made members of the pair. I assigned the pair to the engine. Here I did not do any tuning of the signature configuration; all the signatures are enabled as default. As soon as the IPS was placed in the network in-line it stopped the network from going out; when I put it in bypass mode it is working. Please could you give the basic config to make the IPS work in in-line mode. The inside network is the one with 3 networks (192.168.100.0, 101.0, 102.0).
    The IPS inside interface sits in the 192.168.100.0 network; the other 2 networks are in 2 VLANs of the core switch 4507R. The IPS outside interface is in line with the PIX firewall failover pair. The firewall pair's outside connects to the internet router 3825 to the internet using ADSL.
    I want to know how to choose the signatures that are only required for the internal networks also.
    Waiting for your reply
    Thanks in advance
    swamy
