MDS 9222i IPS configuration

Hi,
I'm trying to configure my 4 port IPS, and am running into some peculiar situations that I can't seem to find resolution on.
I want to dedicate 2 of the 4 ports for iSCSI and the other 2 for FCIP. I'd like to bond 2 ports to support one IP addr, but am having a hard time doing that as well. When I try to add a GE port to a channel, it gives me a port not compatible message. Could it be possible that GE IPS ports cannot be added to a port channel? The Cisco guide is rather vague, as it only gives instructions on how to do it. Any insight would be helpful.
TIA.

Ken,
The IPS-4 is End of Sale, I'm not sure about the IPS-8 but it may also be End of Sale. You are correct, for FCIP redundancy, the best option is to create multiple tunnels, each using 1 GE interface, and then port-channel them together. If possible, use GE ports on different line cards so that if a line card reloads (like during an upgrade) the entire port channel will not be affected. All GE ports will flap during an upgrade; they are not 'non-disruptive', but if the FCIP port channel is spread across multiple line cards, it will stay up while the individual links flap 1 at a time during the upgrade. As for iSCSI, the best option is to use iSLB and load balance multiple incoming iSCSI connections across several GE ports. There really is no longer a need to bundle the GE ports, as the only time it was useful was for iSCSI prior to iSLB (which is iSCSI server load balancing).
Hope this helps,
Mike

Similar Messages

  • Configuring MDS 9222i and portchannels

    Trying to wrap my head around how a MDS 9222i is configured.  We have 2 of them and will be implementing FCIP.  I found a great document on FCIP and all of that and feel comfortable there.  However, connecting the MDS 9222i slightly confuses me.  I am assuming I can use all 4 of the 1Gbps copper ports.  Is this a correct assumption?  Can I use a portchannel/etherchannel configuration for this on the MDS?
    Any help would surely be appreciated.  Thank you.

    Ok, you guys were on the right track, but for anyone else who comes across this issue, there are some things that were not clearly noted (or maybe I read over them) in the guide posted here:
    http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/clibook.html
    Basically, the MGMT port is required to get access to the device. From there, I set up the gig ports, which require separate IPs for each one that I want to uplink and for each FCIP configuration.
    interface GigabitEthernet1/1
      ip address 10.123.10.201 255.255.255.0
      switchport description Core Link connection
      no shutdown
    interface GigabitEthernet1/2
      ip address 10.123.10.202 255.255.255.0
      switchport description Core Link connection
      no shutdown
    interface GigabitEthernet1/3
      no shutdown
    interface GigabitEthernet1/4
      no shutdown
    interface mgmt0
      ip address 10.111.2.200 255.255.0.0
    From there, had to configure the FCIP connection:
    fcip profile 1
      ip address 10.123.10.201
      tcp max-bandwidth-mbps 30 min-available-bandwidth-mbps 20  round-trip-time-ms 5
    fcip profile 2
      ip address 10.123.10.202
      tcp max-bandwidth-mbps 30 min-available-bandwidth-mbps 20  round-trip-time-ms 5
    interface fcip1
      use-profile 1
      peer-info ipaddr 10.198.10.201
      channel-group 1 force
      no shutdown
    interface fcip2
      use-profile 2
      peer-info ipaddr 10.198.10.202
      channel-group 1 force
      no shutdown
    That's really it. The default gateway needed to be on the same subnet/VLAN as the Gigabit interfaces, NOT the mgmt interface. Found that out the hard way, but that wasn't a big deal to figure out.
    From there, run the following command:
    sho fcip sum
    Tun prof    Eth-if    peer-ip       Status T W T Enc Comp  Bandwidth   rtt
                                               E A A            max/min    (us)
    1   1    GE1/1      10.198.10.201    TRNK  Y N N  N   N       30M/20M  5000
    2   2    GE1/2      10.198.10.202    TRNK  Y N N  N   N       30M/20M  5000
    But that was it.  Thanks for the help.
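    As an added check written for this page (not code from the thread or from Cisco), the Python below parses the running-config fragment and the `show fcip summary` output posted above and reports, per FC port-channel, which GE interfaces and which line-card slots it depends on. The point Mike makes at the top of the page is that each tunnel should ride its own GE port and the tunnels should be spread over more than one line card, or a module reload takes the whole port-channel down. The sample inputs are copies of the text posted above; reading the slot number out of the GE<slot>/<port> interface name is an assumption about the naming on a 9222i.

```python
"""Report what each FCIP port-channel depends on, from an MDS running-config
and 'show fcip summary' (example added for this page, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample input: copies of the config fragment and the
# 'show fcip summary' output posted above (descriptions omitted).
RUNNING_CONFIG = """\
interface GigabitEthernet1/1
  ip address 10.123.10.201 255.255.255.0
  no shutdown
interface GigabitEthernet1/2
  ip address 10.123.10.202 255.255.255.0
  no shutdown
fcip profile 1
  ip address 10.123.10.201
fcip profile 2
  ip address 10.123.10.202
interface fcip1
  use-profile 1
  peer-info ipaddr 10.198.10.201
  channel-group 1 force
  no shutdown
interface fcip2
  use-profile 2
  peer-info ipaddr 10.198.10.202
  channel-group 1 force
  no shutdown
"""

FCIP_SUMMARY = """\
Tun prof    Eth-if    peer-ip       Status T W T Enc Comp  Bandwidth   rtt
                                           E A A            max/min    (us)
1   1    GE1/1      10.198.10.201    TRNK  Y N N  N   N       30M/20M  5000
2   2    GE1/2      10.198.10.202    TRNK  Y N N  N   N       30M/20M  5000
"""


def parse_config(text):
    """Return {fcip_if: {'profile': n, 'channel_group': n, 'peer': ip}}."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                 # a new top-level block
            m = re.match(r"interface (fcip\d+)$", line)
            current = tunnels.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:                      # GE or 'fcip profile' block
            continue
        for field, pat in (("profile", r"use-profile (\d+)"),
                           ("channel_group", r"channel-group (\d+)"),
                           ("peer", r"peer-info ipaddr (\S+)")):
            m = re.match(pat, line)
            if m:
                current[field] = m.group(1) if field == "peer" else int(m.group(1))
    return tunnels


def parse_fcip_summary(text):
    """Return {tunnel_number: (eth_if, peer_ip, status)} from 'show fcip summary'."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\d+\s+(GE\d+/\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            rows[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return rows


def check_redundancy(config_text, summary_text):
    """Per channel-group: member tunnels, GE interfaces, line-card slots and the
    two weak spots Mike describes (two tunnels on one GE, all GEs on one card).
    The slot is read from the GE<slot>/<port> name (assumed naming)."""
    tunnels = parse_config(config_text)
    summary = parse_fcip_summary(summary_text)
    groups = defaultdict(list)
    for name, t in tunnels.items():
        if "channel_group" in t:
            groups[t["channel_group"]].append(name)
    report = {}
    for group, members in groups.items():
        eth_ifs, slots, not_trunking = [], set(), []
        for name in sorted(members):
            eth_if, _peer, status = summary.get(int(name[4:]), (None, None, "MISSING"))
            if status != "TRNK":
                not_trunking.append(name)
            if eth_if:
                eth_ifs.append(eth_if)
                slots.add(int(eth_if[2:].split("/")[0]))
        report[group] = {
            "members": sorted(members), "eth_ifs": eth_ifs,
            "slots": sorted(slots), "not_trunking": not_trunking,
            "shared_ge": len(set(eth_ifs)) < len(eth_ifs),
            "single_line_card": len(slots) <= 1,
        }
    return report


if __name__ == "__main__":
    for group, r in check_redundancy(RUNNING_CONFIG, FCIP_SUMMARY).items():
        print(f"port-channel {group}: {r}")
```

    Run against this post's config it reports port-channel 1 on GE1/1 and GE1/2, both trunking, with `single_line_card` set, since all four fixed GE ports of the 9222i sit on slot 1; the same check flags a tunnel that is not in TRNK state or two tunnels that were pointed at the same GE port.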

  • Interconnecting Cisco MDS 9222i to the HP C-Blade enclosure VC-FC Virtual Connect module

    Hi,
    Has anyone had the experience of interconnecting the Cisco MDS 9222i to an HP Blade system through the VC-FC Virtual Connect module?
    When I connect my MDS switch to the module, the VC-FC ports don't log in to the MDS. Could I be missing something? I have configured the MDS to use the default VSAN 1 and tried configuring the ports as F-ports but nothing worked; even with the port mode set to auto they still take on the F-port role and still the VC-FC module doesn't log in.
    Your help and support will be appreciated
    jerrysimila

    I want to use the CLI, though I also have Fabric Manager at my disposal. Would you kindly share a sanitised version of your running config for the MDS that does the FCIP replication to the DR? I'll see if I can make head or tail of it, then if I face any challenge I will holler at you. You can email me [email protected]
    My set up is as follows: I've got 2 MDS 9222i at the primary site in active-standby mode, one connects to the active VC while the other connects to the standby VC of the blade system. Then I have a similar set up for the DR. The good thing is that I am first setting everything up here in my data centre, then testing before sending the configured equipment to the DR. So I have much freedom to get dirty with the equipment, and it's not a live environment yet.
    Kindly let me know the step-by-step procedure for setting up FCIP.

  • Port-Channel issue between UCS FI and MDS 9222i switch

    Hi
    I have a problem between a UCS FI and MDS switch port-channel. When MDS-A is powered down the port-channel fails, but the UCS blade vHBA does not detect the failure of the port-channel on the UCS FI and leaves the vHBA online. However, if there is no port-channel between FI-->MDS it works fine.
    UCS version   
    System version: 2.0(2q)
    FI - Cisco UCS 6248 Series Fabric Interconnect ("O2 32X10GE/Modular Universal Platform Supervisor")
    Software
      BIOS:      version 3.5.0
      loader:    version N/A
      kickstart: version 5.0(3)N2(2.02q)
      system:    version 5.0(3)N2(2.02q)
      power-seq: Module 1: version v1.0
                 Module 3: version v2.0
      uC:        version v1.2.0.1
      SFP uC:    Module 1: v1.0.0.0
    MDS 9222i
    Software
      BIOS:      version 1.0.19
      loader:    version N/A
      kickstart: version 5.0(8)
      system:    version 5.0(8)
    Here is the config from MDS switch
    Interface  Vsan   Admin  Admin   Status          SFP    Oper  Oper   Port
                      Mode   Trunk                          Mode  Speed  Channel
                             Mode                                 (Gbps)
    fc1/1      103    auto   on      trunking         swl    TF      4    10
    fc1/2      103    auto   on      trunking         swl    TF      4    10
    fc1/9      103    auto   on      trunking         swl    TF      4    10
    fc1/10     103    auto   on      trunking         swl    TF      4    10
    This is from FI.
    Interface  Vsan   Admin  Admin   Status          SFP    Oper  Oper   Port
                      Mode   Trunk                          Mode  Speed  Channel
                             Mode                                 (Gbps)
    fc1/29     103    NP     on      trunking         swl    TNP     4    103
    fc1/30     103    NP     on      trunking         swl    TNP     4    103
    fc1/31     103    NP     on      trunking         swl    TNP     4    103
    fc1/32     103    NP     on      trunking         swl    TNP     4    103
    Any thoughts on this?

    Sultan,
    This is a recently found issue and is fixed in UCSM version 2.0.3a.
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua88227
    which was duped to CSCtz21585
    It happens only when the following conditions are met:
    FI in End host mode
    FC uplinks are configured for port-channel + trunking
    Certain link event failures (such as abrupt power loss of the upstream MDS switch)
    Padma

  • About MDS 9222i config port-channel

    dear everyone~
      in project ,i need config  MDS 9222i use 4 FCIP interface connect to 7606S 4 GE port for port-channel feature,but in MDS9222i i use port-channel commad ,cannot run。
    how can i config it?
    thinks~

    Hi Sun,
    Ethernet PortChannels are not supported on MSM-18/4 modules and 9222i IPS modules.
    You can place the fcip interfaces in a fibre channel port-channel instead.
    Regards,
    David

  • SSM IPS Configuration

    I have a couple of questions regarding the ASA that deal with the SSM module.
    I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?
    Also, on the ASA factory default configuration there is a service-policy defined as:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    But, if I define a global service-policy for the SSM I would lose this default service-policy as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so, do I lose this functionality by applying a global service-policy for IPS?
    Sorry for the length of the post and thanks for your help in advance.

    The configuration in the IPS User's Guide is just one method for settings up the ASA to send packets to the SSM.
    It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM, and the ASA is not doing any of its firewall functionality.
    This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic ( a rare deployment in the field ).
    If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:
    ips inline|promiscuous fail-open|fail-close
    Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.
    In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails, then simply add the line "ips inline fail-open" within the existing "class inspection_default".
    NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.
    The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.
    If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.
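    To make the advice above concrete, here is an added Python helper written for this page (not code from the thread or from Cisco). It parses an ASA policy-map/service-policy block, reports for each class of a bound policy whether its traffic reaches the SSM, in which mode and with which fail action, and applies the suggested one-line change by appending `ips inline fail-open` to `class inspection_default` without touching the inspect lines. The sample config is the factory-default global_policy quoted in the question, trimmed to three inspections.

```python
"""List which traffic classes of an ASA policy hand packets to the AIP-SSM and
with what failure action, and apply the one-line change the answer suggests
(example added for this page, not from the thread or from Cisco)."""
import re

# Constructed sample: the factory-default global_policy quoted in the question,
# with the inspect list trimmed to three entries.
DEFAULT_POLICY = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect esmtp
service-policy global_policy global
"""


def parse_policy(config):
    """Return ({policy: {class: [action lines]}}, [(policy, scope)])."""
    policies, bindings = {}, []
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"policy-map (\S+)$", line)
        if m:
            policy, cls = policies.setdefault(m.group(1), {}), None
            continue
        m = re.match(r"service-policy (\S+) (global|interface \S+)$", line)
        if m:
            bindings.append((m.group(1), m.group(2)))
            policy = cls = None
            continue
        if not raw[:1].isspace():             # any other top-level command
            policy = cls = None
            continue
        if policy is None:
            continue
        m = re.match(r"class (\S+)$", line)
        if m:
            cls = policy.setdefault(m.group(1), [])
        elif cls is not None:
            cls.append(line)
    return policies, bindings


def ssm_coverage(config):
    """For each class of each bound policy: SSM mode ('none' if the class never
    reaches the module), fail action, and how many inspect actions it keeps."""
    policies, bindings = parse_policy(config)
    report = {}
    for name, scope in bindings:
        for cls, actions in policies.get(name, {}).items():
            mode, fail = "none", "n/a"
            for action in actions:
                m = re.match(r"ips (inline|promiscuous) (fail-open|fail-close)", action)
                if m:
                    mode, fail = m.groups()
            report[(name, scope, cls)] = {
                "ssm_mode": mode, "fail_action": fail,
                "inspections": sum(a.startswith("inspect ") for a in actions)}
    return report


def add_ips_action(config, policy, cls, action="ips inline fail-open"):
    """Append an ips action to the named class of the named policy-map,
    leaving its existing inspect lines in place."""
    out, cur_policy, cur_cls, cls_indent = [], None, None, 0
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if cur_policy == policy and cur_cls == cls and indent <= cls_indent:
            out.append(" " * (cls_indent + 1) + action)   # leaving the class
            cur_cls = None
        if indent == 0:
            m = re.match(r"policy-map (\S+)$", line)
            cur_policy, cur_cls = (m.group(1) if m else None), None
        elif cur_policy is not None:
            m = re.match(r"class (\S+)$", line)
            if m:
                cur_cls, cls_indent = m.group(1), indent
        out.append(raw)
    if cur_policy == policy and cur_cls == cls:              # class ended the file
        out.append(" " * (cls_indent + 1) + action)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    patched = add_ips_action(DEFAULT_POLICY, "global_policy", "inspection_default")
    print(patched)
    for key, info in ssm_coverage(patched).items():
        print(key, info)
```

    Before the change the single class shows `ssm_mode: none`; after it, `inline`/`fail-open` with the three inspections still counted. The same report makes the question's concern visible: a config that replaces global_policy with a bare ips-policy (as in the "Help with first time IPS configuration" post further down this page) gives a class that reaches the SSM inline but keeps zero inspections, and global_policy itself is no longer bound.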

  • SNMP or MDS 9222i stopped working

    Ok,
    Got two MDS 9222i switches and by some act of craziness both have stopped responding to SNMP requests. As such our monitoring tools cannot get to them. Worse still, Fabric Manager cannot manage them and I cannot connect to them via ssh1 or ssh2 or telnet.
    I've removed the ssh and snmp settings and re-added them. The switch will work for around 30 seconds, then drops the connection, and when you try to reconnect it times out.
    commands removed and added
    no telnet server enable
    ssh key rsa1 1024 force
    ssh server enable
    snmp-server contact ******
    snmp-server location ******
    snmp-server community ******group network-operator
    snmp-server community ****** group network-admin
    snmp-server community ****** group network-admin
    snmp-server user admin network-admin auth md5 0xa36756487c540124176681454b62af3f priv 0xa36756487c540124176681454b62af3f localizedkey
    I've removed the names and replaced with ******, also have run no commands to remove then readded.
    Like I said, once the settings are there it will work for 30 seconds or so then crap out.
    Running version 3.3(1a)
    Any insight would be greatly appreciated, will be upgrading kickstart and version to 4.1.1c this weekend but wanted to find the issue at hand first.
    Thanks

    So you have the same symptom of SSH and FM not working with a crossover cable? Not sure how ACS would work if you had a crossover cable in place to your PC, because the ACS server would not be reachable from the MDS. It should drop to local auth and use the local user database.
    Can you try to ping the MDS mgmt IP address with the cable not connected? Just to verify there is no duplicate IP address on the network? Set up a continuous ping and let it run for over a minute if all looks good. At the 1 minute mark, unplug the mgmt 0 cable and verify that the pings now timeout.
    I cannot think of anything internally that would affect both SSH and SNMP. They are totally different processes. You mentioned it is a 9222i, so there is no chance that the sups are crashing and you are hitting a sup rollover that causes the disconnect.
    You may want to attach a local console (PC with HyperTerm or TeraTerm) to the console port on the MDS and monitor the event logs. Perhaps there is some event occurring that might explain the odd behavior.
    If you do attach the local console, you may want to collect a 'show tech support' in case this needs to be worked by TAC.
    Thanks,
    Mike
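    Since the posted config shows the management plane itself (an SSH protocol 1 host key, SNMPv1/v2c communities bound to the network-admin role, and an SNMPv3 user with MD5 and default privacy), here is an added audit script, written for this page and not taken from the thread or from Cisco, that flags those settings in an MDS running-config. The sample is the masked block above; the `******` placeholders stand in for the real strings.

```python
"""Flag weak management-plane settings in an MDS (SAN-OS/NX-OS) running-config
(example added for this page, not from the thread or from Cisco)."""
import re

# Constructed sample: the lines posted above, secrets masked with ****** as in
# the post; the SNMPv3 localized keys are the ones shown there.
SAMPLE_CONFIG = """\
no telnet server enable
ssh key rsa1 1024 force
ssh server enable
snmp-server contact ******
snmp-server location ******
snmp-server community ****** group network-operator
snmp-server community ****** group network-admin
snmp-server community ****** group network-admin
snmp-server user admin network-admin auth md5 0xa36756487c540124176681454b62af3f priv 0xa36756487c540124176681454b62af3f localizedkey
"""

# user, role, auth algorithm, auth key, optional 'aes-128', optional priv key
SNMP_USER = re.compile(
    r"snmp-server user (\S+) (\S+) auth (md5|sha) (\S+)(?: priv( aes-128)? (\S+))?")


def audit_mgmt_plane(config):
    """Return [(severity, finding)] for the management-plane lines of config."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    if "telnet server enable" in lines:
        findings.append(("high", "telnet server enabled: logins cross the network in clear text"))
    for line in lines:
        m = re.match(r"ssh key (rsa1|rsa|dsa) (\d+)", line)
        if m:
            algo, bits = m.group(1), int(m.group(2))
            if algo == "rsa1":
                findings.append(("high", "SSH protocol 1 host key (rsa1): replace with 'ssh key rsa 2048'"))
            elif bits < 2048:
                findings.append(("medium", f"{algo} host key is only {bits} bits"))
        m = re.match(r"snmp-server community \S+ group (\S+)", line)
        if m:
            role = m.group(1)
            sev = "high" if role == "network-admin" else "medium"
            findings.append((sev, f"SNMPv1/v2c community with role {role}: the community string "
                                  "is the only secret and travels in clear text"))
        m = SNMP_USER.match(line)
        if m:
            user, _role, auth, auth_key, aes, priv_key = m.groups()
            if auth == "md5":
                findings.append(("medium", f"SNMPv3 user {user}: MD5 authentication, prefer SHA"))
            if priv_key is None:
                findings.append(("high", f"SNMPv3 user {user}: no privacy, requests readable on the wire"))
            elif not aes:
                findings.append(("medium", f"SNMPv3 user {user}: DES privacy "
                                           "(the default when 'aes-128' is not given)"))
            if priv_key == auth_key:
                findings.append(("low", f"SNMPv3 user {user}: auth and priv localized keys are "
                                        "identical, so one passphrase serves both"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_mgmt_plane(SAMPLE_CONFIG):
        print(f"[{sev:6}] {msg}")
```

    On the posted lines it reports the rsa1 key, the three communities (two with write access through network-admin) and the MD5/DES user, and notes that both localized keys are identical. The corresponding fixes on SAN-OS/NX-OS are `ssh key rsa 2048 force` in place of the rsa1 key, removing the v2c communities once the pollers are on v3, and recreating the user with `auth sha ... priv aes-128 ...`; whether any of that clears the 30-second disconnect is a separate question, and the console-log capture Mike suggests is the right way to answer it.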

  • Cisco MDS 9222i 10G Module DS-X9704 supports FCoE

    Hi, does the Cisco MDS 9222i 10G module DS-X9704 support FCoE? I saw IP over FC in the data sheet of this module but not FCoE.
    Thanks
    Abhilash

    Also, can this 10G interface work as an Ethernet port and not just a Fibre Channel port?

  • CISCO 2851 with IPS configuration

    Hi guys, I'm planning to do an IOS IPS configuration on a newly purchased 2851 router; the spec is as below:
    CISCO2851-HSEC/K9
    CISCO 2800 AdvanceIPservice :Version 12.4(15)T10
    64MB CF default
    512DDR DRAM
    My problem right now is, when I tried to configure the IPS feature, SDM Express ver 2.5 doesn't have the IPS tab that allows me to configure it. I noticed and highly suspect that this is due to the express version of SDM, instead of the full/enhanced version of SDM. I tried to download the full version of SDM from Cisco; the file size is 14MB, and my current CF free space is only 7MB. The IOS itself has used up 51MB. So I'm going to advise my customer that running IPS on the router is not possible due to the limited CF size. Can someone who has experience in IPS correct me if I'm wrong? I'm fresh in the security area.
    PS: I know a workaround is to install CSM on a workstation and then configure and manage this router from there.
    Thanks

    Hi Collin,
    Thanks for your advice. I did read through the configuration that you posted. One line which I'm not clear about is:
    "copy flash:/IOS-S302-CLI.pkg idconf"
    Where is this idconf? Is it a flash folder or somewhere else? Why do we need to copy the signature file to this idconf? Or, my guess, does this idconf refer to "flash:/ips"?
    regards,

  • Should I upgrade MDS 9222i and MDS 9124 that both have SANOS 3.3.2 to 3.3.5?

    Hi guys,
    I have 2 MDS 9222i, 2 MDS 9124 and 10 MDS Blades Switches (IBM Blades) all have SANOS 3.3.2.
    All those switches are attached to external drives (IBM DS4800). IBM requested to upgrade this DS4800 firmware level, but in order to do that they told me that I need a new SANOS. I plan to upgrade it to SANOS 3.3.5; can someone tell me if this SANOS works alright? Or what SANOS do you recommend?
    Thanks in advance

    The Cisco TAC will always defer to your original storage provider when asked which image to run, as they (the original storage providers) qualify our images for use with their devices.
    Regards,
    Ken

  • MDS 9509,9222i & 9234 configuration with HP System Insight Manager

    I have enabled HTTPS (cimserver) using a dummy SSL certificate. Still, my central management server (HP SIM) doesn't recognize the switch as a Storage Switch.
    when i run the identification query, it stops at " CIM_RegisteredProfile"

    I know there might be issues with cimserver and different versions of SMI-S solutions. SAN-OS 3.2 uses 1.1 and 3.3 and above uses 1.2. The changes are considerable and can make some SMI-S system not work well. I don't know if NX-OS is supported yet.
    I don't use HP SIM so I really can't say for sure but its worth checking on what is supported.

  • IPS configuration promiscus mode(fail-open) assistance/troubleshooting

    Hi all ,
    I have 2 ASAs configured in active/standby failover mode. I want to configure IPS in promiscuous mode with a fail-open configuration.
    I have not connected the IPS to any PC through the management port.
    I can access the IPS through the ASA (5520) using session 1 and am able to do basic configuration using setup.
    After configuring, when I try to log in through ASA ASDM (IPS tab on the home page of ASA ASDM) it asks for an IP (management or other IP). I am trying to access the IPS with the IP (192.168.3.74) configured in the IPS using the initial setup (192.168.3.74/27, 192.168.3.65) and also added an access-list allowing 192.168.3.0/24.
    ASA inside IP subnet: 192.168.3.64/27
    ASA DMZ IP subnet: 192.168.1.0/24
    Let me know if I need to assign the IPS IP from the DMZ range or the inside range?
    Do I need to set up the same IP for the IPS in both ASA modules?
    Let me know if I can connect to the IPS from ASA ASDM using some IP (192.168.3.74) configured through setup on port 443?
    What access-list should I add in the IPS or ASA if required?
    While setting up the IPS the first time using the setup command I am not able to see the unused/monitored interface (g0/1) so that I could add both interfaces, which should show as per the Cisco doc. What may be the reason?
    IPS 6.0
    ASA(5520) 7.24
    ASDM 5.24
    Regards
    Amardeep

    You need to configure the interface properly and plug it into the network.
    The second interface is displayed differently in the AIP-SSM, as this is a local/internal connection to the ASA.
    Regards
    Farrukh

  • IOS IPS configuration

    Hi all,
    I am implementing IOS IPS on a 3800 router, but I am not sure if, when I enable it, all the previously active TCP sessions across the router will be dropped by the inspect (because the IPS never saw when all those sessions started).
    Any comments are really appreciated.

    Some clarifications:
    1. The fail closed option is not configured by default. The default option is fail open.
    2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in the 4.x signature format, and the basic and advanced categories in the 5.x signature format). Those are the recommended starting point when configuring router-based IOS IPS. They have about 300 and 500 signatures respectively.
    3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. During the compilation process the process CPU is normally high, but it won't affect data plane traffic passing through the router.
    Hope this helps,
    -Chris

  • ASA 5520 IPS configuration

    Dear boss
    I have an ASA 5520 with IPS in my data center. I am using it for routing and access lists. It is running and all my 80 branches are running on it.
    Now I want to enable IPS.
    How do I start it?
    When I click on IPS in graphic mode it asks for an IP. What should it be?
    What is the procedure?
    Is there any risk in enabling it during business hours?
    Please tell me the details.
    Thanking You
    shahid

    Hi,
    To learn more about configuring IPS on the ASA firewall, the URL below will help you:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
    Regards,
    MK

  • Help with first time IPS configuration

    I just installed an AIP-SSM module in our ASA 5520 firewall (protecting a school district). I successfully configured it to scan all traffic sent both directions with the following config:
    access-list IPS extended permit ip any any
    class-map ips-class
    match access-list IPS
    policy-map ips-policy
    class ips-class
    ips inline fail-open
    no service-policy global_policy global
    service-policy ips-policy global
    I also configured it to Deny Attacker Inline when RR=75-100. Figured that was a simple configuration to get things started. However, we noticed that some websites were running very slowly after I implemented these settings. What is causing this?
    I guess the other option would be to reconfigure to only scan incoming traffic initiated from the outside to help protect the district from incoming attacks. But I thought it would be more responsible of me to configure it to scan both ways to protect external hosts from an attack that a student could initiate from a school computer. Is this really necessary or am I creating headaches for myself?

    Thanks for your response. I found DocID 71204 and based on that I modified the IPS config as follows:
    access-list IPS permit ip interface outside any
    class-map ips-class
    match access-list IPS
    policy-map ips-policy
    class ips-class
    ips inline fail-open
    service-policy global_policy global (put the default back)
    service-policy ips-policy interface outside
    But now the IPS doesn't appear to be doing anything, so I must have done something wrong. I modified signatures 2000 and 2004 with an RR=100 so that any incoming pings should be seen as a high-level attack and the incoming IP denied. If I go back to the original config this test works, but not with this config (which according to the Cisco doc should send any incoming traffic initiated from outside to the IPS).
