Showing results for 
Search instead for 
Did you mean: 


Cisco IPS and Cisco Mars rollout


I am preparing to roll out ISP on 38 x cisco 2911 routers. I have a cisco Mars device and i intend to setup logging on the routers so the IPS traffic will be logged to cisco mars.

I have cisco 2800 routers on the network but have been told that i need to upgrade them to 2911's to take advantage of the latest ios software needed for up to date signatures.  Not sure how accurate this.

I am looking for a few hints to see if i am going about this the right way

This is a summary of the steps i think i need

1) Download IOS IPS signature package files and public crypto key from
2) configure the crypto key used by IOS IPS onto your Cisco 2911 router
3) Enable IOS IPS on the 2900 ROUTER (i have steps for this)

The plan is to Configure the IPS on a router using cisco SDM and the save this config to noetpad and paste it into all the routers out on site.

4) Load IOS IPS Signature packages to the router

5) Add the IP address of the routers into Cisco Mars and log traffic to cs mars device

prerequisites: CCO contract so i can get the signature updates from this site

any advice is welcome



Cisco Employee


Let's take a step back.

First of all I geuss it's best to run this question by your SE(s).

Second of all considering you already own 2800 series you might look into getting AIM or NME IPS modules instead of swapping everything to 2900 and running IOS IPS.

Of course different pricing/throughput info apply.

AIM/NME IPS modules do not consume router's CPU and are in fact (logically) a separate device.

2900 have much more CPU/mem to burn.

In my experience, I have not found anyone recommending running IOS IPS in big deployment. Then again maybe I've not been talking to right people :-)




What about CS Mars.  Have you heard of anyone using this product.  I thought the idea was to enable IPS on each router and push the syslog traffic back to the CS Mars device?





MARS is used quite extensively, especially in enterprises.

That being said, I need to warn you.

IPS can work no probelm in tandem with MARS, via different mechanisms. SDEE/traps/logs just to name a few.

Indeed the IOS IPS might be the cheaper of the solutions, in which case the more powerful hardware the better.

IPS appliances will usually provide a bit more features (global correlation) and separation of roles/hardware (to some extent).



Since you already have your MARS appliance, there would be no reason not to use it for collection/correlation of your IOS-IPS events.

IPS Event retrieval (even for IOS IPS) is done by the MARS box using the SDEE protocol.  This is the same protocol/method used for communication with standalone IPS appliances.  This communication is separate from the syslog and/or SNMP reporting, which are used for the general router logging or monitoring.

So, your router will be communicating with MARS using both SDEE (for IPS) and syslog/SNMP (or both).

Kevin O' Hare wrote:

I have cisco 2800 routers on the network but have been told that i need  to upgrade them to 2911's to take advantage of the latest ios software  needed for up to date signatures.

Are you considering replacing your 28xx routers, or have the new routers already been purchased?

It's not clear in your original message whether or not you have already purchased the 2911 routers you mentioned.   

I think that the person who provided this information was confusing IOS-IPS with the IPS modules (AIM-IPS, NME-IPS).  The AIM-IPS is only supported on the 28xx/38xx platform, using the IOS 12.4T release train.  The NME-IPS, however, is supported on both x8xx and x9xx platforms.  The 29xx routers will provide increased performance with IPS in IOS, but it's not a requirement.

In the end, if you are talking about 38+ routers, adding modules might not be feasible.  Keep in mind that the software IPS takes up additional resources on the router.  If not configured properly, it can reduce performance, sometimes significantly.  Be cautious when rolling it out the feature, and closely monitor performance on your routers.



We are running it on 16 sites with 2811 routers at the moment.  We are just pricing the 2911's but havent upgraded just yet.

So its IOS-IPS on the routers that i am interested in.  We dont have a seperate module on the router, we just role out the config for IPS, drop the signature file on the router and point it to cs mars.  Seems to be working so far.


  • I have download a recent signature package - IOS-S556-CLI.pkg
  • I copied it to flash on a test router and I can access it via CLI or SDM
  • I have setup my router and put in all the config for IPS

How do i extract all the signatures from IOS-S556-CLI.pkg to an sdm file similar to 256MB SDF which has 500 signatures?

Router with IOS-S556-CLI.pkg

#sh ip ips signatures

Builtin signatures are configured

Signatures were last loaded from flash:/ips/IOS-S556-CLI.pkg

Cisco SDF release version S0.0

Trend SDF release version V0.0


*=Marked for Deletion WF=WantFrag                    Trait=AlarmTraits

MH=MinHits             AI=AlarmInterval               CT=ChokeThreshold

TI=ThrottleInterval   AT=AlarmThrottle               FA=FlipAddr

Total Active Signatures: 0

Total Inactive Signatures: 0

But if I change it back to Router with 256MB I can see 537 signatures

#sh ip ips signatures

Builtin signatures are configured

Signatures were last loaded from flash:/ips/256MB.sdf

Cisco SDF release version 256MB.sdf V10

Total Active Signatures: 537

Total Inactive Signatures: 0



Hi Better Use AIM card that is more enogh for you i think and also MARS is already EOL So in future you have to change the logging as well.(Up to 2016 cisco support will be thr).


Content for Community-Ad