02-17-2011 11:49 AM - edited 03-10-2019 05:16 AM
Hello Members,
I have an IPS-NME-K9 module installed in my router, but it seems that it does not receive any packets from the router. Here is the config for the IDS-Sensor interface and the interface from which I'd like to send traffic to the sensor.
interface GigabitEthernet0/0
description CONNECTION TO MPLS BACKBONE
no ip address
duplex full
speed 100
no cdp enable
!
!
interface GigabitEthernet0/0.100
description CONNECTION TO VRF VRF100
encapsulation dot1Q 100
ip vrf forwarding VRF100
ip address 172.16.2.14 255.255.255.248
ids-service-module monitoring inline access-list 100
no cdp enable
!
interface GigabitEthernet0/0.103
description CONNECTION TO VRF200
encapsulation dot1Q 103
ip vrf forwarding VRF200
ip address 172.16.11.6 255.255.255.248
ip flow ingress
ip flow egress
ids-service-module monitoring inline access-list 100
access-list 100 permit ip any any
And here are the statistics from the module.
# show statistics virtual-sensor
Virtual Sensor Statistics
Statistics for Virtual Sensor vs0
Name of current Signature-Defintion instance = sig0
Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor = GigabitEthernet0/1 subinterface 0
General Statistics for this Virtual Sensor
Number of seconds since a reset of the statistics = 10137
MemoryAlloPercent = 51
MemoryUsedPercent = 49
MemoryMaxCapacity = 614400
MemoryMaxHighUsed = 432128
MemoryCurrentAllo = 317667
MemoryCurrentUsed = 302192
Processing Load Percentage = 1
Total packets processed since reset = 0
Total IP packets processed since reset = 0
Total IPv4 packets processed since reset = 0
Total IPv6 packets processed since reset = 0
Total IPv6 AH packets processed since reset = 0
Total IPv6 ESP packets processed since reset = 0
Total IPv6 Fragment packets processed since reset = 0
Total IPv6 Routing Header packets processed since reset = 0
Total IPv6 ICMP packets processed since reset = 0
Total packets that were not IP processed since reset = 0
Total TCP packets processed since reset = 0
Total UDP packets processed since reset = 0
Total ICMP packets processed since reset = 0
Total packets that were not TCP, UDP, or ICMP processed since reset = 0
Total ARP packets processed since reset = 0
Total ISL encapsulated packets processed since reset = 0
Total 802.1q encapsulated packets processed since reset = 0
Total packets with bad IP checksums processed since reset = 0
Total packets with bad layer 4 checksums processed since reset = 0
Total number of bytes processed since reset = 0
The rate of packets per second since reset = 0
The rate of bytes per second since reset = 0
The average bytes per packet since reset = 0
Thanks for your feedback,
Alex
02-22-2011 02:22 PM
I can't locate the config guide, but I'm fairly certain that the ACL describes the traffic that will NOT be forwarded to the module (daft but true). The "permit ip any any" is steering all traffic away from the module.
Matthew
02-22-2011 02:25 PM
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliAIM.html#wp1044942
Step 4 (Optional) Configure a monitoring access list on the router:
router(config)# access-list 101 permit tcp any eq www any
You can set up a standard access list and apply it to filter what type of traffic you want to inspect. A matched ACL causes traffic not to be inspected for that ACL. This example bypasses inspection of HTTP traffic only. Refer to your Cisco IOS Command Reference for more information on the options for the access-list command.
Matthew
02-22-2011 02:30 PM
Hi Matthew,
I have the access-list
access-list 100 permit ip any any
and I can see the hits on the ACL. I believe it has something to do with the VRFs I have configured on the router.
Regards,
Alex
02-22-2011 02:56 PM
Hi Alex,
As Matthew mentioned previously, for the NME module, the access list defines what traffic will NOT be inspected.
If you want the NME to inspect all traffic, you should change the access-list to DENY all traffic.
So, change it into "access-list 100 deny ip any any" in order to inspect all traffic.
Thanks,
Stijn
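The point Matthew and Stijn make, and the quoted configuration guide confirms, is that the ACL referenced by `ids-service-module monitoring inline access-list` is a bypass list: a flow that matches a permit entry is NOT handed to the sensor, and everything else (including whatever falls through to the implicit deny at the end of the ACL) is inspected. The following Python model is an added example, not code from the thread or from Cisco; it parses a handful of IOS-style access-list lines (the three ACLs that appear in this thread, plus a wildcard-mask entry) and reports which of a set of constructed sample flows the NME would actually see. The flow addresses, the port-keyword table and the function names are assumptions made for the illustration.

```python
"""
Added example (not from the thread or from Cisco): a small model of how the
ACL named in `ids-service-module monitoring inline access-list <n>` is applied.
A flow that MATCHES a permit entry bypasses the sensor; a flow that matches a
deny entry, or nothing at all (implicit deny), is inspected.
Sample flows, port keywords and helper names below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Subset of the IOS port keywords accepted after "eq" (assumed table for the example).
WELL_KNOWN_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Flow:
    proto: str          # "ip" is never a flow protocol; entries use it as a wildcard
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Parse an IOS address spec: 'any' | 'host A' | 'A WILDCARD'. Return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a netmask: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port|keyword>' operator. Return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (WELL_KNOWN_PORTS[p] if p in WELL_KNOWN_PORTS else int(p)), i + 2
    return None, i


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def acl_matches(entries, flow):
    """First-match evaluation with the implicit deny at the end; return 'permit' or 'deny'."""
    for action, proto, src, sport, dst, dport in entries:
        if proto not in ("ip", flow.proto):
            continue
        if ipaddress.ip_address(flow.src) not in src or ipaddress.ip_address(flow.dst) not in dst:
            continue
        if sport is not None and flow.sport != sport:
            continue
        if dport is not None and flow.dport != dport:
            continue
        return action
    return "deny"


def inspected_flows(acl_lines, flows):
    """Return the flows the sensor would see: a 'permit' match BYPASSES inspection."""
    entries = parse_acl(acl_lines)
    return [f for f in flows if acl_matches(entries, f) == "deny"]


# Constructed sample traffic; addresses are private ranges chosen for the example only.
SAMPLE_FLOWS = [
    Flow("tcp", "10.1.1.10", "10.2.2.20", 40000, 80),   # HTTP request
    Flow("tcp", "10.2.2.20", "10.1.1.10", 80, 40000),   # HTTP reply (source port www)
    Flow("tcp", "10.1.1.10", "10.2.2.20", 40001, 22),   # SSH
    Flow("udp", "10.1.1.10", "10.2.2.53", 5000, 53),    # DNS
    Flow("icmp", "10.1.1.10", "10.2.2.20"),             # ping
]

if __name__ == "__main__":
    for acl in (["access-list 100 permit ip any any"],          # Alex's original: nothing inspected
                ["access-list 100 deny ip any any"],            # Stijn's fix: everything inspected
                ["access-list 101 permit tcp any eq www any"]):  # the guide's example
        print(acl[0], "->", len(inspected_flows(acl, SAMPLE_FLOWS)), "of", len(SAMPLE_FLOWS), "flows inspected")
```

Running it reproduces the thread's outcome: with `permit ip any any` no flow reaches the sensor (matching the all-zero counters in the `show statistics virtual-sensor` output), with `deny ip any any` every flow does, and the guide's `permit tcp any eq www any` exempts only TCP traffic whose source port is 80. A practitioner tuning a bypass ACL can drop their own entries and flows into the same functions to confirm what the sensor will and will not see before committing the change.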
02-22-2011 03:09 PM
Cool, thanks Stijn.
I should read better next time.
Regards,
Alex