Need IPS guru

NAVIN PARWAL
Level 2

Folks,

I have been trying to get an answer to a question pertaining to IPS, but no one (not even TAC) has been able to give me a definite answer.

We have a core 6500 series switch with 10 Vlans defined. We have an IPS blade installed as well on the switch. In addition to monitoring all the internal Vlans in passive mode, I want it to inline prevent malicious activity for the traffic going in and out to the internet. CCO Docs say only 1 inline pair is supported at this time.

My question is whether I can use a trick to achieve my goal.

Basically have 2 Vlans as part of the inline pair. One vlan would have the port connecting the 6500 to the Pix firewall (6500----pix).

And the second Vlan would be the Layer 3 interface advertised as the default gateway on the switch to go out to the internet.

All traffic coming from the layer 3 interface and going to the pix firewall would be inspected inline by the blade.

Any comments or suggestions would be highly appreciated.


marcabal
Cisco Employee

You can Not monitor both promiscuous and inline with version 5.0 on the IDSM-2.

An interface can either be used in a promiscuous mode or in an Inline mode. In version 5.0 it takes 2 interfaces to do InLine monitoring (int 0/7 is paired with 0/8). The IDSM-2 only has 2 sensing interfaces, so it can not do both promiscuous monitoring and inline monitoring at the same time.

If you are willing to do just inline monitoring, then your setup of connecting 2 vlans with one vlan being for the Pix and the other vlan being for the switch/msfc layer 3 interface would be a good plan.

One issue you will run into, however, is that the switch has a feature called msfc autostate. If the msfc does not detect at least one other Link UP port in the vlan with its layer 3 interface, then it will automatically shut down its layer 3 interface. Some versions of the switch software (both Native IOS and Cat OS) will ignore the IDSM-2 ports when doing this check. So if the IDSM-2 is the only other port in the vlan, then the switch will shut down its layer 3 interface because it doesn't see a port with Link Up (IDSM-2 is ignored).

Upcoming switch versions should address this issue.

In the meantime there is a workaround where another port in that vlan is brought up and connected to another machine. That other machine could be just a simple PC providing link.

Future versions of the IDSM-2 may be able to do both promiscuous and inline monitoring at the same time.

Marco
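The two-Vlan inline-pair design described above, together with the autostate workaround, as an added configuration example that is not from the original thread or from Cisco's documentation; the IDSM-2 slot number, Vlan numbers, IP address and port names are assumptions, and the sensor-side commands are written from the IPS 5.0 CLI as understood by the editor:

```cisco
! --- Catalyst 6500, Native IOS (IDSM-2 assumed in slot 5; Vlans 100/200 assumed) ---
vlan 100
 name PIX-LINK
vlan 200
 name INET-GATEWAY
!
! The only physical port in Vlan 100 is the link to the Pix (port assumed)
interface GigabitEthernet1/1
 description Link to Pix inside interface
 switchport
 switchport mode access
 switchport access vlan 100
!
! Layer 3 interface advertised as default gateway to the internal Vlans (address assumed)
interface Vlan200
 ip address 10.1.200.1 255.255.255.0
!
! Workaround from the thread: keep a second Link UP port in Vlan 200 (a spare PC is enough)
! so msfc autostate does not shut the SVI down when it ignores the IDSM-2 ports
interface GigabitEthernet1/2
 description Autostate keepalive host
 switchport
 switchport mode access
 switchport access vlan 200
!
! IDSM-2 data port 1 in the Pix Vlan, data port 2 in the gateway Vlan
intrusion-detection module 5 data-port 1 access-vlan 100
intrusion-detection module 5 data-port 2 access-vlan 200

! --- IDSM-2 sensor CLI (IPS 5.0): pair 0/7 with 0/8 and assign the pair to vs0 ---
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# inline-interfaces pix-gateway-pair
sensor(config-int-inl)# interface1 GigabitEthernet0/7
sensor(config-int-inl)# interface2 GigabitEthernet0/8
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# logical-interface pix-gateway-pair
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
```

After applying, `show interface vlan 200` on the switch should report up/up; if it shows down because of autostate, the keepalive port above is what is missing.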

Marco,

Have you done this in the real world? I want to be 100% sure that I can use the IDSM-2 blade to monitor traffic (IPS) going out to the internet from internal Vlans and back.

I really wonder what the developers were thinking when they made IPS software for the IDSM blade and placed a restriction on it to do IPS functionality only between 2 Vlans. I wonder what the ideal scenario would be.

Thanks

I am a tester for the IDSM-2 here within Cisco.

So No I haven't done this on a live network, just in my lab network.

The reason for restricting version 5.0 to pairing just 2 vlans is because it is the first version to support inline monitoring. We wanted to be sure and thoroughly test the pairing of just 2 vlans with the first inline release.

Build a solid 1st story on the building, and the building won't fall down as you add 2nd, 3rd, and 4th stories.

Additional features to expand the InLine support on the IDSM-2 are coming out in future releases.

If there are some specific things you would like to see in these upcoming feature releases then let me know. I can pass them on to our Marketing team as feature requests if they are not already on our planned release schedule.

I wish you guys would allow pairing a Vlan not only with another Vlan but also with L3 GigE, FE or ATM interfaces, as usually the 'outside' interface of the switch is just that...
