Showing results for 
Search instead for 
Did you mean: 


Community Manager
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Charlie Stokes about Intrusion Prevention Systems. Charlie works as an Intrusion Prevention Systems (IPS) technical marketing engineer and has been a network security specialist for over eight years. Charlie came to Cisco as part of the Wheelgroup acquisition in 1998 that brought Intrusion Detection Systems (IDS) technology into Cisco. After the acquisition, he worked in the Technical Assistance Center (TAC) for two years covering the Security and VPN products. Since 2000, Charlie has been covering IDS/IPS products as the lead technical marketing engineer.


Remember to use the rating system to let Charlie know if you have received an adequate response.


Charlie might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 10, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

65 Replies 65



I have 2 4255s installed at 2 sites inline with pix firewalls (between the inside interface and the switch). I want to block all P2P file sharing but my question is about Bittorrent connections.

I configured signatures 11020, 11030, and 11031 to block attacker inline but swap attacker victim. I did this so that the external and not the internal IP addresses were added as active host blocks. Additionally, I have those 3 signatures configured to deny connection inline and deny packet inline (and alert). Probably overkill but that's how I have it.

My problem is that it looks like Bittorrent connections are still getting through the 4255s. The reason for my suspicion is I'm seeing lots of response connections being blocked inbound at the pix external interface.

Some additional information - for Bittorrent connections, MARS shows the green "S" in a circle which means that MARS interprets these as system false positives.

Also, many (but not all) of the blocked return connections have a source port of 6881 but all have a destination port of 60235.

I know the inbound block connections are caused by the Bittorrent outbound connections since they ONLY occur when outbound Bittorrent activity exists. The graph in MARS verifies this and they taper off over time.

Any ideas on this would be appreciated.


Frank C.


Hi Charlie,

I am looking to get a higher volume of data through my IDS’s. It has been suggested by our Cisco engineer that we consider using EtherChanel load balancing to get a greater throughput than 1Gb. My questions have to do with aggregating several sources of information into the EtherChanel load balancer and being able to parse that data out later.

How easy/difficult would it be to use the IPS’s capability to manage the data flow on several different gateways and keep each gateway’s (vlan pair) data separate (separately reportable) if the separate vlan pairs are trunked to the Etherchanel?

Using Etherchanel load balancing, how would you shun on one device versus another or do you have to apply the same rules to all shunning devices?

Can you discuss any future plans, if any, to provide a virtual IDS/IPS appliance kind of like the FWSM for firewalls?

Say you have a 3 vlans you want to do IPS inspection on (1,2, and 3) and that you connected those vlans into the network using new vlans (11, 21 and 31) where 1 is bridged to 11 and 2 to 21 and 3 to 31 using IPS. Now if you had 4 sensors that were all grouped together into an Etherchannel group, and were all configured to watch the same sets of vlan pairs (1<->11, 2<->21, 3<->31), then the events that comes off the group would all have the vlan information in the event itself and those events could be sorted by this vlan information. So regardless of the sensor, if the vlan pair information was 1<->11, then the event came from that pair.

EcLB for devices in an Etherchannel changes somewhat since only one sensor can actually control a network device at the same time (at the same ACL inspection point). So if you had 4 sensors that you wanted to use to shun on one router, you would need to take advantage of the Master Blocking Sensor functionality. As to makeing changes across multiple devices, that is done automatically and it is global and applied to all configured blocking points (network devices).

Not real sure about virtual IPS appliances. If you are referring to modules that do IPS, the IDSMv2 does IPS today using either 5.0 or 5.1 code. If you are asking about virtualized configuration support as first showed up in FWSM but is part of all Pix 7.0, ASA 7.0 and FWSM devices today, then that is on the committed roadmap for the future. Specific dates I can't release on this forum, but feel free to ping your account team about this question.