Deploying Cisco IDS 42xx appliances with network taps

Hi all

Does anyone have experience deploying IDS 42xx (4235 and 4215) appliances with network taps (e.g. the Finisar UTP IT Tap/1)? I deployed several IDS appliances a few months ago using the Finisar taps and thought they worked fine, until I discovered that I am capturing only one side of the traffic, due to the nature of the taps! It seems that I need to put another network card in the IDS appliance (a Cisco 4235), but is that possible? Is there a way I can turn on channel bonding or EtherChannel on the 4235?

The last option, I think, if the ideas above are not possible, is to put in another switch and mirror the two ports from the tap, but that doesn't look good from a cost standpoint...

Suggestions are most welcome!

Thank you

Kian Wei

Monitoring network taps with a Cisco IDS appliance is not officially supported by Cisco.

That said, however, several customers have successfully deployed with taps.

Taps, as you've seen, have two outputs.

If the tap is placed on the link between hosts A and B, one output carries the traffic from A to B and the other carries the traffic from B to A.

To analyze the tapped traffic, the sensor needs to see both outputs.

You could do this by connecting the tap outputs to a switch and then spanning the two ports to the IDS sensor's monitoring port.

Or you may be able to use a second interface on the sensor itself.

The IDS-4235, IDS-4250 and IDS-4215 can be upgraded with a 4-port 10/100 card, for a total of 5 sniffing ports.

If the link you are tapping is a 10 Mb or 100 Mb link, then purchase the 4-port 10/100 card for the sensor and connect the two tap outputs to two of the ports on the NIC.

NOTE: The sensor combines incoming packets on all interfaces and treats them as if they are part of the same network.

You just need to place all interfaces in 'Group 0' and set each sniffing interface to 'enabled'.

Here is the part number for the 4-port 10/100 card:

IDS-4FE-INT=

Refer to the installation guide for more information on how to install the card and configure the sensor:

http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids10/hwguide/index.htm

Now, if the link you are tapping is a 1 Gig copper or fiber link, then you will need to buy a switch to combine the two outputs from the tap and span them to the sensor's sniffing port.

Cisco currently offers no additional copper Gig cards.

Cisco offers a single-port fiber Gig card for the IDS-4250-SX, but you can't place two of these cards in the sensor.

Cisco also offers a dual-port fiber Gig card, known as the XL card. The XL card has hardware acceleration for monitoring at the faster speeds. However, the XL card does not currently work with taps.

So if you are tapping a 10/100 link, try the 4-port 10/100 card, but if you are tapping a Gig link, then you will need a switch to aggregate the two outputs.

What some users have also done is to use the switch and not bother with the tap at all.

They connect host A and host B to the switch, and then span the traffic to the sensor's port.
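The one-sided capture the original poster ran into can be shown on a small scale. The following is an added example written for this thread, not Cisco code: it models a passive tap between hosts A and B (each tap output carries one direction only), writes each output as a classic pcap file, and then merges both captures by timestamp, which is what the sensor does when both sniffing interfaces sit in Group 0, or what a switch SPAN session does when it aggregates both tap outputs. A sensor fed a single output never sees a complete TCP handshake; the merged stream does. The hosts, ports, timestamps and frames are constructed for the demo.

```python
"""Why both outputs of a tap must reach the sensor (added example, not Cisco code)."""
import heapq
import struct
from typing import List, Tuple

Packet = Tuple[int, int, bytes]  # (ts_sec, ts_usec, Ethernet frame)

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Ethernet/IPv4/TCP frame, no options, no payload, checksums left zero (demo only)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> Tuple[str, str, int]:
    """Return (src_ip, dst_ip, tcp_flags) for an IPv4/TCP frame."""
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, frame[14 + ihl + 13]


def write_pcap(packets: List[Packet]) -> bytes:
    """Serialise packets as a classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in packets:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes) -> List[Packet]:
    """Parse a classic pcap file (either byte order) back into packets."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    packets, off = [], 24
    while off < len(data):
        sec, usec, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        packets.append((sec, usec, data[off:off + caplen]))
        off += caplen
    return packets


def tap_split(session: List[Packet], a_ip: str) -> Tuple[List[Packet], List[Packet]]:
    """Model a passive tap: output 1 carries A->B only, output 2 carries B->A only."""
    a_to_b = [p for p in session if parse_frame(p[2])[0] == a_ip]
    b_to_a = [p for p in session if parse_frame(p[2])[0] != a_ip]
    return a_to_b, b_to_a


def merge_captures(*captures: List[Packet]) -> List[Packet]:
    """Interleave per-interface captures by timestamp (what Group 0 / mergecap do)."""
    return list(heapq.merge(*captures, key=lambda p: (p[0], p[1])))


def handshake_complete(packets: List[Packet]) -> bool:
    """True only if SYN, SYN/ACK and ACK are all seen, in order."""
    wanted = [TCP_SYN, TCP_SYN | TCP_ACK, TCP_ACK]
    stage = 0
    for _, _, frame in packets:
        if stage < 3 and parse_frame(frame)[2] == wanted[stage]:
            stage += 1
    return stage == 3


# Constructed session: three-way handshake between A and B.
A, B = "10.0.0.10", "10.0.0.20"
SESSION: List[Packet] = [
    (1000, 100, build_tcp_frame(A, B, 40000, 80, TCP_SYN)),
    (1000, 200, build_tcp_frame(B, A, 80, 40000, TCP_SYN | TCP_ACK)),
    (1000, 300, build_tcp_frame(A, B, 40000, 80, TCP_ACK)),
]
OUTPUT_1, OUTPUT_2 = tap_split(SESSION, A)          # the tap's two outputs
ONE_SIDED_PCAP = write_pcap(OUTPUT_1)               # sensor cabled to one output
MERGED_PCAP = write_pcap(merge_captures(OUTPUT_1, OUTPUT_2))  # both outputs combined

if __name__ == "__main__":
    print("one tap output only, handshake seen:", handshake_complete(read_pcap(ONE_SIDED_PCAP)))
    print("both outputs merged,  handshake seen:", handshake_complete(read_pcap(MERGED_PCAP)))
```

The same check is a quick field test for a tap deployment: capture on the sensor's sniffing interface with tcpdump for a minute and confirm that you see SYN/ACKs as well as SYNs; if only one direction shows up, the second tap output is not reaching the sensor.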

Tags: Cisco Security

Similar Questions

  • Re: the upgrade of Cisco IDS version 4.0 to 5.0

    Dear Happs / marcabal

    I have an IDS 4215 running version 4.1(1), details attached. I want to upgrade it to 5.0 and then 6.0. So I am installing the 5.0(1e) S149 major upgrade first, to get to the first 5.0 release.

    The following is written in the readme file for the service pack IPS-K9-maj-5.0-1e-S149.rpm.pkg:

    "For IDS-4215, you must also make sure that you have upgraded the BIOS to version 5.1.7 and the ROMMON to version 1.4."

    So I downloaded the upgrade utility mentioned above; however, I need to know the following:

    (1) How do I check the current BIOS and ROMMON version on the IDS?

    (2) To upgrade the BIOS and ROMMON version, can I use my desktop (Windows XP), from which we manage the IDS remotely over a leased line, as the TFTP server, or do I need a local host (in the IDS's own network range) to act as the TFTP server?

    (3) Also, please let me know how I can find the IDS 4.0 license, and if no license is available, can we still upgrade to version 5.0?

    There is no license in version 4.x; licenses started only in version 5.0.

    You can upgrade your 4215 to version 5.1 or 6.0 without a license.

    The minimum BIOS and ROMMON versions are easily found on CCO.

  • General Cisco IDS questions

    We are evaluating deploying a Cisco NIDS on our network. Someone told me that the Cisco IDS solution is based on NT (?). Say it isn't so!

    Also, can the IDS module or the NIDS detect common IIS attacks like buffer overflows, directory traversal, Code Red/Blue, etc.? Can the IDS in the PIX firewall detect these attacks?

    Thanks for your time.

    With the 4.0 code, all sensors that support that code run Linux, including the stand-alone sensors and the new IDSM-2.

    In the older 3.0 code, the stand-alone appliances ran Unix, while the sensor blade for the 6500 ran Windows.

    Here is a link to the chapter on the signature engines in the 4.0 code:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids9/idmiev/swappa.htm

    This will give you an excellent overview of the power of the IDS 4.0 signature engines and the list of signatures, which includes most of the signatures you mention above.

    Hope this helps,

    Peter

  • What layer are FI in the Cisco hierarchical network design model?

    What layer are FI in the Cisco hierarchical network design model?

    Is this a straightforward question? We have a Nexus 7k for our core and port-channel the FIs to it. So to me it is the distribution layer.

    But for attaching to the Isilon NAS devices we use N3Ks between the FI and the N7K. Would this make the N3K and the FI both part of the distribution layer? It wouldn't be considered that layer, however, as it does no ACLs etc., which usually belong to the distribution layer.

    I was wondering what people's thoughts are on it. Are the UCS FIs a 'one off' in the 3-layer model?

    Thank you!

    Craig

    FIs can sit at your distribution layer or at the access layer. I've seen deployments done either way, depending on the size of the UCS cluster and the network bandwidth. The distribution layer is usually where all the layer 3 magic happens (routing, ACLs, QoS, FW, policy enforcement, etc.), and with UCS being strictly layer 2, it could be classified as an access-layer device.

    Designs are flexible, and as long as you account for oversubscription properly, you should be fine with either deployment option.

    I hope others will share their ideas.

    Kind regards

    Robert

  • IDS network module

    Can someone tell me if the Cisco IDS network module (NM-CIDS) can capture VLAN traffic, or whether it can only capture the traffic passing through it? If it is possible, how do I do it?

    Hi Biao,

    The NM-CIDS module gets traffic on its sniffing interface from the router it is installed in. The sensing interface is not connected to a switch, so a SPAN configuration can't be used.

    You need to enable packet monitoring on the router interfaces you want (including subinterfaces). You can select any number of interfaces or subinterfaces to monitor. The packets sent and received on those interfaces are passed to the NM-CIDS for inspection. Enabling and disabling the interfaces is configured through the router's CLI (Cisco IOS). So there is no way for you to capture the switch's VLAN traffic.

  • Cisco IDS 4215 signature update

    Hello everyone,
    We have a few Cisco IDS 4215s and would like to know whether, when upgrading signatures, we can remove the previously released ones, or whether the earlier ones should not be removed.

    System information for these devices:

    ***

    TAC-contact information
    URL: http://www.cisco.com/public/support/tac/home.shtml/
    Phone: 1 (800) 553-2447

    Sensor up-time is 110 days.
    Platform: IDS-4215-4FE-K9
    Boot partition: application

    Partition: application
    Build version: 6.0(6)E3
    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S439.0   2009-09-30
        Virus Update        V1.4     2007-03-02
    OS Version:             2.4.30-IDS-smp-bigphys
    Applications
        MainApp             N-NUBRA_2009_JUL_15_01_10_6_0_5_57   2009-07-15T01:15:08-0500   ipsbuild   Running
        AnalysisEngine      N-NUBRA_2009_JUL_15_01_10_6_0_5_57   2009-07-15T01:15:08-0500   ipsbuild   Running
    Upgrades installed
        IPS-K9-6.0-6-E3             installed July 15, 2009 18:48:06
        IPS-sig-S439-req-E3.pkg     installed October 6, 2009 13:07:55
    Next lower upgrade:
    Recovery partition
        Build version: 1.1 - 6.0(6)E3

    PEP UDI chassis
        Description    IPS 4215 sensor unit
        PID            IDS-4215-4FE-K9
        VID            V01
        SN             88808513168

    Memory usage
        usedBytes  = 377655296
        freeBytes  = 132685824
        totalBytes = 510341120

    Disk usage
        Application data using 33.2 MB of 166.8 MB available disk space (21% usage)
        Boot using 37.6 MB of 68.6 MB available disk space (58% usage)
        Application log using 529.5 MB of 2.8 GB available disk space (20% usage)

    ***

    Many thanks in advance,

    Luca

    Luca;

    Signature updates are cumulative, so you can simply apply the S493 update. A caveat, however: if you need to make a big jump in signature release (say S470 to S493), it is usually more effective to make smaller updates (especially on a low-memory platform like the IDS-4215).

    Scott

  • Cisco IDS 4.1 sensors in HA? Monitoring packet drops?

    Hello

    Can someone tell me if Cisco IDS sensors provide high availability or failover capabilities? If so, how and where is it configured?

    Is there any form of notification of packet drops when the sensor starts dropping packets under full load?

    Hello

    IDS sensors do not provide high availability or failover capability.

    Under high load, the sensor can be configured to alert with signature 993, which states "packet dropout rate exceeded the threshold". The threshold is set by default to 5% (total dropped packets / total packets received in a time interval). You must enable this signature, as it is disabled by default.

    Hope this helps

    Thank you

    Madhu

  • Cisco IDS vs Websense

    I have a PIX firewall running and I'm trying to install a Cisco IDS appliance.

    I want to know if Cisco IDS and/or the PIX can give me as much control over Internet access as Websense.

    I know that Websense has 29 basic content categories that can be used to block outgoing traffic, while the PIX and IDS are basically about restricting incoming traffic and classifying actions as attacks, respectively.

    I have to justify whether or not we need Websense along with the Cisco IDS, and would appreciate your comments.

    You're talking about two different animals here. Websense looks at the URL the user uses to access sites. Based on the policies defined in Websense, the URL is allowed or denied. The PIX sends the URL to the Websense server before allowing the connection to the server. The IDS decodes packets and doesn't care what the URL is. You will need both systems for better protection.

    I don't recommend Websense. I carried out an audit of a Websense server and it blocks all URLs, and I saw problems with the reporting function. A better product is Vericept.

  • Disabling the Cisco AnyConnect Network Access Manager filter driver

    I hope this is the right community to post this in.

    I was wondering if it is possible to script disabling the "Cisco AnyConnect Network Access Manager Filter Driver" for a LAN connection?

    By comparing the registry before and after it is manually unchecked via Control Panel -> Network and Internet -> Network Connections -> Local Area Connection, I came up with:

    :: Remove the Cisco AnyConnect Network Access Manager filter driver
    :: from the LAN adapter's filter list
    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage" /v FilterList /f

    :: Import the Cisco AnyConnect Network Access Manager filter driver
    :: into the filter list, excluding the LAN adapter
    reg import linkage-no-lan.reg

    :: Remove the Cisco AnyConnect Network Access Manager filter driver
    :: from the network config of the LAN adapter
    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Network" /v Config /f

    :: Import the Cisco AnyConnect Network Access Manager filter driver
    :: into the network config, excluding the LAN adapter
    reg import network-no-lan.reg

    :: Remove the LAN adapter from the list of adapters on which the
    :: Cisco AnyConnect Network Access Manager filter driver is used
    reg delete "HKLM\SYSTEM\CurrentControlSet\services\acnamfd\Parameters\Adapters\{77197E43-5875-469F-A3A5-A97F63A32E0A}" /f

    This disables the 'Cisco AnyConnect Network Access Manager Filter Driver' on the Local Area Connection, but it does not automatically switch to my wireless connection. However, if I manually uncheck the 'Cisco AnyConnect Network Access Manager Filter Driver', the connection automatically changes to my wireless.

    The end result I'm looking for is to be able to use a wireless connection and at the same time be able to use the Local Area Connection when I connect directly to some work equipment to download firmware files.

    Any thoughts would be greatly appreciated.

    Thank you.

    Hi Paul,

    Instead of hacking the registry, you can use nvspbind.exe for this task. You can download the tool here. It will also handle NAM's automatic interface mode.

    https://Gallery.technet.Microsoft.com/Hyper-V-network-VSP-bind-cf937850

    Disable: nvspbind.exe /d "Wireless Network Connection" csco_acnamfd

    Enable: nvspbind.exe /e "Wireless Network Connection" csco_acnamfd

    Thank you.

  • How to monitor a Cisco IDS 4215 (version 6.0)?

    Hello

    I am new to this IDS and need an inexpensive or open-source way to collect and store the logs from this device. It seems that the unit can only store a day or two of its own logs, and I need to keep one year. I have Red Hat Linux machines at my disposal, but can use Windows machines or other flavours of Linux if necessary. It would be great if I could just have this thing log to a file on a Linux server on the local network. I can then set up scripts to view and create reports on the logs.

    I installed IDM on my Windows desktop and can connect to the IDS, but I don't see a way to collect logs, trigger alerts by e-mail or create reports. Is there something Cisco offers (without additional purchase) for this?

    Thank you

    Paul

    For e-mail alerts, you can use IPS Manager Express http://www.cisco.com/en/US/products/ps9610/index.html. I think it will handle up to 10 IPS sensors.

  • E4200 basic question: how do I know what devices are on the network and get their IPs?

    I went through all the controls in Cisco Connect and the router's advanced settings and have been unable to find out what is connected to the wireless router and their IP addresses. Cisco Connect tells me there are 7 devices connected, and that's it.

    Could someone please point me to a FAQ/manual explaining how to do this?

    Thank you very kindly.

    Go to your router configuration page (http://192.168.1.1), then go to the Status tab, then the LAN sub-tab. Click on the DHCP Client Table button.

  • 0x80070035 and 0x80004005 error codes when trying to connect to other computers and devices on the same network; unable to connect to shared devices.

    I have a network consisting of Windows 7 laptops, an XP laptop and a Linksys (Cisco) WRT610N wireless router with storage attached to it via its USB port. From Windows 7 PC A I can see and access the other computers and the storage device. From Windows 7 PC B I cannot connect (via the file manager) to PC A or the NAS storage. I get error codes such as 0x80070035 and 0x80004005 when trying to connect by IP address or by device name. When I ping the devices from PC B I have no trouble reaching them.

    I turned off all firewalls, added LMHOSTS file entries and tried a myriad of other things, and still cannot connect from PC B to the devices. I can surf the net fine and do everything else; I simply cannot connect to the other devices, even though those other devices can connect to me.

    I have been in IT for 22 years and have worked as an engineer on major networks, and this network has me stumped. Anyone got any ideas? I checked all the basics such as NetBIOS, file sharing, etc.

    It took a reinstall (upgrade) to actually get it working again.

  • Unknown device on a home network

    I have a Cisco modem and connect my laptop to the same wireless network, which is one connection, but I have a "?" on my network and it's an unknown device... what or who is this?

    Log into the router and try to find a page that lists the connected devices. Remove the devices you can identify, then look at the unknown items. Most routers will list the MAC address of each unit, so note the first three pairs of characters of any unidentified one. Go to this site http://www.coffer.com/mac_find/ and enter the recorded values; it will tell you which manufacturer the MAC address has been assigned to.

    Typical findings include mobile phones, tablets, games consoles and satellite receivers. These frequently do not identify themselves correctly.

  • SNMP devices through Cisco TMS

    Hello

    I have some devices (2 CTS 3010, CUCM, VCS-C and 3 other systems) managed by a Cisco TMS. I want to monitor all devices with a network/system management tool like HP OpenView.

    Is it possible to let TMS act as an SNMP server / trap receiver and forward the received traps to the network management tool? In other words, is there a way to configure trap forwarding in TMS?

    On TMS, I configured the IP address of HP OpenView under the network configuration, but it doesn't seem to work.

    On CUCM, I configured the IP address of TMS as the trap receiver.

    Thanks in advance

    Hello

    TMS only uses SNMP traps for older systems (MXP, classic TANDBERG). SNMP traps from newer systems (C series, CTS, MX, E20, SX20 etc.) and infrastructure products (CUCM, VCS, MCU, gateways) are ignored by TMS. (It's not mentioned in the documentation, but I'll look into getting that clarified.) So no, you can't configure trap forwarding in TMS.

    But why do you need TMS to send the traps to an external system; couldn't your endpoints send the traps directly to the external network management tool?

    Kind regards

    Kjetil

  • Timed access on a single network device to control Ethernet access?

    I have a network running on an AirPort Extreme as the base station with a Time Capsule and an AirPort Express used to extend the network in my house (see photo).

    I set time limits for our son using AirPort Utility in the past with great success. However, since he started online gaming, he has begun connecting to the Time Capsule using the Ethernet port instead, which we have now discovered is not controlled by the time limits in AirPort Utility because it uses the Ethernet connection.

    What I want to know is whether I can now set time limits to control access to the Time Capsule itself. I already added a control using the MAC address I found in AirPort Utility (listed as Wi-Fi location, Channel 9). Or should I use the Ethernet MAC address? (see photo below) Will setting time limits work for just that one device?

    No, sorry, timed access only works on wireless clients.

    If you want more controls, you need a better router than the Apple one.
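For the "Cisco IDS 4215 signature update" thread above: before applying a signature package it is worth reading the sensor's current level and memory headroom off its `show version` output, since Scott's advice is to take a low-memory 4215 up in smaller hops rather than one big jump. The following is an added example written for this page, not Cisco tooling. SAMPLE is a constructed, tidied copy of the output Luca posted (same values); the engine suffix E3 comes from the posted package name IPS-sig-S439-req-E3.pkg; the 10-level maximum hop in update_path() is an assumption chosen for illustration, not a figure from the thread.

```python
"""Read an IPS sensor's signature level and memory use from 'show version' text.

Added example for this thread, not Cisco tooling. SAMPLE is constructed from
the posted output; the max_step default is an assumption (the thread gives
no number, only the advice to step rather than jump on a low-memory 4215).
"""
import re
from typing import Dict, List

SAMPLE = """\
Sensor up-time is 110 days.
Platform: IDS-4215-4FE-K9
Build version: 6.0(6)E3
Signature Update S439.0 2009-09-30
Virus Update V1.4 2007-03-02
usedBytes = 377655296
freeBytes = 132685824
totalBytes = 510341120
"""

ENGINE = "E3"  # engine level, taken from the posted package name IPS-sig-S439-req-E3.pkg


def parse_show_version(text: str) -> Dict[str, object]:
    """Pull the fields an operator checks before a signature update."""
    def grab(pattern: str, conv=str):
        m = re.search(pattern, text, re.MULTILINE)
        return conv(m.group(1)) if m else None

    info: Dict[str, object] = {
        "platform": grab(r"^Platform:\s*(\S+)"),
        "build": grab(r"^Build version:\s*(\S+)"),
        "signature_level": grab(r"^Signature Update\s+S(\d+)", int),
        "signature_date": grab(r"^Signature Update\s+S[\d.]+\s+(\S+)"),
        "used_bytes": grab(r"^usedBytes\s*=\s*(\d+)", int),
        "total_bytes": grab(r"^totalBytes\s*=\s*(\d+)", int),
    }
    used, total = info["used_bytes"], info["total_bytes"]
    info["memory_pct"] = round(100 * used / total) if used and total else None
    return info


def update_path(current: int, target: int, max_step: int = 10) -> List[int]:
    """Signature levels to install, in order, never jumping more than max_step.

    Updates are cumulative, so every level in the list is a valid stopping
    point; the intermediate hops only limit how much one update must process.
    """
    if target <= current:
        return []
    return list(range(current + max_step, target, max_step)) + [target]


def package_names(levels: List[int], engine: str = ENGINE) -> List[str]:
    """Package file names in the form seen on the sensor: IPS-sig-S<level>-req-<engine>.pkg."""
    return [f"IPS-sig-S{lvl}-req-{engine}.pkg" for lvl in levels]


if __name__ == "__main__":
    info = parse_show_version(SAMPLE)
    print(f"{info['platform']} {info['build']}: S{info['signature_level']} "
          f"({info['signature_date']}), memory {info['memory_pct']}% used")
    for name in package_names(update_path(info["signature_level"], 493)):
        print("  apply", name)
```

The same parser run across a fleet of sensors gives a quick list of which ones lag the current signature level, and the memory figure flags the 4215s (512 MB total here, three quarters of it in use) where stepping the update is worth the extra reboots.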
