IDS on switch

How should a switch and an IDS be configured so that all traffic on the switch can be monitored by the IDS?

Here you go:

http://www.Cisco.com/en/us/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

Regards

Farrukh

Tags: Cisco Security

Similar Questions

  • VACL vs. SPAN

    Hello

    I have a question about the IDSM-2 on the Cat 6500.

    Are there any performance issues with using VACL rather than SPAN?

    Thank you

    Graz.

    Actually, the material in the official Cisco Secure Intrusion Detection System (CSIDS) course, specifically Chapter 8 - IDSM setup, says that the IDSM-2 "provides an IDS solution in the switch, providing access to data via VACL capture, SPAN or RSPAN streams".

    It clearly indicates (as does the IDSM2 documentation - http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c95.html#wp589548) that ports 7 and 8 on the IDSM2 are the monitoring ports.

    They are able to handle up to 2 RX SPAN sessions, 4 TX SPAN sessions or 2 RX + TX SPAN sessions. The only caveats are that the total amount of spanned traffic may not exceed 600 Mbps and that the SPAN session limit restricts the number of ports in the Catalyst 6500 chassis that can have their traffic monitored. (NOTE: new info based on the information in the course manual)

    WRT VACL, Cisco says that VACL, while it is more difficult to configure than SPAN, is the preferred method of sending traffic to the IDSM2 "because it allows a subset of traffic to be copied and forwarded to the IDSM2, limiting the amount of traffic it must process and also potentially allowing traffic from additional ports in the chassis to be analyzed."

    Given this information, it would seem that VACL (when properly set up and used) is more powerful and less stressful for the IDSM2 than SPAN.

    Alex Arndt

  • Linked IDs could not be changed

    When I click on "MANAGE LINKED IDs", I get this error message:

    Sorry, this service is not available right now. If you have linked IDs, they will still be connected when service is restored. Help, please.

    Please help me get past this. I need to switch IDs in order to stop my account sending spam e-mail.

    Thank you.

    For updates on this topic, please see the following thread. Thank you.

    http://windowslivehelp.com/thread.aspx?ThreadId=d0777928-92De-46B4-BF93-3abe82736e14&page=2

  • Module IDS network

    Can someone tell me if the Cisco IDS network module (NM-CIDS) can capture VLAN traffic, or can it only capture the traffic passing through it? If it is possible, how do I do it?

    Hi Biao,

    The NM-CIDS module gets traffic on its sniffing interface from the router in which it is located. The sniffing interface is not connected to a switch, so the extended configuration cannot be used.

    You need to enable the interfaces you want (including subinterfaces) on the router for packet monitoring. You can select any number of interfaces or subinterfaces to monitor. The packets sent and received on these interfaces are passed to the NM-CIDS for inspection. Enabling and disabling the interfaces is configured through the router CLI (Cisco IOS). So there is no way for you to capture the switch VLAN traffic.

  • Basic IDS module configuration

    I have some basic configuration questions about an IDS module in a 3725 router.

    (NM-CIDS)

    1. Must the module's interface be configured as a normal interface like any other Fast Ethernet interface? If so, how do I get into the sensor's web configuration? I can't give the sensor an IP on the same subnet as another interface, so do I have to create a VLAN on my switch and install a new network adapter on a computer just to access the sensor?

    2. I want to use the sensor to monitor my internet connection. My internet comes in on the router where the sensor is, but not on the sensor interface. So I added the line "ids-service-module monitoring" on the internet interface. I'm now assuming that the sensor monitors this interface, but it can't block any IP address on it, can it? Can I use the sensor's interface as my internet connection? Will it route traffic to the router like any other interface?

    3. If the sensor has to be on its own subnet, I can't get the auto-update licensing, since this new subnet has no access to the internet.

    I must admit I'm a bit confused about the basics of this module. The documentation is clear on how to implement it and I did, I even upgraded the sensor to version 5.0, but the basic idea behind it and the basic configuration are not clear; it only tells me the reasons for the separate subnet.

    Can someone guide me in the right direction?

    My goal is to install the sensor on the company's internet connection, which is currently connected to a Fast Ethernet card on the router, and send events to a syslog server that I'm already monitoring.

    Thank you

    Bernard Magny

    The NM-CIDS has 2 interfaces you have to deal with.

    The internal interface on the router backplane, and an external interface that you can plug a cable into.

    In addition, the router has an interface on the backplane to the NM-CIDS. This router backplane interface and the internal interface of the NM-CIDS can be considered to be wired together.

    The simplest way to think of the NM-CIDS is as a PC that sits inside the router.

    It can easily be compared to an IDS appliance.

    The internal interface of the NM-CIDS is the sniffing interface. The NM-CIDS does not give this internal interface an IP address. It is used only for receiving packets from the router for monitoring and for sending TCP resets.

    The router has a backplane interface that corresponds to this internal sniffing interface of the NM-CIDS. You must give the router's NM-CIDS interface an IP address, but no traffic will ever really be "routed" to it. So most users will either assign a non-routable address or a loopback address, or share an address with another interface of the router.

    This address is NOT used to configure or control the NM-CIDS; using a non-routable loopback address is often the best thing to do.

    This router interface and NM-CIDS backplane interface can best be compared to a SPAN port on a switch that is monitored by an appliance.

    The "ids" command applied to a physical interface of the router is like "spanning" this interface.

    The "spanned" traffic is copied to the "span" destination port, which is the router's backplane interface to the NM-CIDS. Once these packets are copied to the router backplane for the NM-CIDS slot, the internal port of the NM-CIDS will sniff and analyze the packets.

    So the real packet comes in on one router interface and gets "routed" out another interface. If there is an "ids" command on one of these 2 interfaces then these packets will also be copied ("spanned") to the NM-CIDS for monitoring. So the NM-CIDS and the corresponding router backplane interface are not in the packet path and only get a copy of the packet.

    NOTE: Technically, the packet isn't "spanned" because "spanning" is only supported by a switch, but most users understand the concept. And the concept is what I'm trying to convey.

    Now the external port of the NM-CIDS is the command and control port. This is where you assign an IP address. Understand that this is NOT a router interface. It will not participate in routing protocols. All packets destined for this port will stop at the NM-CIDS.

    This port is best compared with the command and control port of an IDS appliance sensor. The port's address is used only to talk directly to the IDS sensor.

    So what address should you assign?

    The best method is to give it an address on your more secure internal network and physically place it in that network, just as you would for any other PC (or the command and control port of an IDS appliance).

    Since this NM-CIDS interface is not a router interface and does NOT participate in routing, it's OK for the router itself to have an interface on the same subnet and be connected to the same switch and the same VLAN as the external command and control interface of the NM-CIDS. In fact, that's exactly what most users do. In addition, the router's IP on that subnet is usually configured as the default gateway on the NM-CIDS for its command and control interface. If you think of the NM-CIDS as a PC, then it makes sense.

    Some customers may have a special network for the management of their security devices (usually only large companies). In these scenarios, the NM-CIDS command and control can be placed on a network that is not even routable by the router in which it is placed. It's pretty rare, but it is possible to do.

  • IDS 4215, good place for an interface sniff (LAN or DMZ)

    I have this sensor with only two interfaces at work, and I was asked to check it:

    IDSWORK# show version

    Application partition:

    Cisco Systems Intrusion Detection Sensor, Version 1.0000 S47

    OS Version 2.4.18-5smpbigphys-4215

    Platform: IDS-4215

    One interface, Ethernet 0, is connected to a switch in the DMZ, and Ethernet 1 is connected to a 4005 switch. Logically I have to monitor the DMZ, not the 4005 switch (since I have only two interfaces, in my case), am I right?

    That means that Ethernet 0 should be for sniffing (monitoring), since it is connected to the DMZ, and interface 1 for command and control, since it is connected to the 4005 switch, but according to Cisco's specifications

    http://Cisco.com/en/us/products/HW/vpndevc/PS4077/products_configuration_guide_chapter09186a008055df7d.html#wp1051279

    Table 5-2

    FastEthernet0/0: Interfaces supporting inline VLAN pairs (sensing port)

    FastEthernet0/1: Interfaces not supporting inline (command and control port)

    Note: Cisco mentions FastEthernet, mine has Ethernet, does that make any difference?

    Because I did not do this configuration, it was done by someone else, should I change this?

    It seems that your IDS comes with the basic ports (2 x Ethernet), with E0 as the C&C port while E1 is the monitoring port.

    BTW, Ethernet/FastEthernet ports are in fact the same.

    To monitor your DMZ segment, then, place E1 in that segment, and E0 on the inside segment where, besides managing the box through its web management or CLI interface, you can probably use the basic VMS that comes free with it.

    And since you have a dedicated switch hosting the entire DMZ segment, you can easily monitor (SPAN) everything and send all traffic to the IDS.

    If you need to change the configuration, you may need to test at least to verify which signatures are enabled/disabled, that the pc/mgt host is allowed to access the box, and so on. But it is good practice to audit and review the new config/setup, as it is a security zone you need to monitor, and you are talking about all possible threats, attacks or violations.

    HTH

    AK

  • The upgrade of Cisco IDS 4235

    Currently we are running 5.1.3 with S257. I know I'm behind and want to include the DST updates as well. If I go to 5.1.4 or 5.1.5, what version will I need to upgrade to for these service packs? Is 5.1.3 with S257 enough?

    Thank you

    Dwane

    You can go to 5.1(5). The minimum required for this upgrade is 5.0(1) for CLI and IDM users. This service pack includes the S272 signature update. With regard to IDS/IPS devices, it's always preferable to run the latest versions.

    Kind regards

    Maryse.

  • Connect FI two directly attach FCoE storage and SAN switches

    Can anybody tell me if I can connect two FIs to directly attached FCoE storage and also to SAN switches, as you can see in the attached network diagram?

    If so, should I use FC Switch Mode? Are there any concerns I should consider?

    Or the best solution would be appreciated. Thanks in advance.

    The UCS will be in FC Switch Mode, which means that it has a default zone. We cannot do a zone merge with Brocade because we have no control to set up specific items such as domain IDs and other FC items that need to be changed when you connect a Cisco FC switch to a Brocade.

    Usually in this situation with a 5k or an MDS you would put them in interoperability mode, which changes the default settings and lets them talk to each other - in this case you can't change these settings, so the only supported configuration is Cisco FC to Cisco.

    Cheers,

    Greg Scarlett.

  • Deployment device 42xx Cisco IDS network taps

    Hi all

    Does anyone have experience deploying IDS 42xx (4235 and 4215) appliances with network taps (e.g. Finisar UTP IT Tap/1)? I have several IDS appliances deployed a few months back using the Finisar taps, and thought it worked fine, until I discovered that I am capturing only one side of the traffic, due to the nature of the taps! It seems that I need to put another network card in the IDS appliance (a Cisco 4235), but is that possible? Is there a way I can turn on channel bonding or Etherchannel on the 4235?

    The last option, I think, if the ideas above are not possible, is to put in another switch and mirror the two ports from the tap, but that doesn't look good for the final cost...

    Suggestions are most welcomed!

    Thank you

    Kian Wei

    Monitoring network taps with a Cisco IDS appliance is not officially supported by Cisco.

    That said, however, several customers have successfully deployed with taps.

    Taps, as you've seen, have 2 outputs.

    If the tap is placed on the connection between machines A and B, one of the outputs will be for traffic from A to B, and the other will be for traffic from B to A.

    To analyze the tap, the sensor will need to see both outputs.

    You could do this by connecting the tap outputs to a switch and then spanning the 2 ports to the IDS sensor monitoring port.

    Or you may be able to use a second interface on the sensor itself.

    The IDS-4235, IDS-4250 and IDS-4215 can be upgraded with a 4-port 10/100 card, for a total of 5 sniffing ports.

    If the connection you are tapping is a 10Mb or 100Mb connection, then purchase the 4-port 10/100 card for the sensor and plug the 2 tap outputs into 2 of the ports on the network adapter card.

    NOTE: The sensor combines incoming packets on all interfaces and treats them as if they are part of the same network.

    You just need to place all interfaces in "Group 0" and select "no shutdown" for each sniffing interface.

    Here is the part number for the 4-port 10/100 card:

    IDS-4FE-INT=

    Refer to the installation guide for more information on how to install the card and configure the sensor:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids10/hwguide/index.htm

    Now if what you are tapping is a 1 Gig copper or fiber connection, then you will need to buy a switch to combine the 2 outputs from the tap and span them to the sensor's sniffing port.

    Cisco currently offers no additional copper Gig cards.

    Cisco offers a single-port fiber Gig card (SX) for the IDS-4250 but does not support placing 2 of these cards in the sensor.

    Cisco also offers a dual-port fiber Gig card, known as the XL card. The XL card has hardware acceleration for monitoring at faster speeds. However, the XL card does not currently work with taps.

    So if monitoring a 10/100 connection then try the 4-port 10/100 card, but if tapping a Gig connection then you will need a switch to aggregate the 2 outputs.

    What some users have also done is to use the switch and not bother with the tap.

    They connect machine A and machine B to the switch. Then they span the traffic to the sensor port.

  • Need for an IDS/IPS system for LAN users

    Hello

    I need to have an IDS/IPS for the users in my LAN. We have 3 x Cisco 6509 access switches with 4 VLANs, and I am looking for a system to detect activities such as port scans, IP scans and so on on the local network by desktops.

    Please advise me.

    Thank you

    Mike

    Hello

    VLAN SPAN is good, no problems at all, but I wouldn't 100% recommend going to IPS mode instead of IDS. It's the safer and more restrictive way.

    Regards

  • Supported VLAN ID-4250 or IDS-4250XL?

    Hello

    I am reviewing for the purchase of an IDS solution. One of the major concerns I have is the ability to monitor several VLANs (interfaces) and flows.

    I was looking through the IDS-4250 and IDS-4250XL specifications. The XL version has higher throughput than the 4250. What got me confused is that the XL version takes only one additional interface (1000Base-SX) while the standard version gives you the ability to have both 1000Base-SX and 4-port FE.

    Now, my question is, is it possible on the 2 devices to configure the monitoring interface to monitor multiple VLANs (with the help of a trunk), if all the VLANs are connected on one switch? Unfortunately buying an IDS module for the 6500 is out of the question since no 6500 switch is currently available.

    The IDS-4250-TX-K9 (aka IDS-4250) is the base chassis to which a single PCI card can be added (IDS-XL-INT=, IDS-4250-SX-INT=, IDS-4FE-INT=).

    If the IDS-XL-INT= (aka XL card) is added to the IDS-4250, the sensor would then become an IDS-4250-XL-K9 (aka IDS-4250-XL).

    NOTE: The IDS-4250-XL is not a separate chassis from the base; it is the same IDS-4250-TX-K9 with the IDS-XL-INT= already installed by manufacturing.

    The XL card has 2 fiber Gig interfaces with MTRJ fiber connectors of the SX type.

    The XL card adds hardware acceleration to the 2 fiber Gig interfaces (increases performance to 1 Gb of monitoring capacity).

    However, there is a limitation: with the XL card, only the 2 XL fiber interfaces can be used for monitoring.

    If the IDS-4250-SX-INT= (aka SX card) is added to the IDS-4250, the sensor would then become an IDS-4250-SX-K9 (aka IDS-4250-SX).

    The SX card has a single fiber Gig interface with an SC connector for the SX interface.

    With the IDS-4250-SX, users can sniff both the SX interface of the card and the standard onboard TX Gig sniffing interface, which gives a total of 2 sniffing interfaces.

    If the IDS-4FE-INT= (aka 4FE card) is added to the IDS-4250, then no specific sensor name is created (although I usually call it an IDS-4250-4FE).

    The 4FE card has 4 10/100 TX interfaces.

    With the IDS-4250 and a 4FE card, the user can sniff the 4 10/100 TX interfaces of the card as well as the standard onboard TX Gig sniffing interface, which gives a total of 5 sniffing interfaces.

    NOTE: Only ONE of the 3 PCI cards can be placed in the IDS-4250. The IDS-4250 has 2 PCI slots, BUT Cisco only supports placing a card in ONE of the 2 slots. So users cannot put in 2 XL cards, or 2 SX cards, or 2 4FE cards, or a mix of 2 different types of cards. (This may change in a future release.)

    Here is a quick breakdown of what I said:

    IDS-4250-TX-K9:

    1 Gig TX interface

    500 Mbps performance

    IDS-4250-TX-K9 + IDS-4FE-INT=:

    1 Gig TX interface + 4 FE TX interfaces

    500 Mbps performance

    IDS-4250-TX-K9 + IDS-4250-SX-INT=:

    (IDS-4250-SX-K9)

    1 Gig TX interface + 1 Gig SX interface (SC connector)

    500 Mbps performance

    IDS-4250-TX-K9 + IDS-XL-INT=:

    (IDS-4250-XL-K9)

    2 Gig SX interfaces with hardware acceleration (MTRJ connectors)

    1 Gbps performance

    NOTE: Performance is not per port, but rather the total performance of the chassis when combining the traffic on all sniffing ports.

    As for the question on trunks.

    The IDS software supports 802.1q trunk monitoring on ALL interfaces. You don't have to worry about buying a particular sensor model for trunks.

    You must determine your sensor model (and additional PCI card) based on the physical connection and the sensor performance required.

    How to:

    On the switch itself, hard code the port as an 802.1q trunk port and force the trunk on. (This must be hardcoded on the switch because there is no trunk negotiation with the sensor.)

    In CatOS on the 6500 switch, an example would be:

    set trunk 6/1 on dot1q

    Now configure the trunk port with only the VLANs you are interested in monitoring.

    In CatOS on the 6500 switch, an example would be:

    set trunk 6/1 1-100

    clear trunk 6/1 101-1005,1025-4094

    Now you need to use SPAN or VACL capture to send packets to the trunk port.

    In CatOS on the 6500 switch, an example would be:

    set span 1-100 6/1

    NOTE: Configuring the port as a trunk port is not enough to get packets sent to the sensor. You must still use SPAN or VACL capture on top of the trunk port to get the packets to the monitoring sensor.

    If you do not have a 6500 then, of course, the commands on your switch may be different. And in some cases the above commands can be combined into a single command on your switch, so check your switch's documentation.

  • Nexus 5000 operating as a standalone FibreChannel Switch

    Hello world

    Does anyone know if the Nexus 5000 can be used as a standalone FibreChannel switch? Meaning I don't want to run NPV on it and connect it up to an MDS or a different type of FibreChannel switch. I'm looking to create a "pod" scenario, where a few servers and a storage array would hang off the 5K on F_Ports, log in to the local FLOGI DB, and be able to use zoning, with traffic going straight through the 5K, etc. etc.? I know that the 5K is not a full-blown fibre channel switch so it has some limitations, but again I'm thinking of a "pod" scenario.

    If the scenario above won't work for some reason using FC, can we achieve it with FCoE CNAs on the servers and storage array?

    Finally, how many FC domain IDs can the 5K handle?

    Sorry for the questions. I'm new to SAN switching at this stage.

    Thank you all!

    Yes, it works as a switch; even the FC code in NX-OS is like an MDS switch.

    You connect FC HBAs, SAN ports or FCoE CNAs to the Nexus.

    However, you need the storage license.

    Nexus 5010 supports up to 8 4G FC or 6 8G FC ports with the expansion module

    Nexus 5020 supports up to 16 4G FC or 12 8G FC ports with the expansion module

    Nexus 5548UP supports up to 32 4/8G FC ports without the expansion module

    Nexus 5548UP supports up to 48 4/8G FC ports with the expansion module

    Nexus 5596UP supports up to 48 4/8G FC ports without the expansion module

    Nexus 5596UP supports up to 96 4/8G FC ports with the expansion module

  • S49 signature update for 4.01 S37 IDS

    We have an IDS 4210 with version 4.0(1) S37 and the IDS-sig-4.0-2-S46 and IDS-sig-4.0-2-S47 updates installed. Can I install the S49 update on my IDS?

    S49 cannot be applied to sensors that are not yet at 4.1(1); you must first upgrade to 4.1(1) with the following package:

    IDS-K9-min-4.1-1-S47.rpm.pkg

    Then you can install the S49 signature update:

    IDS-sig-4.1-1-S49.rpm.pkg

    Both are available at:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ids4

    The problem you're going to have is that the 4.1(1) upgrade package requires that the memory in your IDS-4210 be increased.

    If you have a SmartNET contract on your IDS-4210 then you can use the Cisco product upgrade tool to order the memory upgrade without extra charge.

    The 4.1(1) upgrade cannot be loaded on an IDS 4210 without the memory upgrade. So you cannot load S49 without upgrading the memory.

  • Is the WS-C6500-SFM compatible with the WS-X6381-IDS and Native IOS?

    I found some puzzling info in the data sheet for the WS-X6381-IDS:

    Catalyst switch platform

    Requires Catalyst Operating System Version 6.1(1) or higher (not supported in Cisco IOS® Software native)

    Policy Feature Card (PFC) required for the VLAN ACL "capture" feature

    Supervisor 1A and Supervisor 2 engines compatible

    Not switch fabric crossbar compatible!

    The data sheet was published in November 2002. But I can't configure them together using "Cisco Configuration Tool", and I found that Native IOS 12.1(8A)EX and later already support this module.

    Another question: to manage the 6381, "Cisco Secure Policy Manager" OR "Cisco Secure Intrusion Detection Director", which is better?

    The data sheet you refer to is incorrect and should be updated.

    The WS-X6381-IDS is supported in native IOS version 12.1(8A)EX for Sup2/MSFC2 or later, and 12.1(11)E for Sup1a/MSFC2, if I remember correctly.

    The word "compatible" when referenced with the SFM has created some confusion. When a card is said to be Cisco switch fabric crossbar "compatible", it means that the card has additional hardware to connect to the new crossbar fabric. The WS-X6381-IDS has no additional hardware to connect to the new crossbar fabric.

    There are several older Cisco cards which are not crossbar "compatible". Many of the 48-port 10/100 line cards that Cisco sells are not crossbar "compatible". All these older cards are called "classic" cards, which means they can only connect to the original "classic" backplane.

    BUT these "classic" cards (the WS-X6381-IDS included) can work in a switch using the SFM and are fully supported by Cisco. That's why the WS-X6381-IDS is fully supported in a switch using the SFM.

    The SFM recognizes which cards are "compatible" and which are "classic". If all cards are "compatible" it makes full use of the new crossbar fabric and can run the switch at the higher 256Gbps performance rates.

    BUT if the SFM detects both "compatible" and "classic" cards, then it runs the new crossbar fabric in what is called "truncated" mode. The SFM uses the new crossbar fabric as much as possible when sending packets to the "compatible" cards, but it is still able to send packets on the original backplane to the "classic" cards when necessary (as for the WS-X6381-IDS).

    In this "truncated" mode the SFM cannot achieve the full 256 Gbps switching, because it still has to use the original 32Gbps backplane when sending packets to the "classic" cards.

    With regard to the IDS management tools. The Cisco Secure Policy Manager and the Cisco Secure Intrusion Detection Director for Unix are replaced by the latest management tools in VMS 2.1.

    VMS 2.1 is the VPN and Security Management Solution version 2.1. VMS 2.1 is a suite of different security management products for Cisco security products (for example the PIX, the VPN concentrator, and Cisco IDS sensors).

    VMS 2.1 contains the Management Center for IDS (IDS MC), which is used to configure the sensors, and the Security Monitor (Sec Mon), which is used to view IDS alarms.

    IDS MC and Sec Mon are web-based management tools.

    The tools are installed on a Windows 2000 Server and can then be accessed by multiple users through a standard web browser on their desktop computers.

    VMS 2.1 is part of the CiscoWorks family of products.

    VMS 2.1 was announced about 2 months ago.

    The IDS MC and Sec Mon in VMS 2.1 are the recommended IDS management tools going forward.

    NOTE: The IDS MC and Sec Mon were originally designed for enterprise deployments. If you only have 3 sensors or less and do not want to spend the extra money for VMS 2.1, then you could use the IDM and IEV included with the sensor at no extra cost.

    IDM (Intrusion Detection Device Manager) is a basic web-browser configuration tool that is installed on the sensor itself and can be used to configure that single sensor.

    IEV (Intrusion Detection Event Viewer) is a Windows-based alarm display program that can receive alarms from a maximum of 3 sensors.

    IDM and IEV are not as feature-rich as the IDS MC and Sec Mon, but IDM and IEV are included with the sensor at no extra cost.

  • CSPM is unable to talk to the IDS

    I have the following configuration on the IDS

    Sensor:

    IP address: 204.142.253.99

    Subnet mask: 255.255.255.0

    Default gateway: 204.142.253.254

    Host name: IDS

    Host ID: 99

    Host port: 45000

    Organization name: ECC

    Organization ID: 100

    Director:

    IP address: 204.142.253.98

    Host name: CSPM

    Host ID: 98

    Host port: 45000

    Heartbeat interval (seconds): 5

    Organization name: ECC

    Organization ID: 100

    Direct IDSM Telnet access: enabled

    Entries in the current list:

    [1] 204.142.253.98

    [2] 204.142.253.55

    [3] 204.142.253.55 0.0.0.0

    but I'm not able to telnet or ping 204.142.253.99 (IDS) from 204.142.253.98 (CSPM) or 204.142.253.55

    I'm not sure of the following:

    1. how to assign the host id?

    2. how to assign the mask with the IP addresses allowed to access the IDS via telnet

    If you cannot ping the IDSM then it is usually because its command and control VLAN has not been set yet.

    (1) Determine what VLAN is used for the 204.142.253.0 network.

    (2) Make sure that CSPM is connected to the switch through a port in the same VLAN (either directly or through a hub or another switch).

    (3) Assign the command and control port of the IDSM to this VLAN (this is the part that many people forget): set vlan vlan# mod#/2, for example: set vlan 100 5/2

    (4) Verify that CSPM can ping both the default gateway 204.142.253.254 and the IDSM.

    (5) Check that the IDSM can ping both CSPM and the default gateway.

    With regard to your questions:

    Using the last octet of the IP address is common, especially when all the machines are on the same network. If you deal with IDS sensors on several networks, you will need to come up with your own convention. NOTE: The host ID of CSPM was assigned during the installation of CSPM. You must make sure that the host ID used when installing CSPM is the same as the one you enter for the CSPM host when installing the sensor.

    The mask used in the access list works exactly the opposite of a normal netmask. For example, with a class C, the normal network mask would be 255.255.255.0, but in the access list you must represent it as 0.0.0.255. You are telling the sensor which bits are variable rather than which bits are the network.

    To allow your whole 204.142.243.0 network you would use the 0.0.0.255 mask.
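The wildcard-mask rule from the last answer, as an added example that is not part of the original thread or of any Cisco tool: a small Python helper that inverts a normal netmask into the access-list form, parses entries shaped like the sensor's "current list" (a bare address meaning one host, an address plus wildcard meaning a range), and checks whether a given host would be admitted. The list contents are constructed from the values shown in the thread, and all function names are my own.

```python
import ipaddress

# Constructed sample access list, shaped like the "Entries in the current list"
# output in the thread. A bare address means a single host (wildcard 0.0.0.0);
# an address followed by a wildcard mask covers a range of hosts. The last
# entry is the whole-network form the answer describes.
SAMPLE_ACCESS_LIST = [
    "204.142.253.98",
    "204.142.253.55",
    "204.142.253.55 0.0.0.0",
    "204.142.243.0 0.0.0.255",
]

ALL_ONES = 0xFFFFFFFF


def wildcard_from_netmask(netmask):
    """Invert a normal subnet mask (255.255.255.0) into the wildcard form
    the sensor's access list expects (0.0.0.255)."""
    bits = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(bits ^ ALL_ONES))


def netmask_from_wildcard(wildcard):
    """The reverse conversion; XOR with all ones is its own inverse."""
    return wildcard_from_netmask(wildcard)


def parse_entry(entry):
    """Split one list entry into (address, wildcard) integers.
    A missing wildcard is treated as 0.0.0.0, i.e. exactly one host."""
    parts = entry.split()
    address = int(ipaddress.IPv4Address(parts[0]))
    wildcard = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0
    return address, wildcard


def entry_matches(entry, host):
    """Wildcard bits set to 1 are 'don't care'; every 0 bit must match."""
    address, wildcard = parse_entry(entry)
    fixed_bits = ALL_ONES ^ wildcard
    return (int(ipaddress.IPv4Address(host)) & fixed_bits) == (address & fixed_bits)


def telnet_allowed(host, access_list=SAMPLE_ACCESS_LIST):
    """True if at least one entry admits the host. A permit-only list refuses
    anything that matches no entry, which is the symptom seen in the thread
    when the manager's address is missing from it."""
    return any(entry_matches(entry, host) for entry in access_list)


def describe(access_list=SAMPLE_ACCESS_LIST):
    """Render each entry as the CIDR block it effectively permits. Wildcards
    derived from a netmask are always contiguous, so a prefix length suffices."""
    rendered = []
    for entry in access_list:
        address, wildcard = parse_entry(entry)
        prefix_len = 32 - wildcard.bit_length()
        network = ipaddress.IPv4Network((address & (ALL_ONES ^ wildcard), prefix_len))
        rendered.append(f"{entry:28} -> {network}")
    return rendered


if __name__ == "__main__":
    for line in describe():
        print(line)
    for probe in ("204.142.253.98", "204.142.243.77", "204.142.253.99"):
        print(probe, "allowed" if telnet_allowed(probe) else "refused")
```

Running it shows the two 204.142.253.55 entries collapsing to the same /32, which is the point of the answer: the trailing 0.0.0.0 adds nothing, and only a non-zero wildcard such as 0.0.0.255 widens an entry to a whole network.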
