Studying for the written exam right now. These are just some notes I made from various Cisco docs.
IDSM vs IPS 4200:
-does not support virtualization with inline VLAN groups
-does not support sub-dividing inline interfaces or VLAN groups
-syncs clock with switch (or use NTP)
-two sensing interfaces
-must have a native VLAN
-no console
-has a maintenance partition
FEATURES
-promiscuous mode: passively monitors traffic copied to the data port(s)
-inline mode (5.0): each data port is an access port; the IDSM bridges between them
-inline VLAN pair mode (5.1): bridges between VLANs on the same port/trunk
-promiscuous mode can be mixed with inline VLAN pairs
-runs the same code as the IPS 4200
INTERFACES:
-Port 1: TCP resets (used in promiscuous mode)
-Port 2: command and control
-Ports 7,8: sensing (can be configured as an inline pair)
CAPTURING:
-SPAN
-VACL
INITIALIZING:
-login with the session command
-user/pass: cisco/cisco
-setup command (session x)
-reset
SWITCH CONFIGURATION:
-intrusion-detection module x management-port access-vlan xx
-the sensor's gateway should be the SVI for that VLAN on the switch
-monitor session 1 source interface g2/23 both
-monitor session 1 destination intrusion-detection-module 9 data-port 1
-intrusion-detection-module 9 data-port 1 autostate include
-intrusion-detection-module 9 data-port 1 portfast
-autostate include allows the SVI to stay up when the data port is the only port in the VLAN
VACL CAPTURE:
-ip access-list standard ACLNAME, etc
-vlan access-map VACLNAME
   match ip address ACLNAME
   action forward capture
-vlan filter VACLNAME vlan-list XXX-XXX
-intrusion-detection-module X data-port X capture allowed-vlan XXX-XXX
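A complete worked VACL capture configuration, added here as an example and not taken from the post or from Cisco's docs. The slot number, VLANs, ACL/VACL names and subnet are all constructed for illustration. Where the notes above write `intrusion-detection-module` for the standalone command, the IOS form I know is `intrusion-detection module` (with a space); the hyphenated keyword belongs to the `monitor session ... destination` SPAN syntax. The catch-all entry at sequence 20 is the part practitioners most often forget: a VACL drops any packet that matches no map entry, so without it every VLAN in the filter list loses all non-captured traffic.

```cisco
! Added example: VACL capture of VLANs 661-662 to an IDSM-2 in slot 9 (promiscuous mode).
! Slot, VLAN numbers, names and addresses are constructed, not from the post.
!
! 1. Command and control port in its own VLAN; the SVI on that VLAN is the sensor's gateway
intrusion-detection module 9 management-port access-vlan 10
!
! 2. Standard ACL selecting the traffic to copy (here: one user subnet)
ip access-list standard IDS_CAPTURE_ACL
 permit 10.66.1.0 0.0.0.255
!
! 3. VACL: matching packets are forwarded normally AND copied to the capture port(s)
vlan access-map IDS_CAPTURE_MAP 10
 match ip address IDS_CAPTURE_ACL
 action forward capture
!
! 4. Catch-all entry with no match clause: forward everything else without capturing it.
!    Omit this and the VACL's implicit deny drops all non-matching traffic in the VLANs.
vlan access-map IDS_CAPTURE_MAP 20
 action forward
!
! 5. Apply the VACL to the VLANs being monitored
vlan filter IDS_CAPTURE_MAP vlan-list 661-662
!
! 6. Make the IDSM data port a capture port for those VLANs
intrusion-detection module 9 data-port 1 capture allowed-vlan 661-662
!
! Verification
show vlan access-map IDS_CAPTURE_MAP
show vlan filter
```

Check the `show vlan filter` output to confirm the map is bound to exactly the intended VLAN list before trusting the sensor's view; a map applied to the wrong VLANs either blinds the sensor or, without the catch-all, black-holes production traffic.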
MLS IP IDS:
-used when the monitored ports are routed ports
-ip access-list standard ACLNAME
-mls ip ids ACLNAME
INLINE MODE:
-intrusion-detection-module 13 data-port 1 access-vlan 661
-intrusion-detection-module 13 data-port 2 access-vlan 662
INLINE VLAN PAIR:
-intrusion-detection-module 13 data-port 2 trunk allowed-vlan 661,662
ECLB (EtherChannel load balancing):
-intrusion-detection-module 13 data-port 1 channel-group 3
-intrusion-detection-module 13 data-port 2 channel-group 3
-intrusion-detection-module port-channel 3 capture
ADMIN TASKS:
-hw-module module 9 reset mem-test-full
-hw-module module 9 reset hdd:1 (application partition) or cf:1 (maintenance partition)
-upgrade
Thursday, April 29, 2010