fir3net

Configuring the Cisco IDS Router / Switch Modules

IDSM-2

The IDSM-2 Module is a Cisco IDS blade for the Cisco 6500 switch.
Once the module is installed in the switch it presents the following logical ports:

Port 1 - TCP reset port (used in promiscuous mode)
Port 2 - Command and control
Port 7 - Sensing port
Port 8 - Sensing port

The steps below configure the switch and module for an inline setup: find the module (slot) number of the IDSM-2, open a session to it and run the setup wizard, then assign the two sensing ports to the pair of VLANs the sensor will sit between. The clear trunk commands are required because by default the switch brings the sensing ports up as trunk ports carrying every VLAN; for an inline pair each sensing port must carry only its own VLAN, so all other VLANs are cleared from the trunk.

switch > (enable) show module
switch > (enable) session [module]
idsm-2# setup
switch > (enable) set vlan 50 5/7
switch > (enable) set vlan 51 5/8
switch > (enable) clear trunk 5/7 1-49,51-4094
switch > (enable) clear trunk 5/8 1-50,52-4094
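The error-prone part of the inline procedure above is the VLAN list handed to clear trunk: each sensing port must end up trunking exactly one VLAN, so the list must be the complement of that VLAN within 1-4094 (leaving VLAN 51 on port 5/8, for instance, means clearing 1-50 and 52-4094, not 1-50 and 51-4094). The following Python is an added example, not code from the Fir3net article or from Cisco, that generates the four CatOS commands for an inline VLAN pair from the module number and the two VLAN IDs; it assumes the IDSM-2 sensing ports are mod/7 and mod/8 and the CatOS clear trunk syntax with comma-separated VLAN ranges.

```python
"""Generate the CatOS commands that put an IDSM-2 into an inline VLAN pair.

Added example (not from the Fir3net article or Cisco documentation).
Assumptions: sensing ports are mod/7 and mod/8, valid VLAN IDs are 1-4094,
and 'clear trunk mod/port <vlan-list>' takes comma-separated ranges.
"""

VLAN_MIN, VLAN_MAX = 1, 4094
SENSING_PORTS = (7, 8)   # IDSM-2: port 1 = TCP reset, port 2 = command and control, 7/8 = sensing


def vlan_ranges(vlans):
    """Collapse VLAN IDs into CatOS range notation, e.g. [1, 2, 3, 5] -> '1-3,5'."""
    vlans = sorted(set(vlans))
    if not vlans:
        return ""
    parts = []
    start = prev = vlans[0]
    for v in vlans[1:]:
        if v == prev + 1:          # still inside a contiguous run
            prev = v
            continue
        parts.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    parts.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(parts)


def trunk_prune_list(keep_vlan):
    """Every VLAN except keep_vlan, i.e. what must be cleared so the port trunks only keep_vlan."""
    if not VLAN_MIN <= keep_vlan <= VLAN_MAX:
        raise ValueError(f"VLAN {keep_vlan} outside {VLAN_MIN}-{VLAN_MAX}")
    return vlan_ranges(v for v in range(VLAN_MIN, VLAN_MAX + 1) if v != keep_vlan)


def inline_pair_commands(module, vlan_a, vlan_b):
    """CatOS commands for an inline pair (vlan_a on mod/7, vlan_b on mod/8) on the IDSM-2 in slot `module`."""
    if vlan_a == vlan_b:
        raise ValueError("an inline pair needs two different VLANs")
    cmds = []
    for port, vlan in zip(SENSING_PORTS, (vlan_a, vlan_b)):
        cmds.append(f"set vlan {vlan} {module}/{port}")
        cmds.append(f"clear trunk {module}/{port} {trunk_prune_list(vlan)}")
    return cmds


if __name__ == "__main__":
    # Same module and VLANs as the article's example (slot 5, VLANs 50 and 51).
    for cmd in inline_pair_commands(5, 50, 51):
        print(cmd)
```

Run it with the article's values and compare the output line by line with what you typed on the switch; any port whose clear trunk list does not leave exactly one VLAN is a port that will still trunk other VLANs after the change.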

NM-CIDS

The NM-CIDS is the IDS module for Cisco routers. The configuration below gives the sensor's internal interface an address borrowed (ip unnumbered) from a loopback, so the sensor is reachable only through a route on the router or through a reverse telnet from the router itself. This is a security measure: the IDS module's management address is not placed directly on any external segment, so it isn't fully accessible from the network.

router (config) # interface loopback 0
router (config-if) # ip address 1.1.1.1 255.255.255.255
router (config-if) # exit
router (config) # interface ids-sensor 1/0
router (config-if) # ip unnumbered loopback 0
router (config-if) # exit
router (config) # ip cef

Under each interface whose traffic the sensor should inspect, use the following command to start forwarding packets to the module:

router (config-if) # ids-service-module monitor

Access the NM-CIDS Console

router # service-module ids-sensor x/y session

or

router # telnet [router ip] [port number]     (port number = 2001 + (32 * slot number), where the slot number is the router slot holding the NM-CIDS)

In our example, with the module in slot 1 and the loopback address configured above, the telnet option would be "telnet 1.1.1.1 2033".
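The reverse-telnet port is a fixed function of the slot, which also makes it easy to audit: any TCP port a scan of the router shows in the 2001+ range that is not 2001 + 32 * k is not a service-module console. The following Python is an added example, not code from the Fir3net article, that computes the console port for a slot, recovers the slot from a port, and prints both ways onto the sensor console; it assumes the mapping given above (port = 2001 + 32 * slot) and the ids-sensor slot/0 naming used in this article.

```python
"""Map an NM-CIDS router slot to its reverse-telnet console port, and back.

Added example (not from the Fir3net article). Assumes the article's mapping:
TCP port = 2001 + 32 * slot, telnet target = the router's own address.
"""

BASE_PORT = 2001
PORTS_PER_SLOT = 32


def console_port(slot):
    """TCP port on the router that reverse-telnets to the module console in `slot`."""
    if not isinstance(slot, int) or isinstance(slot, bool) or slot < 0:
        raise ValueError("slot must be a non-negative integer")
    return BASE_PORT + PORTS_PER_SLOT * slot


def slot_for_port(port):
    """Inverse mapping: the slot whose console listens on `port`, or None if `port` is not a console port.

    Handy when reviewing a port scan of the router: ports such as 2034 or 2000
    are not service-module consoles under this mapping.
    """
    offset = port - BASE_PORT
    if offset < 0 or offset % PORTS_PER_SLOT:
        return None
    return offset // PORTS_PER_SLOT


def session_commands(router_ip, slot):
    """The two ways onto the sensor console described in the article, for the module in `slot`."""
    return [
        f"service-module ids-sensor {slot}/0 session",
        f"telnet {router_ip} {console_port(slot)}",
    ]


if __name__ == "__main__":
    # Article's example: loopback 1.1.1.1, NM-CIDS in slot 1.
    for cmd in session_commands("1.1.1.1", 1):
        print(cmd)
```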

Maintenance Commands

router # service-module ids-sensor x/y ...
reload
reset
session
shutdown
status

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001