Cisco IDS IPS AIP IDSM-2 configuration Guides


Introduction To Cisco IPS Config Guide

This document is designed to help you get your Cisco IPS appliances off the ground. It includes an easy-to-use configuration walkthrough and advice on how to achieve the optimum performance from your Cisco IPS appliance.

The document below is meant to be used with some caution where specified, and if at any time you feel you are lost in too much technical detail you can always contact us to assist you in your endeavours.




1.1.  Cisco IDS, Cisco IPS, Cisco AIP, Cisco IDSM configuration example
1.2.  Cisco IDSM background, mode of operation and traffic flow
1.3.  IDSM-2 configuration sequence
1.4.  Cisco IDSM configuration example, switch side
1.5.  Cisco IDSM configuration example, IDSM side
1.6.  Managing the IDSM-2
1.7.  Initial setup
1.8.  Default gateway setup
1.9.  IDSM and AIP failover configuration notes
1.10. Cisco AIP module configuration example
1.11. Operating modes
1.12. Configuration sequence, Cisco ASA
1.13. Login to the AIP module via SSH or session from the Cisco ASA
1.14. Cisco IPS 42xx configuration example
1.15. Traffic flow
1.16. Configuration sequence, Cisco IPS 4200 model
1.17. System Configuration Dialog
1.18. GUI configuration common to all the IPS, IDSM and AIP models
1.19. System basic settings
1.20. Promiscuous mode configuration
1.21. IPS signature updates, automatic updates and signature update URL
1.22. Cisco IPS Manager Express (IME)
1.23. Upgrade procedure


Cisco IDS, Cisco IPS, Cisco AIP, Cisco IDSM configuration example


The Cisco IPS systems, whatever their shape or size, have one thing in common: they filter traffic using signature sets and traffic normalization features. The sections below explain how to get the IPS system off the ground by configuring its basic parameters: IP address, network mask, default gateway and trusted hosts (the management access list). Once that is out of the way, all of these IPS systems are easier to configure through the GUI than through the CLI. A configuration example describing these parameters is provided at the end of each section.

Cisco IDSM background, mode of operation and traffic flow


The Cisco IDSM-2 supports the following throughput:
Aggregate throughput, promiscuous mode: 600 Mbps
Aggregate throughput, inline mode: 500 Mbps


For more information on the IDSM-2, see the IDSM-2 data sheet on Cisco's website.
The Cisco IDSM inspects traffic passing across the backplane of the Catalyst 6509 and is configured to examine that traffic using filters and global alert category settings. The module scans and reacts to network traffic according to the filter instructions, or action set. Each segment and device can use a different set of filters to manage and block traffic and malicious activity in order to provide optimal protection. The IDSM can function in two primary modes: promiscuous and inline.
In promiscuous mode the module only looks at a copy of the traffic (delivered to it by VACL capture or SPAN); it cannot drop packets itself and can only alert, reset TCP connections or request a block. Inline mode is the opposite: the module sits in the actual traffic path for the VLANs assigned to it from the switch backplane, so every packet is inspected before it is forwarded and malicious packets can be dropped. The diagram below shows the traffic flow in the Cisco IDSM-2.


Action sets in these filters provide the instructions for the device to block, permit, and send alerts. Filters fall into three categories:

  • Application Protection
  • Infrastructure Protection
  • Performance Protection



IDSM2 Configuration Sequence


Perform the following tasks to configure the IDSM-2:
1. Configure the Catalyst 6500 series switch for command and control access to the IDSM-2.
2. Log in to the IDSM-2.
3. Configure the switch to send the traffic to be monitored to the IDSM-2.
4. Initialize the IDSM-2. Run the setup command to initialize the IDSM-2; during setup you can configure the interfaces of the IDSM-2.
5. Create the service account (this account gives a root shell on the module; create it only when Cisco TAC needs it and protect its password).
6. Perform the other initial tasks, such as adding users, trusted hosts, and so forth.
7. Configure intrusion prevention.
8. Perform miscellaneous tasks to keep the IDSM-2 running smoothly.
9. Upgrade the IPS software with new signature updates and service packs.
10. Reimage the application partition and the maintenance partition when needed.


Cisco IDSM configuration example Switch Side



First insert the IDSM-2 blade into the Catalyst 6509 switch and wait for it to boot. To verify that the IDSM-2 is correctly installed in the switch, issue the command below.

For Cisco IOS software:
router# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3       Anomaly Detector Module                WS-SVC-ADM-1-K9    SAD084104JR
  4     4 Intrusion Detection System             WS-SVC-IDSM2       SAD05380608

As mentioned previously, you need to divert traffic on the Catalyst 6509 so that it reaches the module. The example below shows a promiscuous IDSM-2 switch-side configuration: the module's management port is placed in VLAN 201, and a VLAN access map on VLAN 202 copies the matching traffic (VACL capture) to both data ports. Lines starting with ! are comments.

! Management (command and control) port of the module in slot 4
intrusion-detection module 4 management-port access-vlan 201
! Make both data ports VACL capture destinations, limited to VLAN 202
intrusion-detection module 4 data-port 1 capture
intrusion-detection module 4 data-port 2 capture
intrusion-detection module 4 data-port 1 capture allowed-vlan 202
intrusion-detection module 4 data-port 2 capture allowed-vlan 202
! Keep the VLAN interface state in step with the data ports
intrusion-detection module 4 data-port 1 autostate include
intrusion-detection module 4 data-port 2 autostate include
! VACL: forward all IP traffic on VLAN 202 and copy it to the capture ports
! (a single permit ip any any already covers ICMP)
vlan access-map IDSM2 10
 match ip address IDSM2-LIST
 action forward capture
ip access-list extended IDSM2-LIST
 permit ip any any
vlan filter IDSM2 vlan-list 202
! Alternative to VACL capture: SPAN the VLAN to a data port. Do not combine
! both on the same data port, and note a SPAN session needs a destination:
! monitor session 2 source vlan 202
! monitor session 2 destination intrusion-detection-module 4 data-port 1


Cisco IDSM configuration example IDSM side


Once the switch-side configuration is complete you can log in to the IDSM-2 module from the Catalyst 6509 (IOS) with the command below, then check the software version, signature level and licence status with show version. Watch the "Trial license, expires" line: once the licence lapses the sensor keeps inspecting with the signatures it has, but refuses new signature updates.
router# session slot 4 processor 1
TEST-IPS01# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(1)E3
Realm Keys            key1.0                               
Signature Definition:                                           
Signature Update      S440.0                   2009-10-02  
Virus Update          V1.4                     2007-03-02  
OS Version:               2.4.30-IDS-smp-bigphys               
Platform:                 WS-SVC-IDSM-2                         
Serial Number:            xxxxxx                          
Trial license, expires:   14-Nov-2009 UTC                      
Sensor up-time is 11 days.
Using 1406742528 out of 1983508480 bytes of available memory (70% usage)
system is using 16.5M out of 38.5M bytes of available disk space (43% usage)
application-data is using 37.7M out of 166.8M bytes of available disk space (24% usage)
boot is using 40.6M out of 68.6M bytes of available disk space (62% usage)

MainApp            B-BEAU_2009_APR_18_08_00_7_0_1   (Release)   2009-04-18T08:05:25-0500   Running  
AnalysisEngine     B-BEAU_2009_APR_18_08_00_7_0_1   (Release)   2009-04-18T08:05:25-0500   Running  
CollaborationApp   B-BEAU_2009_APR_18_08_00_7_0_1   (Release)   2009-04-18T08:05:25-0500   Running  
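The two sections above only show the promiscuous (VACL capture) setup. The following is an added example, not configuration from the original page, of putting the same IDSM-2 inline with an inline VLAN pair, both the switch side and the IDSM side. Assumptions: the module is in slot 4, its management port is in VLAN 100, hosts sit in VLAN 201 and the gateway SVI for that subnet (192.0.2.1/24) is in VLAN 202, so the only path between hosts and gateway is through the sensor; data-port 1 of an IDSM-2 is GigabitEthernet0/7 on the module. Lines starting with ! are annotations, not commands.

```cisco
! ---- Catalyst 6509 (IOS) side, IDSM-2 in slot 4 (assumed) ----
! Create both VLANs; deliberately no SVI on 201 so hosts cannot bypass the sensor
vlan 201,202
interface Vlan202
 description Gateway SVI for the 192.0.2.0/24 hosts living in VLAN 201
 ip address 192.0.2.1 255.255.255.0
!
intrusion-detection module 4 management-port access-vlan 100
! Inline mode: the data port is a trunk carrying both VLANs of the pair
intrusion-detection module 4 data-port 1 trunk allowed-vlan 201,202
intrusion-detection module 4 data-port 1 autostate include

! ---- IDSM-2 side (IPS 7.0 CLI); data-port 1 = GigabitEthernet0/7 ----
sensor# configure terminal
sensor(config)# service interface
! Software bypass: if AnalysisEngine stops, the pair keeps forwarding
! uninspected; set bypass-mode off if you prefer fail-closed behaviour
sensor(config-int)# bypass-mode auto
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description hosts VLAN 201 to gateway VLAN 202
sensor(config-int-phy-inl-sub)# vlan1 201
sensor(config-int-phy-inl-sub)# vlan2 202
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]: yes
! Assign the pair to the default virtual sensor, otherwise nothing inspects it
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Verify the pair is up and traffic counters move when a host pings the gateway
sensor# show interfaces
```

Software bypass only covers a stopped inspection engine on a running module; if the blade itself fails or is pulled, VLAN 201 is cut off from its gateway, which is exactly the failover case the IDSM and AIP failover notes below are about. Test that behaviour (shut the data port, reload the module) before relying on it in production.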



Managing the IDSM2



The management address of the module is configured with the commands below, and only hosts in the access list can reach the management GUI to manage the device. The device is accessed at https://<the IP address you configured in setup>.


Initial Setup


service host
host-name test
telnet-option disabled
offset 120
standard-time-zone-name GMT+02:00

Note that offset is the offset from UTC in minutes, so a GMT+02:00 zone needs offset 120 (not 0); standard-time-zone-name is only a label. Leave telnet disabled and manage the sensor over SSH and HTTPS.


Default gateway setup


A default gateway is necessary for the device to be managed from a different subnet and for signature updates initiated from the IDSM. It is set together with the management address in network-settings, as a single host-ip argument of the form address/prefix,gateway.
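The complete initial host configuration (management address, default gateway, trusted-host access list and time zone), as an added example that is not from the original page. Assumed values: management address 192.0.2.10/24 with gateway 192.0.2.1, hostname test, a management subnet 198.51.100.0/24 and one extra jump host 203.0.113.7. Lines starting with ! are annotations, not commands.

```cisco
! Added example; addresses and hostname are assumed
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! host-ip is address/prefix,gateway in one argument; the part after the
! comma is the default gateway the previous section refers to.
! Changing it over SSH drops your session, so do this from the console/switch session.
sensor(config-hos-net)# host-ip 192.0.2.10/24,192.0.2.1
sensor(config-hos-net)# host-name test
sensor(config-hos-net)# telnet-option disabled
! Trusted hosts: only these sources may reach SSH/HTTPS on the sensor.
! Add the host you are working from first, or you lock yourself out of the GUI.
sensor(config-hos-net)# access-list 198.51.100.0/24
sensor(config-hos-net)# access-list 203.0.113.7/32
sensor(config-hos-net)# exit
sensor(config-hos)# time-zone-settings
! offset is minutes from UTC; GMT+02:00 therefore needs 120, not 0
sensor(config-hos-tim)# offset 120
sensor(config-hos-tim)# standard-time-zone-name GMT+02:00
sensor(config-hos-tim)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
sensor(config)# service web-server
sensor(config-web)# port 443
sensor(config-web)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Verify the settings took and the gateway is reachable
sensor# show settings | include host-ip
sensor# ping 192.0.2.1
```

Keep the access list tight: it is the only thing standing between the network and the sensor's management plane, and the GUI login is the same local account database as the CLI.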


IDSM and AIP Failover configuration notes


The IDSM pairs are configured in an active/standby failover arrangement. Due to the nature of the traffic flow the primary core switch is always in use, so the primary IDSM module always receives the traffic. In case of a chassis failure or FWSM failure, the traffic flow is diverted to the secondary FWSM and IDSM units. The secondary IDSM is configured exactly like the primary but sits idle until a failover occurs, so keep the two configurations (and signature levels) in step or the failover path will be inspected differently from the primary one.


Cisco AIP module Configuration example


The data sheet, throughput figures and more specific support options can be found on Cisco's website.


Operating Modes


You can send traffic to the AIP SSM using one of the following modes:

Inline mode: this mode places the AIP SSM directly in the traffic flow. No traffic that you identified for IPS inspection can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet that you identify for inspection is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.



Promiscuous mode: this mode sends a duplicate stream of traffic to the AIP SSM. It is less secure, but has little impact on traffic throughput. Unlike in inline mode, in promiscuous mode the AIP SSM can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance. Also, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance before the AIP SSM can shun it. The figure below shows the AIP SSM in promiscuous mode. In this example, the AIP SSM sends a shun message to the security appliance for traffic it identified as a threat.


Configuration sequence Cisco ASA


Prerequisites: the Cisco ASA is configured and an AIP SSM is installed in it.
On the ASA you then divert traffic to the module through the Modular Policy Framework, as shown below. The access list selects what is inspected (here everything), the ips command under the class chooses inline or promiscuous, and fail-open or fail-close decides what the ASA does with that traffic while the module is down or rebooting (for example during a signature or software upgrade): fail-open lets it through uninspected, fail-close drops it. Lines starting with ! are comments.

access-list IPS extended permit ip any any
class-map my-ips-class
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class my-ips-class
  ! for promiscuous mode use this line:
  ips promiscuous fail-open
  ! for inline mode use this line instead (never both at the same time):
  ! ips inline fail-open
! the policy only takes effect once it is applied; global_policy is applied globally
service-policy global_policy global
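Sending permit ip any any to the module with fail-open is the quick way to get started, but it inspects every flow through the firewall and silently passes everything uninspected whenever the module is down. The following is an added example, not configuration from the original page, of the scoped version a practitioner would more likely run: only DMZ traffic goes to the module, inline, and the ASA drops that traffic if the module is unavailable. Assumptions: DMZ subnet 192.0.2.0/24, an interface named outside, and the module's default virtual sensor vs0.

```cisco
! Added example; subnet, interface name and sensor name are assumed
! Select only traffic to or from the DMZ for IPS inspection
access-list IPS-DMZ extended permit ip any 192.0.2.0 255.255.255.0
access-list IPS-DMZ extended permit ip 192.0.2.0 255.255.255.0 any
!
class-map ips-dmz-class
 match access-list IPS-DMZ
!
! A dedicated policy on the outside interface; global_policy keeps doing
! the protocol inspections and is untouched
policy-map outside-policy
 class ips-dmz-class
  ! inline so the module can drop packets; fail-close so a dead or
  ! rebooting module blocks the DMZ instead of exposing it uninspected
  ips inline fail-close sensor vs0
!
service-policy outside-policy interface outside
!
! Verify: packet counters under ips should increase, and the module state
! should be Up before you trust the fail-close behaviour
show service-policy interface outside
show module 1 details
```

The price of fail-close is that every module reload (software upgrades, not signature updates, reload the module) takes the DMZ offline for the duration, so schedule those in a maintenance window; fail-open is the right choice only where availability matters more than inspection.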


login to the AIP module device via ssh or session from the Cisco ASA


hostname# session 1

Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco


Last login: Fri Sep 2 06:21:20


You may also use an SSH connection or an HTTPS connection to the management IP address configured on the module.


Cisco IPS 42xx Configuration Example  


Traffic flow


The recommended traffic flow is almost always inline mode, as this is the most effective setting for the IPS device.
The appliance is therefore placed so that it physically intercepts all the traffic from the segments that need to be protected.


Configuration sequence Cisco IPS 4200 model


Log in to the appliance:
Connect your PC to the sensor's console port and log in with the default user cisco (you are forced to change the password at first login).


login: cisco
Please go to
to obtain a new license or install a license.
My recommendation is to do an initial basic setup from the CLI and then continue the configuration through the GUI.
You can do that by issuing the setup command and following the configuration prompts.


System Configuration Dialog


When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console. The System Configuration Dialog guides you through the configuration process.

The values shown in brackets next to each prompt are the current values. You must go through the entire System Configuration Dialog until you come to the option that you want to change. To accept the default for an item you do not want to change, press Enter. To return to the EXEC prompt without making changes and without going through the entire dialog, press Ctrl-C. The dialog also provides help text for each prompt; to access it, enter ? at the prompt.

When you complete your changes, the System Configuration Dialog shows you the configuration that you created during the setup session and asks whether you want to use it. If you enter yes, the configuration is saved. If you enter no, the configuration is not saved and the process begins again. There is no default for this prompt; you must enter either yes or no.


Example System Configuration Dialog
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
offset 0
standard-time-zone-name UTC
summertime-option disabled
ntp-option disabled
service web-server
port 443
service interface
physical-interfaces FastEthernet0/0
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
description Created via setup by user asmith
vlan1 200
vlan2 300
physical-interfaces FastEthernet0/1
admin-state enabled
physical-interfaces FastEthernet0/2
admin-state enabled
physical-interfaces GigabitEthernet0/0
admin-state enabled
inline-interfaces newPair
description Created via setup by user asmith
interface1 FastEthernet0/1
interface2 FastEthernet0/2
service analysis-engine
virtual-sensor newVs
description Created via setup by user cisco
signature-definition newSig
event-action-rules rules0
anomaly-detection-name ad0
operational-mode inactive
physical-interface GigabitEthernet0/0
virtual-sensor vs0
physical-interface FastEthernet0/0 subinterface-number 1
logical-interface newPair


Gui Configuration common for all the IPS ,IDSM ,AIP models


Firstly you need to login to the device using https://ip-address-of-the-device





System Basic settings






Promiscuous mode configuration








IPS signature Updates and Automatic updates signature update URL


NB: you need to install a Cisco licence. Go to the specified page, where you can request a Cisco IPS signature update trial licence if you possess a valid CCO account and have the serial number of the device (shown by show version). However, this is a temporary measure: you need to purchase a valid subscription from Cisco for the IPS to be able to fetch automatic updates from Cisco.
Once the contract has been purchased you may use the URL below to update the signatures.
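Rather than fetching signature files by hand, a licensed sensor can pull them from Cisco.com on a schedule. The following is an added example, not configuration from the original page; the command tree is the one the IPS 6.2/7.0 CLI uses for auto-upgrade, and you should confirm each level with ? on your own sensor, since exact sub-mode names vary between releases. Assumptions: a dedicated Cisco.com account ips-updater that carries the signature subscription, and a Sunday 02:00 update window. Lines starting with ! are annotations, not commands.

```cisco
! Added example; account name and schedule are assumed
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# auto-upgrade
! Pull directly from Cisco.com; the locator URL is built into the sensor software
sensor(config-hos-aut)# cisco-server enabled
! Use a dedicated CCO account: the sensor stores these credentials
sensor(config-hos-aut-ena)# user-name ips-updater
sensor(config-hos-aut-ena)# password
Enter password[]: ********
Re-enter password: ********
! Weekly window; new signature levels are applied without a module reload
sensor(config-hos-aut-ena)# schedule-option calendar-schedule
sensor(config-hos-aut-ena-cal)# days-of-week sunday
sensor(config-hos-aut-ena-cal)# times-of-day 02:00:00
sensor(config-hos-aut-ena-cal)# exit
sensor(config-hos-aut-ena)# exit
sensor(config-hos-aut)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Confirm the schedule was saved, and after the window that the S-level moved
sensor# show settings | begin auto-upgrade
sensor# show version | include Signature
```

Automatic updates silently stop when the licence expires, so pair this with a periodic check of the "Signature Update" and "license" lines in show version on every sensor, including the idle standby units described in the failover notes.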



Cisco IPS Manager Express IME


Cisco IPS Manager Express (IME) simplifies Cisco IPS sensor management with a user-friendly application. It is ideal for small or simple deployments and provides:

To get a free assessment on how to optimize your current Cisco IPS solution contact us here