Chapter 16. Troubleshooting Cisco IDS Network Module (NM-CIDS)
Intrusion Prevention Systems (IPS) on routers come in two flavors: integrated IPS features, and an external network module called the NM-CIDS. Because the NM-CIDS uses the same code base as the IPS Sensor, all the Sensor troubleshooting techniques discussed in Chapter 14, "Troubleshooting Cisco Intrusion Prevention System," apply here with some minor exceptions (for example, the inline feature supported on the IPS Sensor is not supported on the NM-CIDS). Hence, this chapter does not repeat the troubleshooting information on IPS operations performed on the NM-CIDS. Instead, the chapter focuses on the configuration and troubleshooting of the Cisco IOS router and on NM-CIDS configuration issues. The chapter concludes with best practices specifically for the NM-CIDS.
Overview of NM-CIDS on the Router
The IDS Network Module (NM-CIDS-K9), which may be installed in a Cisco 2600XM, 2691, 2800, 3660, or 3700 Series chassis, can provide up to 45 MBps of full-featured intrusion protection services within the router. The NM-CIDS can inspect all traffic traversing the router, identify unauthorized or malicious activity such as hacker attacks, worms, or denial-of-service attacks, and terminate this illegitimate traffic to suppress or contain threats. The NM-CIDS leverages the current Cisco IPS sensor technology to extend IPS support to branch office routers. Through collaboration with IPsec VPN and Generic Routing Encapsulation (GRE) traffic, the NM-CIDS allows decryption, tunnel termination, and traffic inspection at the first point of entry into the network, an industry first. Only one NM-CIDS is supported in a given router, but it is not restricted to a specific slot within the router. Figure 16-1 shows a typical NM-CIDS network setup.
Figure 16-1. NM-CIDS Network Setup
This section discusses the following items pertaining to the NM-CIDS in detail; the sections that follow present the details on each topic.
Software and Hardware Requirements
There are specific hardware and software requirements on the router to support the NM-CIDS. You must be running one of the following IOS versions to insert and use the NM-CIDS:
- Cisco IOS software version 12.2(15)ZJ or later
- Cisco IOS software version 12.3(4)T or later
Note
You must be running IDS software version 4.1 or later on the NM-CIDS.
The routers that support the NM-CIDS are listed in Table 16-1.
Table 16-1. NM-CIDS Support by Router Model
Routers | NM-CIDS |
---|---|
Cisco 2600 series | No |
Cisco 2600XM series | Yes |
Cisco 2691 | Yes |
Cisco 3620 | No |
Cisco 3631 | No |
Cisco 3640, Cisco 3640A | No |
Cisco 3660 | Yes |
Cisco 3725 | Yes |
Cisco 3745 | Yes |
Cisco 2811, 2821, 2851, 3825, and 3845 | Yes |
Front Panel Indicator Lights and How to Use Them
The NM-CIDS has status indicators and a Shutdown button. Locating the different indicators and understanding their meaning is necessary for troubleshooting hardware and operational issues. Table 16-2 summarizes the purpose of the different indicators on the front panel of the NM-CIDS.
Table 16-2. NM-CIDS Front Panel Indicators
Indicators | Description |
---|---|
ACT | There is activity on the fast Ethernet connection. |
DISK | There is activity on the IDS hard drive. |
EN | NM-CIDS has passed a self-test and is available to the router. |
LINK | The Fast Ethernet connection is available to the NM-CIDS. |
PWR | Power is available to the NM-CIDS. |
Slot Assignment on the Router
The NM-CIDS can be inserted in any available slot on the router, provided that you have a supported router and a supported IOS software version. Only one NM-CIDS is supported per chassis.
Installing NM-CIDS Blade on the Router
You must install the NM-CIDS offline in Cisco 2650XM, 2651XM, and 2691 routers. To avoid damaging the NM-CIDS, you must turn off electrical power and disconnect network cables before you insert the NM-CIDS into a chassis slot or remove it from a chassis slot.
Cisco 3660 and Cisco 3700 series routers allow you to replace NM-CIDS without switching off the router or affecting the operation of other interfaces. Online insertion and removal (OIR) provides uninterrupted operation to network users, maintains routing information, and ensures session preservation.
Removing NM-CIDS Blade from the Router
The same rule for inserting the NM-CIDS into the router applies to removing it. Additionally, you must shut down the NM-CIDS before removing it, because, unlike other network modules, the NM-CIDS uses a hard-disk drive. Online removal of a hard-disk drive without a proper shutdown can corrupt the file system and might render the drive unusable. The operating system on the NM-CIDS must be shut down in an orderly fashion before the module is removed. You can use the service-module ids-sensor slot/0 shutdown command to shut the module down from the router.
Ports Supported on NM-CIDS
To understand the interfaces supported on the NM-CIDS, look at the high-level hardware architecture of NM-CIDS as depicted in Figure 16-2.
Figure 16-2. NM-CIDS Hardware Architecture
NM-CIDS uses three interfaces to perform the IDS/IPS functions of monitoring and Command and Control (see Figure 16-2) as follows:
- Command and Control port: There is one external Fast Ethernet interface on the NM-CIDS that can be used as the Command and Control port. This interface can be connected to a switch, to a hub, or directly to a workstation running IPS management software (for example, IPS MC). Because this port is used for blocking, if you want to apply blocking on the same router in which the NM-CIDS is seated, you must ensure that this interface has connectivity to the router. Remember that even though the NM-CIDS is seated in the router, it behaves as an external host: this interface on the NM-CIDS is external to the router.
- Monitoring interface: An internal Fast Ethernet (FE) interface connects to the internal PCI bus on the router's backplane to provide monitoring capability. This internal FE interface provides a 100 Mbps full-duplex link between the router and the NM-CIDS. The IDS Network Module receives a copy of each packet to be inspected from the router's Peripheral Component Interconnect (PCI) bus on this internal Fast Ethernet interface, and the packets pass through the internal monitoring interface for classification and processing. The router-side interface for the internal Ethernet segment is known as "interface IDS-Sensor" in the Cisco IOS software. This is the only interface associated with the IPS that is visible in the output of the show interfaces command. The router-side internal interface is connected to the router PCI backplane and is also used for TCP reset.
- Console port: Unlike a standard IDS or IPS appliance, the NM-CIDS does not have an external console port. The internal Universal Asynchronous Receiver/Transmitter (UART) interface provides console access. Console access to the NM-CIDS is enabled when you issue the service-module ids-sensor slot/0 session command from the IOS command-line interface (CLI), or when you initiate a Telnet connection as explained later in this document. The lack of an external console port means that the initial configuration of the Cisco IPS is possible only through the router.
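The following IOS CLI session is an added example, not a transcript from the book, that ties together the three interfaces described above and the orderly shutdown required in the "Removing NM-CIDS Blade from the Router" section. It assumes the NM-CIDS sits in slot 1 (so the router-side interface is IDS-Sensor 1/0), that FastEthernet0/0 is the router's LAN interface whose address is borrowed by the internal interface, and that the router hostname is Router; the status and "Trying ..." output lines are constructed and abbreviated, not captured from a real device.

```cisco
! Added example; assumes the NM-CIDS is in slot 1 (interface IDS-Sensor 1/0).
! Step 1: confirm the module is up and learn which TTY line the session uses.
Router# service-module ids-sensor 1/0 status
! (constructed, abbreviated output)
Service Module is Cisco IDS-Sensor1/0
Service Module supports session via TTY line 33
Service Module is in Steady state

! Step 2: bring up the router-side internal interface. It borrows an address
! from FastEthernet0/0 so the reverse-Telnet session and TCP resets have a
! source address; this is the only IPS interface shown by "show interfaces".
Router# configure terminal
Router(config)# interface IDS-Sensor 1/0
Router(config-if)# ip unnumbered FastEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# exit

! Step 3: select which router interfaces are copied to the monitoring
! interface. Traffic on interfaces without this command is never inspected,
! so check this first when the sensor reports no events.
Router(config)# interface FastEthernet0/0
Router(config-if)# ids-service-module monitoring
Router(config-if)# end

! Step 4: console into the sensor over the internal UART. The session is a
! reverse Telnet to port 2000 + TTY line (2033 here); the address shown is
! constructed. Exit the sensor CLI, then press Ctrl-Shift-6 followed by x
! and enter "disconnect" on the router to release the line.
Router# service-module ids-sensor 1/0 session
Trying 10.10.10.1, 2033 ... Open
sensor# exit
Router# disconnect

! Step 5: before OIR removal on a 3660/3700 (or powering down a 2600XM/2691),
! shut the sensor down cleanly to protect the hard-disk file system, and
! re-check the status until it reports the module as shut down.
Router# service-module ids-sensor 1/0 shutdown
Router# service-module ids-sensor 1/0 status
```

The session step matters for troubleshooting because there is no external console port: if the IDS-Sensor interface has no IP address or is administratively down, the session command fails, and the module cannot be configured at all until Step 2 is corrected on the router.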