1654 Views, 0 Helpful, 5 Replies

IPS-NME-K9 is not processing any packets

alex.dersch
Level 4

Hello Members,

I have an IPS-NME-K9 module installed in my router, but it seems that it does not receive any packets from the router. Here is the config for the IDS-Sensor interface and the interface from which I'd like to send traffic to the sensor.

interface GigabitEthernet0/0
description CONNECTION TO MPLS BACKBONE
no ip address
duplex full
speed 100
no cdp enable
!
!
interface GigabitEthernet0/0.100
description CONNECTION TO VRF VRF100
encapsulation dot1Q 100
ip vrf forwarding VRF100
ip address 172.16.2.14 255.255.255.248
ids-service-module monitoring inline access-list 100
no cdp enable
!
interface GigabitEthernet0/0.103
description CONNECTION TO VRF200
encapsulation dot1Q 103
ip vrf forwarding VRF200
ip address 172.16.11.6 255.255.255.248
ip flow ingress
ip flow egress
ids-service-module monitoring inline access-list 100

access-list 100 permit ip any any

And here are the statistics from the module.

# show statistics virtual-sensor
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Defintion instance = sig0
      Name of current Event-Action-Rules instance = rules0
      List of interfaces monitored by this virtual sensor = GigabitEthernet0/1 subinterface 0
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the statistics = 10137
         MemoryAlloPercent = 51
         MemoryUsedPercent = 49
         MemoryMaxCapacity = 614400
         MemoryMaxHighUsed = 432128
         MemoryCurrentAllo = 317667
         MemoryCurrentUsed = 302192
         Processing Load Percentage = 1
         Total packets processed since reset = 0
         Total IP packets processed since reset = 0
         Total IPv4 packets processed since reset = 0
         Total IPv6 packets processed since reset = 0
         Total IPv6 AH packets processed since reset = 0
         Total IPv6 ESP packets processed since reset = 0
         Total IPv6 Fragment packets processed since reset = 0
         Total IPv6 Routing Header packets processed since reset = 0
         Total IPv6 ICMP packets processed since reset = 0
         Total packets that were not IP processed since reset = 0
         Total TCP packets processed since reset = 0
         Total UDP packets processed since reset = 0
         Total ICMP packets processed since reset = 0
         Total packets that were not TCP, UDP, or ICMP processed since reset = 0
         Total ARP packets processed since reset = 0
         Total ISL encapsulated packets processed since reset = 0
         Total 802.1q encapsulated packets processed since reset = 0
         Total packets with bad IP checksums processed since reset = 0
         Total packets with bad layer 4 checksums processed since reset = 0
         Total number of bytes processed since reset = 0
         The rate of packets per second since reset = 0
         The rate of bytes per second since reset = 0
         The average bytes per packet since reset = 0

Thanks for your feedback.

alex

5 Replies

mwinnett
Level 3

I can't locate the config guide, but I'm fairly certain that the ACL describes the traffic that will NOT be forwarded to the module (daft but true). The "permit ip any any" is steering all traffic away from the module.

Matthew

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliAIM.html#wp1044942

Step 4 (Optional) Configure a monitoring access list on the router:

router(config)# access-list 101 permit tcp any eq www any

You can set up a standard access list and apply it to filter what type of traffic you want to inspect. A matched ACL causes traffic not to be inspected for that ACL. This example bypasses inspection of HTTP traffic only. Refer to your Cisco IOS Command Reference for more information on the options for the access-list command.

Matthew

Hi Matthew,

I have the access-list

access-list 100 permit ip any any

and I can see the hits on the ACL. I believe it has something to do with the VRFs I have configured on the router.

Regards

alex

Hi Alex,

As Matthew mentioned previously, for the NME module, the access list defines what traffic will NOT be inspected.

If you want the NME to inspect all traffic, you should change the access-list to DENY all traffic.

So, change it into "access-list 100 deny ip any any" in order to inspect all traffic.

Thanks,

Stijn

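As an added illustration (not code from this thread, from Cisco or from the IOS documentation Matthew quotes), here is a small Python model of the monitoring-ACL semantics that Matthew and Stijn describe: a packet that matches a permit entry bypasses the sensor, and everything else, including anything that falls through to the implicit deny, is inspected. It assumes a simplified IOS extended-ACL syntax (addresses are "any" or "host X", an optional "eq PORT", no wildcard masks) and uses constructed sample packets; the three ACLs it evaluates are the one from the question, Stijn's corrected one, and the HTTP-bypass example from the quoted guide.

```python
# Added example: model of "ids-service-module monitoring inline access-list" semantics.
# Simplified IOS extended ACL: permit|deny <ip|tcp|udp|icmp> <src> [eq P] <dst> [eq P],
# where <src>/<dst> is "any" or "host A.B.C.D"; wildcard masks are not modelled (assumption).
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "ssh": 22}   # a few IOS port keywords
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

def _addr_and_port(t):  # consume 'any' | 'host X', then an optional 'eq PORT'
    if t[0] not in ("any", "host"):
        raise ValueError("unsupported address spec: " + t[0])
    addr, rest = ("any", t[1:]) if t[0] == "any" else (t[1], t[2:])
    port = None
    if rest and rest[0] == "eq":
        port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
    return addr, port, rest

def parse_acl(lines):
    acl = []  # entries are (action, proto, src, sport, dst, dport)
    for line in lines:
        t = line.split()
        if t[0] == "access-list":      # drop the leading 'access-list <number>'
            t = t[2:]
        src, sport, rest = _addr_and_port(t[2:])
        dst, dport, _ = _addr_and_port(rest)
        acl.append((t[0], t[1], src, sport, dst, dport))
    return acl

def acl_action(acl, p):
    for action, proto, src, sport, dst, dport in acl:
        if (proto in ("ip", p.proto) and src in ("any", p.src) and dst in ("any", p.dst)
                and sport in (None, p.sport) and dport in (None, p.dport)):
            return action              # first matching entry wins
    return "deny"                      # implicit deny at the end of every IOS ACL

def is_inspected(acl, p):
    # Monitoring-ACL semantics from the thread: a permit match BYPASSES the sensor.
    return acl_action(acl, p) == "deny"

# Constructed samples: the question's ACL, Stijn's fix, and the guide's HTTP bypass.
INSPECT_NOTHING = parse_acl(["access-list 100 permit ip any any"])
INSPECT_ALL = parse_acl(["access-list 100 deny ip any any"])
BYPASS_HTTP = parse_acl(["access-list 101 permit tcp any eq www any"])
HTTP_REPLY = Packet("tcp", "10.0.0.1", "172.16.2.9", sport=80, dport=51000)
SSH = Packet("tcp", "10.0.0.1", "172.16.2.9", sport=51001, dport=22)

def inspected_names(acl):
    # Names of the sample packets the sensor would actually see under this ACL.
    return [n for n, p in (("http", HTTP_REPLY), ("ssh", SSH)) if is_inspected(acl, p)]

if __name__ == "__main__":
    for name, acl in (("permit-any", INSPECT_NOTHING), ("deny-any", INSPECT_ALL), ("bypass-http", BYPASS_HTTP)):
        print(name, "inspects:", inspected_names(acl))
```

With "permit ip any any" nothing reaches the sensor, which is exactly the all-zero packet counters in the question; "deny ip any any" sends everything.
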
Cool, thanks Stijn

I should read better next time.

Regards

alex
