Previous Page
Next Page

Overview of NM-CIDS on the Router

The IDS Network Module (NM-CIDS-K9) that may be installed in a Cisco 2600XM, 2691, 2800, 3660, or 3700 Series chassis can provide up to 45 MBps of full-featured intrusion protection services within the router. The NM-CIDS provides the ability to inspect all traffic traversing the router, to identify unauthorized or malicious activity such as hacker attacks, worms, or denial-of-service attacks, and to terminate this illegitimate traffic to suppress or contain threats. The NM-CIDS leverages the current Cisco IPS sensor technology to expand the IPS support into the branch office routers. Through collaboration with IPsec VPN and Generic Routing Encapsulation (GRE) traffic, this NM-CIDS can allow decryption, tunnel termination, and traffic inspection at the first point of entry into the networkan industry first. Only one NM-CIDS is supported in a given router, but it is not restricted to a specific NM-CIDS slot within the router. Figure 16-1 shows a typical NM-CIDS network setup.

Figure 16-1. NM-CIDS Network Setup


This section discusses the following items pertaining to NM-CIDS in details.

The sections that follow present details on these topics.

Software and Hardware Requirements

There are specific hardware and software requirements on the router to support NM-CIDS. You must be running one of the IOS versions to insert and use NM-CIDS:

  • Cisco IOS software version 12.2(15)ZJ or later

  • Cisco IOS software version 12.3(4)T or later

Note

You must be running IDS software version 4.1 or later on the NM-CIDS.


The few routers that support NM-CIDS are listed in Table 16-1.

Table 16-1. List of Supported/Unsupported Hardware Platforms (Routers)

Routers

NM-CIDS

Cisco 2600 series

No

Cisco 2600XM series

Yes

Cisco 2691

Yes

Cisco 3620

No

Cisco 3631

No

Cisco 3640, Cisco 3640A

No

Cisco 3660

Yes

Cisco 3725

Yes

Cisco 3745

Yes

2811, 2821 2851, 3825, and 3845

Yes


Front Panel Indicator Lights and How to Use Them

The NM-IDS has a status indicator and a Shutdown button. Locating different indicators and understanding their meaning is necessary for troubleshooting the hardware and for operational issues. Table 16-2 summarizes the purpose of different indicators that are on the front panel of the NM-CIDS.

Table 16-2. NM-IDS States as Indicated by the Status Indicator

Indicators

Description

ACT

There is activity on the fast Ethernet connection.

DISK

There is activity on the IDS hard drive.

EN

NM-CIDS has passed a self-test and is available to the router.

LINK

The Fast Ethernet connection is available to the NM-CIDS.

PWR

Power is available to the NM-CIDS.


Slot Assignment on the Router

The NM-CIDS can be inserted in any available slot on the router, if you have the supported hardware (router) and the IOS software version. Only one NM-CIDS is supported per chassis on the supported router.

Installing NM-CIDS Blade on the Router

You must install the NM-CIDS offline in Cisco 2650XM, 2651XM, and 2961 series routers. To avoid damaging the NM-CIDS, you must turn off electrical power and disconnect network cables before you insert the NM-CIDS into a chassis slot or remove the NM-CIDS from a chassis slot.

Cisco 3660 and Cisco 3700 series routers allow you to replace NM-CIDS without switching off the router or affecting the operation of other interfaces. Online insertion and removal (OIR) provides uninterrupted operation to network users, maintains routing information, and ensures session preservation.

Removing NM-CIDS Blade from the Router

The same rule for inserting the NM-CIDS into the router applies for removing the NM-CIDS. Additionally, you must shut down the NM-CIDS before removing it. This is because, unlike other network modules, the NM-CIDS uses a hard-disk drive. Online removal of hard-disk drives without proper shutdown can result in file system corruption and might render the hard-disk drive unusable. The operating system on the NM-CIDS must be shut down in an orderly fashion before it is removed. You can use service-module ids-sensor slot/0 shutdown command to shut the module down from the router.

Ports Supported on NM-CIDS

To understand the interfaces supported on the NM-CIDS, look at the high-level hardware architecture of NM-CIDS as depicted in Figure 16-2.

Figure 16-2. NM-CIDS Hardware Architecture


NM-CIDS uses three interfaces to perform the IDS/IPS functions of monitoring and Command and Control (see Figure 16-2) as follows:

  • Command and Control port There is one external Fast Ethernet interface on the NM-CIDS that can be used as the Command and Control port. This interface can be connected to a switch, to a hub, or directly to a workstation with IPS management software (for example, IPS MC). As this port is used for blocking, if you want to apply blocking on the same router in which the NM-CIDS is seated, you must ensure that this interface has connectivity with the router. Remember that even though NM-CIDS is seated in the same router (as an external host), this external interface on the NM-CIDS is external to the router.

  • Monitoring Interface An internal Fast Ethernet (FE) interface connects to the internal PCI bus on the router's backplane to provide monitoring capability. This internal FE interface provides a 100 Mbps full-duplex interface between the router and NM-CIDS. The IDS Network Module receives a copy of each packet that is to be inspected from the router's Peripheral Component Interconnect (PCI) bus to this internal Fast Ethernet interface. The packets are passed through the internal monitoring interface for classification and processing. The router-side interface for the internal Ethernet segment is known as "interface IDS-Sensor" in the Cisco IOS software. This is the only interface associated with the IPS that is visible in the output of the show interfaces command. The router-side internal interface is connected to the router PCI backplane. This interface is used for TCP reset.

  • Console Port Unlike standard IDS or IPS Appliance, the NM-CIDS does not have an external console port. The internal Universal Asynchronous Receiver/Transmitter (UART) interface is used to provide the console access. Console access to the NM-CIDS is enabled when you issue a service-module IDS-sensor <slot>/0 session command from the IOS command line interface (CLI), or when you initiate a Telnet connection as explained later in this document. The lack of an external console port means that the initial configuration of the Cisco IPS is possible only through the router.


Previous Page
Next Page