
IOS IPS 5.x with 128MB of RAM

Since IOS 12.4(11)T (and hence also in the long-awaited 12.4(15)T), Cisco has been using the version 5.x format for IPS signature files. There's some Cisco documentation about it here:

If your router (e.g. an 877) only has 128MB of RAM, be careful when you configure this. Previously you chose between the 128MB.sdf and 256MB.sdf signature files; now there is just one signature package (named something like IOS-S292-CLI.pkg). Most importantly, when you configure the ip ips signature-category section, make sure you only enable the basic set of ios_ips signatures. If you use anything larger (e.g. category ios_ips on its own, or category ios_ips advanced), your router will quite probably run out of memory while compiling the signatures. Here's a starter config that works for me:

! directory where the compiled signature files are stored (must already exist)
ip ips config location flash:/ips/
! retire every category first, then un-retire only the basic ios_ips set;
! retired categories are never compiled, so this is what keeps memory use down
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false

...and then go forth and define IPS names and apply them to interfaces. Categories that are "retired" don't get compiled, which is why you need to do this before you load the signature package with copy somewhere:/IOS-S292-CLI.pkg idconf. By default, signatures only raise alarms (produce-alert), so you'll probably want to look into applying an event-action to either individual signatures or the whole category.
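Putting the steps above together, here is an added example of the full sequence on a 128MB box. It is not from the original post; it assumes Cisco's signature-signing public key (realm-cisco.pub) has already been installed, that Dialer0 is the outside interface, and the IPS rule name MYIPS and the package filename are illustrative. Tuning signature 2004 0 (ICMP Echo Request) is shown only to illustrate per-signature overrides.

```cisco
! Added example, not the original post's config. Assumes realm-cisco.pub is
! already loaded and Dialer0 is the WAN interface (both assumptions).
!
! 1. Directory for the compiled signature files (create it first: mkdir flash:/ips)
ip ips config location flash:/ips/ retries 1
!
! 2. Send alerts to syslog (SDEE is optional and needs the HTTP server enabled)
ip ips notify log
!
! 3. Name the IPS rule that will be applied to interfaces
ip ips name MYIPS
!
! 4. Retire everything, then un-retire only the basic set and make it drop
!    packets inline rather than just alerting (the default is produce-alert only)
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
  event-action produce-alert deny-packet-inline
!
! 5. Per-signature override without touching the rest of the category:
!    retire the noisy ICMP Echo Request signature (illustrative choice)
ip ips signature-definition
 signature 2004 0
  status
   retired true
!
! 6. Apply the rule inbound on the WAN interface
interface Dialer0
 ip ips MYIPS in
!
! 7. Only now load the signature package (exec mode). Retired categories are
!    skipped at compile time, so the order matters on a 128MB router.
copy flash:/IOS-S292-CLI.pkg idconf
!
! 8. Verify what was compiled and how much memory is left (exec mode)
show ip ips signatures count
show ip ips configuration
show memory statistics
```

If the signature count under "show ip ips signatures count" shows far more than the basic set compiled, the category block was applied after the package was loaded; fix the category settings and re-run the copy ... idconf step.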

On my 128MB 877 configured like this, about 55MB of memory is in use once it's up and running. Meanwhile, another 877 with 256MB of RAM using the full category ios_ips set of signatures (i.e. without the basic qualifier) ends up using about 160MB of RAM. Ouch.

(update: there's a bit more info in the Cisco IOS IPS Deployment Guide, too.)

* 15:09 * geek · comments (0)
