
IP Audit commands

Status
Not open for further replies.

mic3man

Technical User
Dec 5, 2002
US
Hello to all,

I just purchased a 1720, ISDN BRI, ver 12.1, that I'm redeploying into one of my customers' networks. I cleared the config and put in what was needed to get them up and running, but when I did a sh run I still got an "ip audit po max-events 100" in my running config. I "think" I've tried everything to clear this but no such luck. Any suggestions are greatly appreciated. Thanks.

 
I think you'll find that command is just a default one as part of the IOS.

As long as you don't have IP Auditing enabled (and aren't seeing an audit trail in your log, or on a term mon), you should be fine just to leave it.
 
cool, thanks!!!! I guess I just needed to hear it from somebody else.
 
mic3man,

The statement you're seeing is indicative of your 1720 w/IOS ver. 12.1 running an IOS Firewall Intrusion Detection System (IDS) platform. With IDS enabled, your router is basically telling the network that I am an IDS Sensor, I want to communicate to the IDS Director using the PostOffice protocol, and the size of my alarm queue is 100 alarms (default). Running IDS on a router is a thrifty (some say cheap) way of adding IDS protection without purcha$ing a Ci$co 4210 or 4230. If you are indeed an IDS Sensor and you have a CSPM, then there is nothing to worry about. However, if you are not a sensor "TURN THIS OFF." This can be done with the global command "no ip audit po max-events." A 1720 is not a very robust router. IDS on a router eats up memory (32k per alarm) and gobbles up CPU cycles inspecting each packet for various anomalies and intrusive signatures. IDS used in conjunction with access lists, normal routing, debugging, and various QoS parameters can very quickly bring a router to its knees. Hope this helps.
 
I did a global no ip audit po max-events, saved it, and it still showed up when doing a sh run. We tried everything we could think of to get it off of the running config but it would not die (i.e. cockroaches, Keith Richards). So back to my original question: was there anything special or any other suggestion of what needed to be done to have that removed or disabled? Any other suggestions? Thanks!!!!
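Added example (not posted by any participant in this thread): one way to check a saved running-config for whether IP audit is only present as global lines or is actually bound to an interface. It assumes the IOS Firewall IDS syntax `ip audit name <rule> ...` (global) and `ip audit <rule> in|out` (interface), and assumes packets are inspected only where a rule is applied to an interface; the sample configs and the rule name AUDIT.1 are constructed.

```python
import re

# Constructed sample running-configs (not taken from the thread).
GLOBALS = "ip audit notify log\nip audit po max-events 100\n"
IFACE = "!\ninterface FastEthernet0\n ip address 192.0.2.1 255.255.255.0\n"
DEFAULTS_ONLY = GLOBALS + IFACE
RULE_APPLIED = (GLOBALS + "ip audit name AUDIT.1 attack action alarm drop\n"
                + IFACE + " ip audit AUDIT.1 in\n")


def audit_status(config):
    """Separate global 'ip audit' lines from rules bound to interfaces."""
    global_lines, rules, applied = [], set(), {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            # A non-indented line starts a new top-level section.
            m = re.match(r"interface\s+(\S+)", line)
            iface = m.group(1) if m else None
        if not line.startswith("ip audit "):
            continue  # also skips "no ip audit ..." lines
        if iface is None:
            global_lines.append(line)
            m = re.match(r"ip audit name (\S+)", line)
            if m:
                rules.add(m.group(1))
        else:
            m = re.match(r"ip audit (\S+) (in|out)$", line)
            if m:
                applied.setdefault(iface, []).append((m.group(1), m.group(2)))
    return {
        "global": global_lines,      # queue size, notify method, rule definitions
        "rules": sorted(rules),      # audit rules that have been defined
        "applied": applied,          # interface -> [(rule, direction)]
        "inspecting": bool(applied), # assumption: no applied rule, no inspection
    }


if __name__ == "__main__":
    for name, cfg in (("defaults only", DEFAULTS_ONLY),
                      ("rule applied", RULE_APPLIED)):
        s = audit_status(cfg)
        state = "inspecting" if s["inspecting"] else "not inspecting"
        print(f"{name}: {state}; applied={s['applied']}")
```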
 