Configure IOS Intrusion Prevention System (IPS) using CLI
Posted: 2010-9-12 Comments: 0 Views: 6,443+
Instructor Version
Topology Diagram
Addressing Table
Device | Interface | IP Address | Subnet Mask | Default Gateway
R1 | FA0/0 | 192.168.1.1 | 255.255.255.0 | N/A
R1 | S0/0/0 | 10.1.1.1 | 255.255.255.0 | N/A
R2 | S0/0/0 (DCE) | 10.1.1.2 | 255.255.255.0 | N/A
R2 | S0/0/1 (DCE) | 10.2.2.1 | 255.255.255.0 | N/A
R3 | FA0/0 | 192.168.3.1 | 255.255.255.0 | N/A
R3 | S0/0/0 | 10.2.2.2 | 255.255.255.0 | N/A
Syslog Server | NIC | 192.168.1.50 | 255.255.255.0 | 192.168.1.1
PC-A | NIC | 192.168.1.2 | 255.255.255.0 | 192.168.1.1
PC-C | NIC | 192.168.3.2 | 255.255.255.0 | 192.168.3.1
Learning Objectives
Enable IOS IPS.
Configure logging.
Modify an IPS signature.
Verify IPS.
Introduction
Your task is to configure router R1 for IPS in order to scan traffic entering the
192.168.1.0 network.
The server labeled ‘Syslog Server’ is used to log IPS messages. You must configure the
router to identify the syslog server in order to receive logging messages. Displaying
the correct time and date in syslog messages is vital when using syslog to monitor the
network. Set the clock and configure timestamp service for logging on the routers.
Finally, enable IPS to produce an alert and drop ICMP echo reply packets inline.
The server and PCs have been preconfigured. The routers have also been preconfigured
with the following:
Enable password: ciscoenpa55
Console password: ciscoconpa55
VTY line password: ciscovtypa55
EIGRP 101
Task 1: Enable IOS IPS
Note: Within Packet Tracer, the routers already have the signature files imported and in
place. They are the default xml files in flash. For this reason, it is not necessary to
configure the public crypto key and complete a manual import of the signature files.
Step 1. Verify network connectivity.
Ping from PC-C to PC-A. The ping should be successful.
Ping from PC-A to PC-C. The ping should be successful.
Step 2. Create an IOS IPS configuration directory in flash.
On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.
R1#mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir
Step 3. Configure the IPS signature storage location.
On R1, configure the IPS signature storage location to be the directory you just
created.
R1(config)#ip ips config location flash:ipsdir
Step 4. Create an IPS rule.
On R1, create an IPS rule name using the ip ips name name command in global
configuration mode. Name the IPS rule iosips.
R1(config)# ip ips name iosips
Step 5. Enable logging.
IOS IPS supports the use of syslog to send event notification. Syslog notification is
enabled by default. If logging console is enabled, you see IPS syslog messages.
Enable syslog if it is not enabled.
R1(config)# ip ips notify log
Use the clock set command from privileged EXEC mode to reset the clock if necessary.
R1# clock set 01:20:00 6 january 2009
Verify that the timestamp service for logging is enabled on the router using the show
run command. Enable the timestamp service if it is not enabled.
R1(config)# service timestamps log datetime msec
Send log messages to the Syslog server at IP address 192.168.1.50.
R1(config)# logging host 192.168.1.50
Step 6. Configure IOS IPS to use the signature categories.
Retire the all signature category (every signature in the signature release) with the
retired true command, then unretire the ios_ips basic category with the retired false
command.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>
Step 7. Apply the IPS rule to an interface.
Apply the IPS rule to an interface with the ip ips name direction command in interface
configuration mode. Apply the rule outbound on the Fa0/0 interface of R1. After you
enable IPS, some log messages will be sent to the console line indicating that the IPS
engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface.
Similarly, out means only traffic going out the interface.
R1(config)# interface fa0/0
R1(config-if)# ip ips iosips out
Task 2: Modify the Signature
Step 1. Change the event-action of a signature.
Unretire the echo request signature (signature 2004, subsig ID 0), enable it, and change
its event-actions so that it produces an alert and drops the packet inline.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>
Step 2. Use show commands to verify IPS.
Use the show ip ips all command to see an IPS configuration status summary. To which
interfaces and in which direction is the iosips rule applied? Fa 0/0 outbound.
Step 3. Verify that IPS is working properly.
From PC-C, attempt to ping PC-A. Were the pings successful? Why or why not?
The pings should fail. This is because the IPS rule for event-action of an echo request
was set to “deny-packet-inline”.
From PC-A, attempt to ping PC-C. Were the pings successful? Why or why not?
The ping should be successful. This is because the IPS rule does not cover echo reply.
When PC-A pings PC-C, PC-C responds with an echo reply.
Step 4. View the Syslog messages.
Click on the Syslog server. Select the Config tab. In the left navigation menu, select
SYSLOG to view the log file.
Step 5. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and
verification of which required components have been completed.
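Once the signature fires, the syslog server collects the %IPS-4-SIGNATURE messages that Task 2 Step 4 asks you to view. The following added example (not part of the lab, and not Cisco's code) parses a constructed sample of such messages and checks the three things this lab cares about: that signature 2004/0 is firing, that every hit is headed for the protected 192.168.1.0/24 LAN behind R1 Fa0/0, and that each message carries the timestamp that "service timestamps log datetime msec" provides. The sample lines, the syslog PRI prefixes, and the RiskRating values are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of what the syslog server might receive after signature
# 2004/0 (ICMP Echo Request) is unretired with produce-alert and
# deny-packet-inline on R1 Fa0/0 outbound. The layout follows the IOS
# %IPS-4-SIGNATURE format; the last line is deliberately missing its timestamp
# to show what a router without "service timestamps log datetime msec" sends.
SAMPLE_LOG = """\
<188>Jan  6 01:21:10.120: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:8 -> 192.168.1.2:0] RiskRating:25
<188>Jan  6 01:21:11.124: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:8 -> 192.168.1.2:0] RiskRating:25
<189>Jan  6 01:21:12.000: %SYS-5-CONFIG_I: Configured from console by console
<188>%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:8 -> 192.168.1.2:0] RiskRating:25
"""

# Optional syslog PRI, optional IOS timestamp, then the IPS signature fields.
SIG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3})?:?\s*"
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
)

def parse_ips_events(log_text):
    """Return one dict per %IPS-4-SIGNATURE line; other syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SIG_RE.match(line)
        if m:
            ev = m.groupdict()          # "ts" is None when no timestamp was sent
            for key in ("sig", "subsig", "sev"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events

def check_lab_expectations(events, protected=ip_network("192.168.1.0/24")):
    """Summarise what the lab expects: 2004/0 firing, every hit destined for the
    protected LAN (the rule is outbound on Fa0/0, so only traffic leaving R1
    toward that LAN is inspected), and how many events lacked a timestamp."""
    hits = [e for e in events if (e["sig"], e["subsig"]) == (2004, 0)]
    return {
        "echo_request_hits": len(hits),
        "all_toward_protected": all(ip_address(e["dst"]) in protected for e in hits),
        "missing_timestamp": sum(1 for e in events if e["ts"] is None),
        "by_signature": dict(Counter(f"{e['sig']}/{e['subsig']}" for e in events)),
    }
```

A non-zero missing_timestamp count is the cue to revisit Task 1 Step 5, since undated IPS alerts cannot be correlated with anything else on the network.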