1.测试拓扑:
2.基本配置:
R1:
R1#vlan database
R1(vlan)#vlan 30
VLAN 30 added:
Name: VLAN0030
R1(vlan)#vlan 40
VLAN 40 added:
Name: VLAN0040
R1(vlan)#exit
R1(config)#int f0/5
R1(config-if)#switchport mode access
R1(config-if)#switchport access vlan 40
R1(config)#int range fastEthernet 0/14 - 15
R1(config-if-range)#switchport mode trunk
R2:
R2#vlan database
R2(vlan)#vlan 30
VLAN 30 added:
Name: VLAN0030
R2(vlan)#vlan 40
VLAN 40 added:
Name: VLAN0040
R2(vlan)#exit
R2(config)#int f0/3
R2(config-if)#sw mode acc
R2(config-if)#sw acc vlan 30
R2(config-if)#int f0/4
R2(config-if)#sw mo acc
R2(config-if)#sw acc vlan 40
R2(config-if)#int f0/15
R2(config-if)#sw mode trunk
R3:
R3(config)#int f1/0
R3(config-if)#ip add 10.1.1.3 255.255.255.0
R3(config-if)#no sh
R4:
R4(config)#int f1/0
R4(config-if)#ip add 10.1.1.4 255.255.255.0
R4(config-if)#no sh
R5:
R5(config)#int f1/0
R5(config-if)#ip add 10.1.1.5 255.255.255.0
R5(config-if)#no sh
R5#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/34/72 ms
3.IPS配置:
A.激活监控接口:
B.创建VLAN Pair:
C.接口指派sensor:
4.效果测试:
A.R3能ping不同VLAN的R4、R5
R3#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/85/216 ms
R3#ping 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/45/92 ms
B.大量的ping操作会触发IPS事件:
R3#ping 10.1.1.4 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!
!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!
Success rate is 83 percent (83/100), round-trip min/avg/max = 12/57/416 ms
R3#
evIdsAlert: eventId=1185793501059155071 vendor=Cisco severity=informational
originator:
hostId: ips4215
appName: sensorApp
appInstanceId: 340
time: 2012年8月18日 下午05时07分35秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Request id=2004 version=S1
subsigId: 0
interfaceGroup:
vlan: 30
participants:
attacker:
addr: 10.1.1.3 locality=OUT
target:
addr: 10.1.1.4 locality=OUT
actions:
deniedAttackerServicePair: true
riskRatingValue: 25
interface: ge0_1
protocol: icmp
evIdsAlert: eventId=1185793501059155072 vendor=Cisco severity=informational
originator:
hostId: ips4215
appName: sensorApp
appInstanceId: 340
time: 2012年8月18日 下午05时07分37秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Reply id=2000 version=S1
subsigId: 0
interfaceGroup:
vlan: 40
participants:
attacker:
addr: 10.1.1.4 locality=OUT
target:
addr: 10.1.1.3 locality=OUT
riskRatingValue: 25
interface: ge0_1
protocol: icmp
本文转自 碧云天 51CTO博客,原文链接:http://blog.51cto.com/333234/966467,如需转载请自行联系原作者
