1.拓扑图:
参考: http://blog.sina.com.cn/s/blog_52ddfea30100haof.html
通过google搜索, https://supportforums.cisco.com/thread/2033247,sensor接口的MAC地址,可以用service帐号登录IPS,ifconfig -a获得,如下图所示:
2.基本配置:
R1:
interface FastEthernet0/0
ip address 10.1.13.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.13.3
R2:
interface FastEthernet0/0
ip address 10.1.23.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.23.3
R3:
interface FastEthernet0/0
ip address 10.1.13.3 255.255.255.0
no shut
interface FastEthernet0/1
ip address 10.1.23.3 255.255.255.0
no shut
3.路由器IP Traffic Export简单配置:
①创建流量导出配置文件:
ip traffic-export profile test
interface FastEthernet1/0
mac-address 000c.2920.d8d5 <这是IDS的MAC,一定是直连或者同一VLAN>
-------mac为接收流量的IPS的sensor接口的mac,可以通过service帐号登录IPS运行ifconfig -a命令获得。
②在需要导出流量的接口应用配置文件:
interface FastEthernet0/0
ip traffic-export apply test
4.IPS的配置:
A.确认g0/1接口已经enabled 
B.将g0/1关联到virtual sensor:
C.大量的ping可以在IPS上看到事件:
R1#ping 10.1.23.2 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/47/172 ms
R1#
evIdsAlert: eventId=1185793501059155079 vendor=Cisco severity=informational
originator:
hostId: ips4215
appName: sensorApp
appInstanceId: 340
time: 2012年8月19日 上午09时57分50秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Request id=2004 version=S1
subsigId: 0
interfaceGroup:
vlan: 0
participants:
attacker:
addr: 10.1.13.1 locality=OUT
target:
addr: 10.1.23.2 locality=OUT
actions:
denyAttackerServicePairRequestedNotPerformed: true
riskRatingValue: 25
interface: ge0_1
protocol: icmp
evIdsAlert: eventId=1185793501059155080 vendor=Cisco severity=medium
originator:
hostId: ips4215
appName: sensorApp
appInstanceId: 340
time: 2012年8月19日 上午09时57分51秒 offset=0 timeZone=UTC
signature: description=ICMP Flood id=2152 version=S1
subsigId: 0
interfaceGroup:
vlan: 0
participants:
attacker:
addr: 10.1.13.1 locality=OUT
target:
addr: 10.1.23.2 locality=OUT
riskRatingValue: 75
interface: ge0_1
protocol: icmp
4.路由器IP Traffic Export其他配置:
A.导出双向流量:
ip traffic-export profile test
interface FastEthernet1/0
bidirectional
mac-address 000c.2920.d8d5
B.流量过滤:
ip traffic-export profile test
interface FastEthernet1/0
bidirectional
incoming access-list incoming.acl
outgoing access-list outgoing.acl
mac-address 000c.2920.d8d5
B.流量采样:
ip traffic-export profile test
interface FastEthernet1/0
bidirectional
incoming access-list incoming.acl
outgoing access-list outgoing.acl
mac-address 000c.2920.d8d5
incoming sample one-in-every 2
outgoing sample one-in-every 3
本文转自 碧云天 51CTO博客,原文链接:http://blog.51cto.com/333234/966991,如需转载请自行联系原作者
