IPS VLAN Groups are a feature introduced in IPS 6.0. VLAN Group promiscuous mode requires the SPAN/mirror session to preserve the VLAN tags on mirrored frames, which cannot be done in GNS3 by default. VLAN Group inline mode is really just inline mode stacked with VLAN Groups: first configure an inline interface pair, then configure VLAN Groups on that inline interface pair to tell the IPS which VLANs are carried on it, and optionally send the traffic of different VLANs to different virtual sensors.
1. VLAN Group promiscuous mode:
The switch must be able to keep the VLAN tags when mirroring. The IPS can define multiple virtual sensors, each handling the traffic of a specific VLAN.
2. VLAN Group inline mode:
VLAN Group inline mode requires the switch port connected to the IPS sensor port to be a trunk, and a VLAN Group interface pair must be configured on the IPS.
A. Test topology:
B. Basic steps:
①R1:
interface f0/0
ip add 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.253
②SW1:
vlan database
vlan 2
vlan 3
exit
interface f0/2
sw mo ac
sw ac vlan 2
interface f0/3
sw mo ac
sw ac vlan 3
interface f0/15
sw tr en dot1q
sw mode trunk
int vlan 2
ip add 10.1.1.253 255.255.255.0
int vlan 3
ip add 20.1.1.253 255.255.255.0
③R2:
interface f0/0
ip add 20.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 20.1.1.253
④R3:
interface f0/0
ip add 10.1.1.3 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.254
⑤SW2:
vlan database
vlan 2
vlan 3
exit
interface f0/2
sw mo ac
sw ac vlan 2
interface f0/3
sw mo ac
sw ac vlan 3
interface f0/15
sw tr en dot1q
sw mode trunk
int vlan 2
ip add 10.1.1.254 255.255.255.0
int vlan 3
ip add 20.1.1.254 255.255.255.0
⑥R4:
interface f0/0
ip add 20.1.1.4 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 20.1.1.254
C. IPS 6 configuration:
① Create the interface pair:
② Create the VLAN Groups:
③ Assign the virtual sensors:
④ Tune the signature set:
⑤ Verification
R1#ping 10.1.1.3 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/21/316 ms
R1#
The following alert is generated:
evIdsAlert: eventId=1299862434698387899 vendor=Cisco severity=informational
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 397
time: 2013年5月28日 下午01时05分04秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 2
participants:
attacker:
addr: 10.1.1.3 locality=OUT
target:
addr: 10.1.1.1 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 35
interface: ge0_1
protocol: icmp
R1#ping 20.1.1.4 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 20.1.1.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/25/112 ms
R1#
The following alert is generated:
evIdsAlert: eventId=1299862434698387966 vendor=Cisco severity=informational
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 397
time: 2013年5月28日 下午01时06分37秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 2
participants:
attacker:
addr: 20.1.1.4 locality=OUT
target:
addr: 10.1.1.1 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 35
interface: ge0_1
protocol: icmp
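As an added illustration (not code from the original post or from Cisco), the following Python models how an inline VLAN Group hands 802.1Q-tagged frames to virtual sensors and checks an evIdsAlert dump's `vlan` / `interfaceGroup` fields against that mapping. The vs1-for-VLAN-3 assignment, the default "unassigned VLANs" sensor and the frame bytes are assumptions; the page only shows vs0 receiving VLAN 2 alerts.

```python
import struct

# Constructed model of the lab: VLAN Group -> virtual sensor assignment on the
# inline pair (hypothetical: only vs0 handling VLAN 2 is visible on the page).
VLAN_GROUPS = {"vs0": {2}, "vs1": {3}}
DEFAULT_SENSOR = "vs0"  # assumed "unassigned VLANs" group

def vlan_id_of(frame: bytes):
    """802.1Q VLAN ID of an Ethernet frame, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != 0x8100 or len(frame) < 18:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # low 12 bits; PCP/DEI are ignored for dispatch

def sensor_for(frame: bytes) -> str:
    """Virtual sensor that inspects this frame under the VLAN Group mapping."""
    vid = vlan_id_of(frame)
    for sensor, vlans in VLAN_GROUPS.items():
        if vid in vlans:
            return sensor
    return DEFAULT_SENSOR  # untagged or unlisted VLANs fall into the default group

def build_frame(vid=None, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed Ethernet frame, optionally 802.1Q-tagged with VLAN vid."""
    hdr = bytes.fromhex("000000000001") + bytes.fromhex("000000000002")
    if vid is None:
        return hdr + struct.pack("!H", 0x0800) + payload
    return hdr + struct.pack("!HHH", 0x8100, vid & 0x0FFF, 0x0800) + payload

def parse_alert(text: str) -> dict:
    """Pull VLAN / virtual-sensor attribution out of an evIdsAlert text dump."""
    fields, section = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key in ("attacker", "target"):
            section = key
        elif key == "addr" and section:
            fields[section] = val.split()[0]  # drop the locality=... suffix
        elif key in ("vlan", "interfaceGroup", "interface"):
            fields[key] = val
    return fields

def alert_matches_mapping(text: str) -> bool:
    """True when the sensor that raised the alert is the one assigned to its VLAN."""
    a = parse_alert(text)
    expected = next((s for s, v in VLAN_GROUPS.items() if int(a["vlan"]) in v), DEFAULT_SENSOR)
    return a["interfaceGroup"] == expected
```

Feeding the alerts from the verification step above into `alert_matches_mapping` confirms that the VLAN 2 echo replies were inspected by vs0, the sensor assigned to that VLAN Group.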
This article is reposted from 碧云天's 51CTO blog; original link: http://blog.51cto.com/333234/892612. Please contact the original author yourself if you wish to repost it.