Monday, May 25, 2009

Cisco IPS/IDS

ISR Built-in NIPS config

Step 1 Specify the location of the SDF—Various SDFs can exist in the Cisco IOS
device, but only one can be referenced.

! step 1 – define the location of the SDF
Router(config)#ip ips sdf ?
builtin Use the built in signature definition file
location Location of the signature definition file

Step 2 Configure the failure parameter—This tells the Cisco IOS device what
to do if the signature microengine (SME) is not available to scan the traffic.

! step 2 – define the behavior if an SME fails
Router(config)#ip ips fail ?
closed Do not forward traffic of the failed module.
Router(config)#ip ips fail closed

Step 3 Create an IPS rule—This creates a name that is later applied to an interface.
The rule uses the SDF previously defined. Optionally, an access control list
(ACL) can be applied to restrict which traffic is scanned.

! step 3 – create an IPS rule, and optionally apply an ACL
Router(config)#ip ips name ?
WORD Name of IPS rule
Router(config)#ip ips name testips ?
list Specify an access list to match
Router(config)#ip ips name testips list 123

Step 4 Apply the IPS rule to an interface—Once the rule has been created, it must
be applied to an interface to become operational.

! step 4 – apply the IPS rule to an interface
Router(config)#interface fastethernet 0/0
Router(config-if)#ip ips testips ?
in Inbound IPS
out Outbound IPS
Router(config-if)#ip ips testips in
Router(config-if)#
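The four steps only work if they agree with each other: the rule must name an SDF that exists, `ip ips fail closed` must actually be present (the default is to pass traffic when the SME is unavailable), the ACL a rule references must be defined, and the name applied under the interface must be a rule that was created. As an added check (this script is not from the original post or from Cisco), the Python below parses a running-config fragment and reports any of those mismatches. The config fragment, the SDF filename, the ACL number and the rule names in it are constructed for the example.

```python
import re

# Constructed sample running-config fragment for the example (not taken from the
# page's router).  It holds one correct rule (testips with ACL 123) and one mistake:
# FastEthernet0/1 applies a rule name that was never created with "ip ips name".
SAMPLE_CONFIG = """\
ip ips sdf location flash://attack-drop.sdf
ip ips fail closed
ip ips name testips list 123
!
access-list 123 permit ip any 192.168.10.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ips testips in
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip ips missingrule out
!
"""


def parse_ips_config(config):
    """Collect the IPS-related statements of an IOS config into one dict."""
    state = {"sdf": None, "fail_closed": False, "rules": {}, "acls": set(), "applied": []}
    interface = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):           # unindented line: back at global level
            interface = None
        if m := re.match(r"^interface (\S+)$", line):
            interface = m.group(1)
        elif m := re.match(r"^ip ips sdf (builtin|location \S+)$", line):
            state["sdf"] = m.group(1)                       # step 1
        elif line == "ip ips fail closed":
            state["fail_closed"] = True                     # step 2
        elif m := re.match(r"^ip ips name (\S+)(?: list (\S+))?$", line):
            state["rules"][m.group(1)] = m.group(2)         # step 3; ACL may be None
        elif m := re.match(r"^(?:access-list (\S+) |ip access-list (?:standard|extended) (\S+)$)", line):
            state["acls"].add(m.group(1) or m.group(2))
        elif interface and (m := re.match(r"^ +ip ips (\S+) (in|out)$", line)):
            state["applied"].append((interface, m.group(1), m.group(2)))  # step 4
    return state


def audit_ips_config(config):
    """Return a list of findings; an empty list means the four steps fit together."""
    s = parse_ips_config(config)
    findings = []
    if s["sdf"] is None:
        findings.append("step 1: no 'ip ips sdf' statement, so no SDF is referenced")
    if not s["fail_closed"]:
        findings.append("step 2: 'ip ips fail closed' not set; traffic passes unscanned if the SME fails")
    for rule, acl in s["rules"].items():
        if acl is not None and acl not in s["acls"]:
            findings.append(f"step 3: rule {rule} references ACL {acl}, which is not defined")
    applied_rules = {rule for _, rule, _ in s["applied"]}
    for iface, rule, direction in s["applied"]:
        if rule not in s["rules"]:
            findings.append(f"step 4: {iface} applies {direction} rule {rule}, which does not exist")
    for rule in s["rules"]:
        if rule not in applied_rules:
            findings.append(f"step 4: rule {rule} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit_ips_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the undefined rule on FastEthernet0/1; delete the `ip ips fail closed` line and the step 2 finding appears first, which is the case worth catching because the router then silently fails open.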

Additional config

Wednesday, May 20, 2009

VPN Stateful

IPsec stateful failover uses two protocols for proper and continual operation: 
■ HSRP—Monitors both the inside and outside interfaces. If either goes down, the entire router 
is deemed unworthy and ownership of the IKE and IPsec SA processes is passed to the 
standby router. When this transition occurs, the standby router becomes the active HSRP 
router.
■ Stateful Switchover (SSO)—Shares the IKE and IPsec SA information between the active 
and backup routers. At any time, either router knows enough to be the active IPsec VPN 
router.

There are some limitations/restrictions: 
■ Both the active and standby devices must run an identical Cisco IOS release.
■ The active and standby devices must be connected via LAN ports, either directly or through 
a switch. WAN interfaces are not supported.
■ Both the inside and outside interfaces must be connected via LAN ports.
■ Only “box-to-box” failover is supported. Intrachassis (card-to-card) failover is not currently 
supported.
■ Load balancing is not supported. Only one device in a redundancy group can be active at any 
time.
■ IKE keepalive messages are not supported. DPD and periodic DPD are supported.
■ Stateful failover of Layer 2 Tunneling Protocol (L2TP) is not supported.
■ IPsec idle timers are not supported.

Router C:
crypto dynamic-map from-remote 10
 set transform-set trans1
 reverse-route
!
crypto map central-office 10 ipsec-isakmp dynamic from-remote
!
interface fastethernet 1/0
 ip address 172.20.1.1 255.255.255.0
 standby 1 ip 172.20.1.5
 standby 1 priority 150
 standby 1 preempt
 standby 1 name vpn-remote
 crypto map central-office redundancy vpn-remote stateful
!
redundancy inter-device
 scheme standby vpn-remote
!
ipc zone default
 association 1
  protocol sctp
   local-port 12321
    local-ip 10.20.1.1
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 20
   remote-port 12321
    remote-ip 10.20.1.2

Tuesday, May 12, 2009

MPLS VPN Overview

RD - Route Distinguisher - identifies which VRF instance a route belongs to. 64-bit value

RT - Route Target - lets several customers with different RDs interact. It defines which routes are imported into, or exported from, a zone with a different RD
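To make the two definitions concrete, here is an added Python example (not from the original post) that encodes an RD in the three 64-bit formats of RFC 4364 using the `ASN:nn` / `A.B.C.D:nn` text form IOS accepts for `rd`, builds the VPNv4 prefix (RD plus IPv4 prefix) that keeps overlapping customer addresses distinct, and then walks through RT export and import for a constructed set of VRFs: two customers that both use 10.1.1.0/24 under different RDs, and a shared-services VRF that imports both customers' RTs so they can reach it without seeing each other. It goes a little beyond the text by showing the wire encoding; the VRF names, RD and RT values and prefixes are all constructed for the example.

```python
import struct
import ipaddress

# ---- RD: the 64-bit value that makes a customer prefix unique inside the provider ----

def encode_rd(text):
    """Encode an RD written in IOS 'rd' syntax ('ASN:nn' or 'A.B.C.D:nn') as 8 bytes.

    RFC 4364 formats: 2-byte type + 6-byte value.  Type 0 = 2-byte ASN + 4-byte
    number, type 1 = IPv4 address + 2-byte number, type 2 = 4-byte ASN + 2-byte number.
    """
    admin, _, assigned = text.rpartition(":")
    number = int(assigned)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn <= 0xFFFF:
        return struct.pack("!HHI", 0, asn, number)
    return struct.pack("!HIH", 2, asn, number)


def decode_rd(raw):
    """Inverse of encode_rd: 8 bytes back to the IOS text form."""
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        _, asn, number = struct.unpack("!HHI", raw)
        return f"{asn}:{number}"
    if rd_type == 1:
        _, ip, number = struct.unpack("!H4sH", raw)
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    _, asn, number = struct.unpack("!HIH", raw)
    return f"{asn}:{number}"


def vpnv4_prefix(rd, prefix):
    """RD + IPv4 prefix = the 96-bit VPNv4 prefix MP-BGP carries (hex, bit length)."""
    net = ipaddress.IPv4Network(prefix)
    return (encode_rd(rd) + net.network_address.packed).hex(), 64 + net.prefixlen


# ---- RT: extended community that decides which VRFs import a VPNv4 route ----

# Constructed VRF definitions (what IOS "ip vrf", "rd" and "route-target" would hold).
# CustA and CustB are separate customers; Shared is a services VRF both can reach.
VRFS = {
    "CustA":  {"rd": "65000:1",  "export": {"65000:1"},  "import": {"65000:1", "65000:99"}},
    "CustB":  {"rd": "65000:2",  "export": {"65000:2"},  "import": {"65000:2", "65000:99"}},
    "Shared": {"rd": "65000:99", "export": {"65000:99"}, "import": {"65000:1", "65000:2", "65000:99"}},
}

# Constructed local routes.  CustA and CustB both use 10.1.1.0/24: that is allowed
# because the differing RD keeps the two VPNv4 routes distinct.
LOCAL_ROUTES = {
    "CustA":  ["10.1.1.0/24"],
    "CustB":  ["10.1.1.0/24"],
    "Shared": ["192.168.100.0/24"],
}


def export_routes(vrfs, local_routes):
    """Build the VPNv4 table: each local route gets its VRF's RD and export RTs."""
    table = []
    for vrf, prefixes in local_routes.items():
        for prefix in prefixes:
            table.append({"rd": vrfs[vrf]["rd"], "prefix": prefix,
                          "rts": set(vrfs[vrf]["export"]), "from": vrf})
    return table


def import_routes(vrf_name, vrfs, vpnv4_table):
    """A VRF accepts a VPNv4 route when any RT on the route is in its import list."""
    wanted = vrfs[vrf_name]["import"]
    return sorted((r["rd"], r["prefix"]) for r in vpnv4_table if r["rts"] & wanted)


if __name__ == "__main__":
    table = export_routes(VRFS, LOCAL_ROUTES)
    for name in VRFS:
        print(name, import_routes(name, VRFS, table))
```

The output shows the separation the RT gives: CustA ends up with its own 10.1.1.0/24 plus the shared 192.168.100.0/24 but never CustB's copy of 10.1.1.0/24, while Shared imports both customer routes, which stay distinct only because their RDs differ.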