ISR Built-in NIPS config
Step 1 Specify the location of the SDF—Various SDFs can exist in the Cisco IOS
device, but only one can be referenced.
! step 1 – define the location of the SDF
Router(config)#ip ips sdf ?
builtin Use the built in signature definition file
location Location of the signature definition file
Step 2 Configure the failure parameter—This tells the Cisco IOS device what
to do if the signature microengine (SME) is not available to scan the traffic.
! step 2 – define the behavior if an SME fails
Router(config)#ip ips fail ?
closed Do not forward traffic of the failed module.
Router(config)#ip ips fail closed
Step 3 Create an IPS rule—This creates a name that is later applied to an interface.
The rule uses the SDF previously defined. Optionally, an access control list
(ACL) can be applied to restrict which traffic is scanned.
! step 3 – create an IPS rule, and optionally apply an ACL
Router(config)#ip ips name ?
WORD Name of IPS rule
Router(config)#ip ips name testips ?
list Specify an access list to match
Router(config)#ip ips name testips list 123
Step 4 Apply the IPS rule to an interface—Once the rule has been created, it must
be applied to an interface to become operational.
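An added example, not part of the original post: a Python check that audits a running-config for the four steps above (fail-closed set, rule defined, referenced ACL present, rule applied to an interface). The sample config is constructed; the interface name, address and ACL 123 contents are assumptions, and the step 4 line uses the IOS interface-mode command ip ips <rule-name> in.

```python
import re

# Constructed running-config excerpt (not from the original post). Interface
# name, address and ACL 123 contents are assumptions for illustration.
SAMPLE_CONFIG = """\
ip ips sdf builtin
ip ips fail closed
ip ips name testips list 123
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip ips testips in
!
access-list 123 permit ip any any
"""

def audit_ips(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings, rules, applied, acls = [], {}, {}, set()
    iface, fail_closed = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line: new global or interface context
            iface = line.split()[1] if line.startswith("interface ") else None
        if line == "ip ips fail closed":
            fail_closed = True
        elif m := re.fullmatch(r"ip ips name (\S+)(?: list (\S+))?", line):
            rules[m.group(1)] = m.group(2)  # rule name -> optional ACL
        elif m := re.fullmatch(r"(?:ip )?access-list (?:extended |standard )?(\S+).*", line):
            acls.add(m.group(1))
        elif iface and (m := re.fullmatch(r"ip ips (\S+) (in|out)", line)):
            applied.setdefault(m.group(1), []).append((iface, m.group(2)))
    if not fail_closed:
        findings.append("ip ips fail closed is not set")
    if not rules:
        findings.append("no IPS rule defined")
    for name, acl in rules.items():
        if acl and acl not in acls:
            findings.append(f"rule {name} references undefined ACL {acl}")
        if name not in applied:
            findings.append(f"rule {name} is not applied to any interface")
    for name in applied:
        if name not in rules:
            findings.append(f"interface references undefined IPS rule {name}")
    return findings

if __name__ == "__main__":
    print(audit_ips(SAMPLE_CONFIG))
```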