Skills Tested
Basic initialization of the Cisco Intrusion Prevention Sensor (IPS) appliance and verification of the management interface
An understanding of the different deployment modes available on the sensor, and how to configure sensor interfaces and attached switch ports to provide connectivity
The role of virtual sensors under the service analysis engine

Solution and Verification
This exercise focused on the fundamentals of initializing and deploying the Cisco IPS appliance.
Although these are basic tasks, any misconfiguration on the sensor or on the connected switch ports could disrupt traffic flows, because packets are silently black-holed rather than forwarded.
An important tool to verify whether packets are flowing through the sensor interfaces is the packet display interface command on the sensor console.
For all verification syntax that follows, required output appears in red.

Task 1: Initialize the Cisco IPS
Verify connectivity to the sensor via the Management0/0 interface from SW1. Recall that the username/password is ciscoips/123cisco123. If the access list is correctly applied, Telnet will be allowed only from VLAN101 (192.168.2.0/24) on SW1:
SW1# telnet 192.168.2.100
Trying 192.168.2.100 ... Open

login: ciscoips
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to [email protected].
***LICENSE NOTICE***
The license key on the IPS-4240 has expired.
The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
ips#
The access list does not permit Telnet from any other subnet, so the same connection sourced from VLAN102 is refused:
SW1# telnet 192.168.2.100 /source-interface vlan102
Trying 192.168.2.100 ...
Verification of the sensor mode configurations can be done by checking modes and status in the interface summary. Note that the management interface is not being used to sense traffic:
IPS# show interfaces brief
Task 2: Deploy the Cisco IPS Sensor in Inline VLAN Pair Mode
Verification of the Inline VLAN pair should show that Gig0/2 is up and sensing:
IPS# show interfaces brief
Drilling down into the GigabitEthernet0/2 interface will verify the VLAN assignment for the Inline VLAN Pair:
IPS# show interfaces gigabitEthernet0/2
MAC statistics from interface GigabitEthernet0/2
Statistics From Subinterface 1
Statistics From Vlan 50

Task 3: Deploy the Cisco IPS Sensor in Inline Interface Pair Mode
Verification of the Inline Interface pair should show Gig0/0 and Gig0/1 paired and enabled:
IPS# show interfaces brief
CC   Interface             Sensing State   Link   Inline Mode                                 Pair Status
     GigabitEthernet0/0    Enabled         Up     Paired with interface GigabitEthernet0/1    Up
*    Management0/0         Disabled        Up
     GigabitEthernet0/1    Enabled         Up     Paired with interface GigabitEthernet0/0    Up
     GigabitEthernet0/2    Enabled         Up     Inline-vlan-pair                            N/A
     GigabitEthernet0/3    Enabled         Up     Unpaired
Task 4: Deploy the Cisco IPS Sensor in Promiscuous Mode
Verification of the promiscuous mode interface should show Gig0/3 in a sensing state. When an interface is configured in promiscuous mode, the virtual sensor is associated with the physical interface operating as an IDS.
IPS# show interfaces brief
Verification of traffic flows through the sensor’s inline (IPS) modes can be performed by pinging between major subnets in the topology.
Test connectivity across the Inline Interface Pair and the Inline VLAN Pair as follows:
R6# ping 192.168.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R6# ping 10.50.40.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.40.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Verification of the sensor as an IDS (using promiscuous mode) will require traffic to be mirrored to interface GigabitEthernet0/3. In Q4.1, SPAN will be configured on SW2 to validate the IDS configuration.

Configuration

IPS
physical-interfaces GigabitEthernet0/0
admin-state enabled
---service analysis-engine
interface GigabitEthernet1/0/16
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50,70
 switchport mode trunk
!
interface GigabitEthernet1/0/17
 switchport access vlan 10
 switchport mode access

SW1
interface GigabitEthernet1/0/15
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/0/16
 switchport access vlan 60
 switchport mode access
!
interface GigabitEthernet1/0/17
 switchport access vlan 80
 switchport mode access

Tech Notes
The packet display command is a useful tool when you are verifying whether the sensor is seeing traffic on its interfaces as expected. In the preceding verification, pings are used to validate whether traffic can pass through the sensor. Without visual verification on the sensor, it is possible that the sensor itself, or the switch ports to which it is connected, are misconfigured such that traffic is not actually passing through the sensor at all, even though traffic is flowing in the network.
If ping commands are issued with packet display enabled for each interface, you should see the ping activity displayed on the IPS console.
R6# ping 192.168.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
The following is the output of the packet display command on the IPS sensor console:
02:07:43.923416 IP 10.50.80.6 > 192.168.2.5: ICMP echo request, id 29, seq 0, length 80
02:07:43.925547 IP 192.168.2.5 > 10.50.80.6: ICMP echo reply, id 29, seq 0, length 80
02:07:43.925909 IP 10.50.80.6 > 192.168.2.5: ICMP echo request, id 29, seq 1, length 80
02:07:43.926734 IP 192.168.2.5 > 10.50.80.6: ICMP echo reply, id 29, seq 1, length 80
02:07:43.927107 IP 10.50.80.6 > 192.168.2.5: ICMP echo request, id 29, seq 2, length 80
02:07:43.927831 IP 192.168.2.5 > 10.50.80.6: ICMP echo reply, id 29, seq 2, length 80
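As an added example (not part of the original lab text or the sensor software), the following Python script parses packet display output in the format shown above, pairs each ICMP echo request with its reply by (id, seq), and compares what the sensor saw with what the router's ping reported, so a successful ping whose packets never appear on the sensing interface is flagged as bypassing the sensor. The sample lines are constructed from the output above with the final reply deliberately left out.

```python
import re

# Constructed sample in the sensor's "packet display" (tcpdump-style) format:
# five of the six lines shown on the page, with the reply to seq 2 omitted.
SAMPLE = """\
02:07:43.923416 IP 10.50.80.6 > 192.168.2.5: ICMP echo request, id 29, seq 0, length 80
02:07:43.925547 IP 192.168.2.5 > 10.50.80.6: ICMP echo reply, id 29, seq 0, length 80
02:07:43.925909 IP 10.50.80.6 > 192.168.2.5: ICMP echo request, id 29, seq 1, length 80
02:07:43.926734 IP 192.168.2.5 > 10.50.80.6: ICMP echo reply, id 29, seq 1, length 80
02:07:43.927107 IP 10.50.80.6 > 192.168.2.5: ICMP echo request, id 29, seq 2, length 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<len>\d+)$"
)


def parse_packet_display(text):
    """Return one dict per ICMP echo line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("id", "seq", "len"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def echo_pairs(pkts, src, dst):
    """Match src->dst requests with dst->src replies by (id, seq)."""
    reqs = {(p["id"], p["seq"]) for p in pkts
            if p["kind"] == "request" and p["src"] == src and p["dst"] == dst}
    reps = {(p["id"], p["seq"]) for p in pkts
            if p["kind"] == "reply" and p["src"] == dst and p["dst"] == src}
    return sorted(reqs & reps), sorted(reqs - reps)


def verify_ping(text, src, dst, expected):
    """expected = number of echoes the router sent. A ping that succeeds on the
    router but is not fully seen here did not traverse the sensing interface."""
    answered, unanswered = echo_pairs(parse_packet_display(text), src, dst)
    seen = len(answered) + len(unanswered)
    return {"seen": seen, "answered": len(answered), "unanswered": unanswered,
            "through_sensor": seen == expected and not unanswered}


if __name__ == "__main__":
    print(verify_ping(SAMPLE, "10.50.80.6", "192.168.2.5", expected=5))
```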