Wednesday, 12 June 2024

What is MST (Multiple Spanning Tree, IEEE 802.1s)? What are MSTP regions? What is an MST instance? How to configure MSTP and tune or modify it?

 IEEE 802.1s Multiple Spanning Tree (MST), sometimes referred to as Multiple STP (MSTP), allows us to create multiple spanning trees inside a single network. Each spanning tree is called an instance, and each instance has its own root bridge and forwarding topology. An instance can be mapped to one or more VLANs. For example:

  • VLANs 10,20 and 30 are mapped in instance 1
  • VLANs 40,50 and 60 are mapped in instance 2

Now VLANs 10, 20 and 30 follow one set of paths on the same physical network, while VLANs 40, 50 and 60 follow a different set of paths, with their own root bridge and forwarding paths.

Multiple spanning tree is not like RPVST or PVST+, where each VLAN requires a separate instance. Take PVST+ as an example: with 50 VLANs configured there are 50 instances of spanning tree running, which consumes a lot of CPU and memory. MST needs only one set of STP messages for each MST instance, so MST is the solution where we can map different VLANs to one or more instances as required.

 

An MST region is a group of switches that together use MST in a consistent way. They run the same number of MST instances and map the same sets of VLANs onto these instances, among other things. The switches in an MST region must share the following configuration parameters:

 

  • Region name: the name of that particular region or group of MST switches.
  • Revision number: a number that indicates the version of the configuration.
  • VLAN-to-instance map: a table that assigns each VLAN to an instance.

A switch outside the MST region does not see inside the region; to the outside switch the whole region looks like one big switch.
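The three parameters above are exactly what a switch advertises to identify its region, except that the VLAN-to-instance map is not sent as a table: IEEE 802.1Q defines an HMAC-MD5 digest over the 4096-entry VLAN-to-MSTID table, computed with a fixed key, and neighbours compare name, revision and that digest. The following Python script is an added example (not code from the page) that computes the digest for the mapping used in this post, rebuilds the "Vlans mapped" ranges that show spanning-tree mst configuration prints, and shows that a single mistyped VLAN or revision number on one switch puts it in a different region. The key and the default digest are the standard's values; everything else is illustrative.

```python
import hashlib
import hmac

# Signature key that IEEE 802.1Q specifies for the MST configuration digest
# (HMAC-MD5 over the VLAN-to-MSTID table). Every MSTP implementation uses it.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Digest that results when every VLAN is left in instance 0 (no 'instance' lines).
DEFAULT_MAPPING_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"

# The mapping configured on the page: instance 1 vlan 10,20,30 / instance 2 vlan 40,50,60
PAGE_MAPPING = {1: [10, 20, 30], 2: [40, 50, 60]}


def build_vlan_table(instance_map):
    """Return the 4096-entry table (index = VLAN id, value = MSTID).
    VLANs not listed stay in MSTID 0, the IST/CIST. A VLAN may belong to one instance only."""
    table = [0] * 4096
    for mstid, vlans in instance_map.items():
        if not 0 <= mstid <= 4095:
            raise ValueError(f"MST instance {mstid} out of range")
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN {vlan} out of range")
            if table[vlan] != 0:
                raise ValueError(f"VLAN {vlan} already mapped to instance {table[vlan]}")
            table[vlan] = mstid
    return table


def mst_config_digest(instance_map):
    """HMAC-MD5 of the table serialised as 4096 big-endian 16-bit MSTIDs, as uppercase hex.
    This is the value 'show spanning-tree mst configuration digest' prints."""
    data = b"".join(mstid.to_bytes(2, "big") for mstid in build_vlan_table(instance_map))
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def region_identity(name, revision, instance_map):
    """The three values a switch advertises in its MST BPDU to identify its region."""
    return (name, revision, mst_config_digest(instance_map))


def same_region(a, b):
    """True when two (name, revision, mapping) tuples would form one MST region."""
    return region_identity(*a) == region_identity(*b)


def instance_vlans(instance_map, mstid):
    """VLANs that end up in a given instance, including the implicit members of instance 0."""
    table = build_vlan_table(instance_map)
    return [vlan for vlan in range(1, 4095) if table[vlan] == mstid]


def compress_vlan_list(vlans):
    """Render VLAN ids in the range form of 'show spanning-tree mst configuration', e.g. 1-9,11-19."""
    parts, vlans, i = [], sorted(vlans), 0
    while i < len(vlans):
        start = vlans[i]
        while i + 1 < len(vlans) and vlans[i + 1] == vlans[i] + 1:
            i += 1
        parts.append(str(start) if start == vlans[i] else f"{start}-{vlans[i]}")
        i += 1
    return ",".join(parts)


if __name__ == "__main__":
    print("MSTP rev 1 digest:", mst_config_digest(PAGE_MAPPING))
    print("instance 0 vlans :", compress_vlan_list(instance_vlans(PAGE_MAPPING, 0)))
    # One VLAN mistyped on a single switch (70 instead of 60) silently splits the region.
    typo = {1: [10, 20, 30], 2: [40, 50, 70]}
    print("same region?     :", same_region(("MSTP", 1, PAGE_MAPPING), ("MSTP", 1, typo)))
```

Because only the digest travels in the BPDU, a region split caused by a mapping typo is invisible in the name and revision fields; comparing the digest printed by show spanning-tree mst configuration digest on each switch is the quickest way to confirm that all four switches really formed one region.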

 

Multiple spanning tree (MST) instance

An MST instance is a logical entity that defines one spanning tree for multiple VLANs; the instance name is 32 bytes. MST instance numbers are in the range 0 – 4095, but different switch platforms support different ranges: for example, the Catalyst 2950 supports 0 – 15 and the Catalyst 3560 supports 0 – 4094. The important thing is that among the MST instances there is a special one, instance 0, also called the internal spanning tree (IST). Instance 0, the IST, exists by default. Instance 0 is the only instance that interacts with switches outside the MST region, and it provides a loop-free environment to the region.

Configuring MST requires pre-planning, because it is necessary to decide where the MST boundaries and the regions shall be placed.

MST allows us to tune the root bridge per instance, modify costs, and make a switch the primary or secondary root.

 Now let's see the configuration:

Topology:


Goal:

  • configure the trunks between switches on Ethernet 0/0-1 with DTP negotiation disabled (nonegotiate)
  • configure VTP domain MSTP and VTP version 2 to sync VLAN information
  • configure switch 1 and switch 3 as VTP servers and the rest of the switches as clients
  • configure VLANs 10,20,30,40,50,60 on any VTP server
  • configure multiple spanning tree on all the switches
  • configure VLANs 10, 20 and 30 in MST instance 1
  • configure VLANs 40, 50 and 60 in MST instance 2
  • configure region name MSTP and revision number 1
  • by default our switch 1 is the root bridge for all the VLANs
  • configure tuning for instance 1 so that the root bridge for VLANs 10, 20, 30 is switch 1, and for instance 2 switch 3 will be the root bridge.

Switch-1-(config)#interface range ethernet 0/0 - 1
Switch-1-(config-if-range)#switchport
Switch-1-(config-if-range)#switchport trunk encapsulation dot1q
Switch-1-(config-if-range)#switchport mode trunk
Switch-1-(config-if-range)#switchport nonegotiate
Switch-1-(config-if-range)#exit

*Jun 12 10:05:37.389: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:05:37.404: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-2-(config)#interface range ethernet 0/0 - 1
Switch-2-(config-if-range)#switchport
Switch-2-(config-if-range)#switchport trunk encapsulation dot1q
Switch-2-(config-if-range)#switchport mode trunk
Switch-2-(config-if-range)#switchport nonegotiate
Switch-2-(config-if-range)#exit

*Jun 12 10:07:56.489: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:07:56.521: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-3-(config)#interface range ethernet 0/0 - 1
Switch-3-(config-if-range)#switchport
Switch-3-(config-if-range)#switchport trunk encapsulation dot1q
Switch-3-(config-if-range)#switchport mode trunk
Switch-3-(config-if-range)#switchport nonegotiate
Switch-3-(config-if-range)#exit

*Jun 12 10:13:46.936: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:13:46.951: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-4-(config)#interface range ethernet 0/0 - 1
Switch-4-(config-if-range)#switchport
Switch-4-(config-if-range)#switchport trunk encapsulation dot1q
Switch-4-(config-if-range)#switchport mode trunk
Switch-4-(config-if-range)#switchport nonegotiate
Switch-4-(config-if-range)#exit
Switch-4-(config)#end
*Jun 12 10:16:12.123: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:16:12.139: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-1-(config)#vtp domain MSTP
Switch-1-(config)#vtp version 2
Switch-1-(config)#vtp mode server
Switch-1-(config)#exit

Switch-1-#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : MSTP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0100
Configuration last modified by 0.0.0.0 at 6-12-24 10:40:51
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 1
MD5 digest                        : 0x25 0xBA 0x4E 0x29 0x64 0xC6 0x11 0x76
                                    0xD4 0x1E 0xC2 0x6B 0x69 0xEB 0x26 0x7A


Switch-2-(config)#vtp domain MSTP
Switch-2-(config)#vtp version 2
Switch-2-(config)#vtp mode client
Switch-2-(config)#exit



Switch-3-(config)#vtp domain MSTP
Switch-3-(config)#vtp version 2
Switch-3-(config)#vtp mode client
Switch-3-(config)#exit

Switch-3-#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : MSTP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0300
Configuration last modified by 0.0.0.0 at 6-12-24 10:40:51

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 1
MD5 digest                        : 0x25 0xBA 0x4E 0x29 0x64 0xC6 0x11 0x76
                                    0xD4 0x1E 0xC2 0x6B 0x69 0xEB 0x26 0x7A


Switch-4-(config)#vtp domain MSTP
Switch-4-(config)#vtp version 2
Switch-4-(config)#vtp mode client
Switch-4-(config)#exit


Switch-1-(config)#vlan 10
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 20
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 30
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 40
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 50
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 60
Switch-1-(config-vlan)#exit

Switch-2-#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active
60   VLAN0060                         active

Switch-3-#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active
60   VLAN0060                         active

(as you can see by default switch 1 is the root for all VLANs)

Switch-1-#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg BKN*100       128.1    Shr *PVID_Inc
Et0/1               Desg BKN*100       128.2    Shr *PVID_Inc



Switch-1-(config)#spanning-tree mode mst
Switch-1-(config)#spanning-tree mst configuration
Switch-1-(config-mst)#revision 1
Switch-1-(config-mst)#name MSTP
Switch-1-(config-mst)#instance 1 vlan 10,20,30
Switch-1-(config-mst)#instance 2 vlan 40,50,60
Switch-1-(config-mst)#exit


Switch-1-#show spanning-tree mst configuration
Name      [MSTP]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-29,31-39,41-49,51-59,61-4094
1         10,20,30
2         40,50,60
-------------------------------------------------------------------------------





Switch-1-#show spanning-tree mst

##### MST0    vlans mapped:   1-9,11-19,21-29,31-39,41-49,51-59,61-4094
Bridge        address aabb.cc00.0100  priority      32768 (32768 sysid 0)
Root          this switch for the CIST
Operational   hello time 2 , forward delay 15, max age 20, txholdcount 6
Configured    hello time 2 , forward delay 15, max age 20, max hops    20

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      32769 (32768 sysid 1)
Root          this switch for MST1

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      32770 (32768 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr


Switch-2-(config)#spanning-tree mode mst
Switch-2-(config)#spanning-tree mst configuration
Switch-2-(config-mst)#revision 1
Switch-2-(config-mst)#name MSTP
Switch-2-(config-mst)#instance 1 vlan 10,20,30
Switch-2-(config-mst)#instance 2 vlan 40,50,60
Switch-2-(config-mst)#exit

Switch-3-(config)#spanning-tree mode mst
Switch-3-(config)#spanning-tree mst configuration
Switch-3-(config-mst)#revision 1
Switch-3-(config-mst)#name MSTP
Switch-3-(config-mst)#instance 1 vlan 10,20,30
Switch-3-(config-mst)#instance 2 vlan 40,50,60
Switch-3-(config-mst)#exit

Switch-4-(config)#spanning-tree mode mst
Switch-4-(config)#spanning-tree mst configuration
Switch-4-(config-mst)#revision 1
Switch-4-(config-mst)#name MSTP
Switch-4-(config-mst)#instance 1 vlan 10,20,30
Switch-4-(config-mst)#instance 2 vlan 40,50,60
Switch-4-(config-mst)#exit

Switch-1-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      32769 (32768 sysid 1)
Root          this switch for MST1

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-1-#show spanning-tree mst 2

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      32770 (32768 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr


Switch-1-(config)#spanning-tree mst 1 root primary
Switch-1-(config)#spanning-tree mst 2 root secondary
Switch-1-(config)#exit


Switch-1-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      24577 (24576 sysid 1)
Root          this switch for MST1
Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-1-#show spanning-tree mst 2
##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      28674 (28672 sysid 2)
Root          address aabb.cc00.0300  priority      2     (0 sysid 2)
            port    Et0/0           cost      4000000              rem hops 18
Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Root FWD 2000000   128.1    Shr
Et0/1                            Altn BLK 2000000   128.2    Shr

(as you can see in the above output, switch 1 is the root bridge for MST instance 1 but not for MST instance 2)

Switch-3-(config)#spanning-tree mst 2 root primary
Switch-3-(config)#spanning-tree mst 1 root secondary



Switch-3-#show spanning-tree mst 2

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0300  priority      2     (0 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-3-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0300  priority      28673 (28672 sysid 1)
Root          address aabb.cc00.0100  priority      24577 (24576 sysid 1)
            port    Et0/1           cost      4000000              rem hops 18

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Altn BLK 2000000   128.1    Shr
Et0/1                            Root FWD 2000000   128.2    Shr

(as you can see, switch 3 is the root bridge for MST instance 2 but not for instance 1)
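The priorities printed above (24577, 28674, 32769, "2 (0 sysid 2)") are easier to read once you see how the MST bridge ID is built: a 4-bit priority multiple of 4096, a 12-bit system-id extension that in MST is the instance number, and the 48-bit bridge MAC, with the numerically lowest ID winning each instance. The following Python script is an added example, not code from the page, that packs the bridge ID that way and elects the root for each instance from the priorities shown in the outputs above (switch 3 ends up at priority 0 on MST2 exactly as the page prints it). The Switch-1 and Switch-3 MACs are the Device IDs from the page's show vtp status; the Switch-2 and Switch-4 MACs are constructed for the example.

```python
# Priority values the Cisco root macros set, as seen in the page's show output
ROOT_PRIMARY = 24576     # 'spanning-tree mst N root primary'
ROOT_SECONDARY = 28672   # 'spanning-tree mst N root secondary'
DEFAULT_PRIORITY = 32768


def bridge_id(priority, mstid, mac):
    """Pack the 64-bit MST bridge identifier as an int.
    Top 4 bits: configured priority / 4096; next 12 bits: system-id extension, which in MST is
    the instance number; low 48 bits: the bridge MAC address (Cisco dotted-hex form)."""
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= mstid <= 4095:
        raise ValueError("MST instance must be between 0 and 4095")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return ((priority + mstid) << 48) | mac_int


def displayed_priority(priority, mstid):
    """The number 'show spanning-tree mst' prints: priority plus instance number,
    e.g. 24577 (24576 sysid 1) or 28674 (28672 sysid 2)."""
    return bridge_id(priority, mstid, "0000.0000.0000") >> 48


def elect_root(mstid, bridges):
    """bridges: {switch name: (priority, mac)}. The numerically lowest bridge ID wins,
    so priority decides first and the MAC address only breaks ties."""
    return min(bridges, key=lambda name: bridge_id(bridges[name][0], mstid, bridges[name][1]))


# Switch-1 and Switch-3 MACs are the Device IDs from the page's 'show vtp status';
# the Switch-2 and Switch-4 MACs are constructed for this example.
MACS = {"Switch-1": "aabb.cc00.0100", "Switch-2": "aabb.cc00.0200",
        "Switch-3": "aabb.cc00.0300", "Switch-4": "aabb.cc00.0400"}


def instance_bridges(priorities):
    """Bridge table for one instance; switches not listed keep the default priority."""
    return {name: (priorities.get(name, DEFAULT_PRIORITY), mac) for name, mac in MACS.items()}


BEFORE_TUNING = instance_bridges({})                                   # all switches at 32768
MST1_AFTER = instance_bridges({"Switch-1": ROOT_PRIMARY, "Switch-3": ROOT_SECONDARY})
MST2_AFTER = instance_bridges({"Switch-3": 0, "Switch-1": ROOT_SECONDARY})  # priority 0 as printed

if __name__ == "__main__":
    for label, mstid, bridges in [("default", 0, BEFORE_TUNING),
                                  ("MST1", 1, MST1_AFTER), ("MST2", 2, MST2_AFTER)]:
        root = elect_root(mstid, bridges)
        prio, mac = bridges[root]
        print(f"{label}: root is {root} ({mac}) priority "
              f"{displayed_priority(prio, mstid)} ({prio} sysid {mstid})")
```

With every switch at the default priority the election falls through to the MAC address, which is why switch 1 (the lowest MAC, aabb.cc00.0100) was root for everything before tuning; after the root primary/secondary commands the priority field decides and the MAC no longer matters.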

If you like this blog, please visit our YouTube channel https://www.youtube.com/@internetworkss

Tuesday, 11 June 2024

What are Cisco intrusion detection systems (IDS) and intrusion prevention systems (IPS)? | What is the difference between IPS and IDS? | How to configure Cisco intrusion prevention systems (IPS)? cyber security | intrusion prevention

 An intrusion prevention system (IPS) is a network security tool, also known as an intrusion detection and prevention system, which can be a hardware device or software. An IPS continuously monitors a network for malicious activity and takes action to prevent it when it occurs, including reporting, blocking, or dropping the traffic. An IPS is placed inline in the network traffic flow between the source and destination. It analyzes all traffic flows that enter the network and can detect or prevent network security attacks.




What do IPS and IDS sensors do?

An IPS/IDS sensor is a device that continuously monitors the traffic on the network and then, based on a set of rules, decides whether that traffic is okay or whether it is malicious in some way.


An intrusion prevention system (IPS) is placed directly inline with the flow of network traffic, and each packet goes through the IPS sensor on its way. If the IPS finds malicious traffic, it can drop the packet and deny it reaching the destination, based on the rules configured. This is the concept of an IPS. The IPS adds a small amount of delay before forwarding packets. Because the IPS is inline, it can manipulate traffic inline based on the current set of rules.

What is the inline sensor?

A sensor placed inline with the traffic means that whatever network traffic is going through the network is forced to enter one physical port on the sensor, and the sensor analyzes that traffic. Let's take a look at the inline topology.




The intrusion detection system also continuously monitors the network traffic, analyzes it, identifies malicious packets and generates alerts, but an IDS cannot prevent the attack by dropping packets, because it is an intrusion detection system, not a prevention system. The original packet is already on its way to the destination, so the IDS cannot drop it. An IDS is not inline with the flow of network traffic; it is sent copies of the original packets. An IPS adds a small amount of delay, but an IDS does not add any delay to the original network traffic. An IDS cannot manipulate any original inline traffic. Let's take a look at the IDS, which is not inline.



IPS/IDS sensor platform

We must use IPS/IDS sensors in our network to enhance network protection. Cisco has several IPS/IDS sensor platforms that enable us to implement network protection, as follows:

  • A dedicated IPS appliance
  • Software-based IPS running on the router (IOS IPS)
  • A module in an IOS router, such as AIM-IPS or NME-IPS
  • A blade for multilayer switches that works in the 6500 series
  • Cisco Firepower 7000/8000 series appliances
  • ASA with FirePOWER services


Malicious traffic on the network identification

IPS/IDS sensors can identify malicious packets in the network in many different ways based on the rules placed in the sensors; some rules are default and some we can create or modify. There are several different methods by which IPS/IDS sensors can be configured to identify malicious traffic:

  • Signature-based IPS/IDS
  • Policy-based IPS/IDS
  • Anomaly-based IPS/IDS
  • Reputation-based IPS/IDS

(in the next post we will look more deeply into these methods and actions)


Let's see how to configure the IOS Intrusion Prevention System (IPS)

Topology: configure IOS Intrusion Prevention System (IPS)




Goal: The task is to enable IPS on R1 to scan traffic entering the 192.168.10.0 network. The syslog server 192.168.10.20 is used to log IPS messages. From the PC in the red zone, attempting to ping the PC in the green zone should fail, and from the PC in the green zone, attempting to ping the PC in the red zone should pass.

  • Enable IOS IPS
  • Enable the security technology package
  • Verify network connectivity
  • Create an IOS IPS configuration directory in flash
  • Configure the IPS signature location
  • Create an IPS rule
  • Enable logging
  • Configure IOS IPS to use the signature categories
  • Apply the IPS rule to an interface
  • Modify the signature
  • Change the event action of the signature
  • Verify that IPS is working properly
  • From PC-redzone, attempting to ping PC-greenzone should fail
  • From PC-greenzone, attempting to ping PC-redzone should pass
  • View the syslog messages





Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#ip route 192.168.40.0 255.255.255.0 192.168.20.2
Router(config)#exit
 
Router2(config)#interface gigabitEthernet 0/1
Router2(config-if)#ip address 192.168.20.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#interface gigabitEthernet 0/0
Router2(config-if)#ip address 192.168.30.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Router2(config)#ip route 192.168.40.0 255.255.255.0 192.168.30.2
Router2(config)#exit
Router3(config)#interface gigabitEthernet 0/0
Router3(config-if)#ip address 192.168.30.2 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#interface gigabitEthernet 0/1
Router3(config-if)#ip address 192.168.40.1 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#ip route 192.168.10.0 255.255.255.0 192.168.30.1
Router3(config)#exit
 
 
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
 
Gateway of last resort is not set
 
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
 
 
 
 
 
 
 
 
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc2)
 
 
License Info:
 
License UDI:
 
-------------------------------------------------
Device#   PID              SN
-------------------------------------------------
*0        CISCO1941/K9     FTX1524UTQ7-
 
 
Technology Package License Information for Module:'c1900'
 
----------------------------------------------------------------
Technology    Technology-package                Technology-package
              Current            Type           Next reboot
-----------------------------------------------------------------
ipbase        ipbasek9           Permanent      ipbasek9
security      None               None           None
data          None               None           None
 
Configuration register is 0x2102
 
 
Router(config)#license boot module c1900 technology-package securityk9
 
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE
 
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot
 
Router(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C1900 Next reboot level = securityk9 and License = securityk9
 
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
 
Router#reload
Proceed with reload? [confirm]

Router#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir

Router(config)#ip ips config location flash:ipsdir

Router(config)#ip ips ?
  config                Location of IPS configuration files
  fail                  Specify what to do during any failures
  name                  Specify an IPS rule
  notify                Specify the notification mechanisms (SDEE or log) for the alarms
  signature-category    Signature Category
  signature-definition  Signature Definition

Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#service timestamps log datetime msec
Router(config)#logging host 192.168.10.20
Router(config)#ip ips signature-category


Router(config-ips-category)#?
  category  Category keyword
  exit      Exit from Category Mode
  no        Negate or set default values of a command

Router(config-ips-category)#category all
Router(config-ips-category-action)#?
  exit      Exit from Category Actions Mode
  no        Negate or set default values of a command
  retired   Retire Category Signatures

Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit
Router(config-ips-category)#category ?
  all      All Categories
  ios_ips  IOS IPS (more sub-categories

Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit

Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip ips iosips out
Router(config-if)#exit

*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDS_STARTED: 00:16:37 UTC Mar 01 1993
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*Mar 01, 00:16:37.1616: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console
*Mar 01, 00:16:53.1616: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.20 port 514 started - CLI initiated



Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enable true
Router(config-sigdef-sig-status)#exit

Router(config-sigdef-sig)#?
  engine  Engine
  exit    Exit from Signature Definition Mode
  status  Status

Router(config-sigdef-sig)#engine
Router(config-sigdef-sig-engine)#event-action ?
  deny-packet-inline  Deny Packet
  produce-alert       Produce Alert
Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit

Do you want to accept these changes? [confirm]

%IPS-6-ENGINE_BUILDS_STARTED:
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms




Router#show ip ips all

IPS Signature File Configuration Status
    Configured Config Locations: flash:ipsdir
    Last signature default load time:
    Last signature delta load time:
    Last event action (SEAP) load time: -none-

    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled

IPS Signature Status
    Total Active Signatures: 1
    Total Inactive Signatures: 0

IPS Packet Scanning and Interface Status
    IPS Rule Configuration
      IPS name iosips
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Interface Configuration
      Interface GigabitEthernet0/1
        Inbound IPS rule is not set
        Outgoing IPS rule is iosips

IPS Category CLI Configuration:
    Category all
        Retire: True
    Category ios_ips basic
        Retire: False

C:\>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::202:16FF:FE76:76AD
   IP Address......................: 192.168.10.10
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.10.1

Bluetooth Connection:

   Link-local IPv6 Address.........: ::
   IP Address......................: 0.0.0.0
   Subnet Mask.....................: 0.0.0.0
   Default Gateway.................: 0.0.0.0

C:\>ping 192.168.40.10

Pinging 192.168.40.10 with 32 bytes of data:

Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time=2ms TTL=125

Ping statistics for 192.168.40.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms


C:\>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::201:43FF:FEBA:6555
   IP Address......................: 192.168.40.10
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.40.1

Bluetooth Connection:

   Link-local IPv6 Address.........: ::
   IP Address......................: 0.0.0.0
   Subnet Mask.....................: 0.0.0.0
   Default Gateway.................: 0.0.0.0

C:\>ping 192.168.10.10

Pinging 192.168.10.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 192.168.10.10

Pinging 192.168.10.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>







Router#
*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:35.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:41.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:47.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:53.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
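Each denied echo request produces one %IPS-4-SIGNATURE line like those above, and once ip ips notify log and logging host are configured the same lines arrive at the syslog server, where they are only useful if something reads them. The following Python script is an added example, not code from the page, that parses these alert lines, counts hits per signature and flow, and singles out the sources that keep triggering the rule towards the protected 192.168.10.0/24 network. The first four sample lines are copied from the output above; the %SYS line, the alert from 192.168.40.11 and the junk line are constructed to show that unrelated and malformed input is ignored.

```python
import ipaddress
import re
from collections import Counter

# Alerts that 'ip ips notify log' sends to the syslog host, e.g.
# *Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
IPS_SIG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} \d{2}, [\d:.]+): %IPS-(?P<level>\d)-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"\[(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)\] RiskRating:(?P<risk>\d+)$"
)


def parse_ips_event(line):
    """Return a dict for one %IPS-4-SIGNATURE line, or None for anything else."""
    m = IPS_SIG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {"ts": g["ts"], "sig": int(g["sig"]), "subsig": int(g["subsig"]),
            "severity": int(g["sev"]), "risk": int(g["risk"]),
            "src": g["src"], "dst": g["dst"], "port": int(g["port"])}


def parse_ips_log(lines):
    """Keep only the lines that parse as IPS signature events."""
    return [event for event in map(parse_ips_event, lines) if event is not None]


def count_by_flow(events):
    """Number of hits per (sig, subsig, src, dst); on the page, one hit per denied echo request."""
    return Counter((e["sig"], e["subsig"], e["src"], e["dst"]) for e in events)


def events_into_network(events, protected_cidr):
    """Events whose destination lies inside the network the IPS rule protects."""
    net = ipaddress.ip_network(protected_cidr)
    return [e for e in events if ipaddress.ip_address(e["dst"]) in net]


def sources_over_threshold(events, min_hits):
    """Source addresses that triggered at least min_hits alerts, most active first."""
    hits = Counter(e["src"] for e in events)
    return [src for src, n in hits.most_common() if n >= min_hits]


# Constructed sample: four alert lines as printed on the page, one unrelated %SYS line,
# one constructed alert from a second host (192.168.40.11), and one junk line.
SAMPLE_LOG = [
    "*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 01, 00:30:12.3030: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.11 -> 192.168.10.10:0] RiskRating:25",
    "this line is not a syslog message at all",
]

if __name__ == "__main__":
    events = parse_ips_log(SAMPLE_LOG)
    for (sig, subsig, src, dst), n in count_by_flow(events).items():
        print(f"sig {sig}/{subsig} {src} -> {dst}: {n} hits")
    print("denied into 192.168.10.0/24:", len(events_into_network(events, "192.168.10.0/24")))
    print("sources with >= 4 hits:", sources_over_threshold(events, 4))
```

Because the rule is applied outbound on GigabitEthernet0/1 only, every alert has a destination in 192.168.10.0/24 and the green-to-red pings that passed never appear in the log; a sudden run of alerts from a single source is therefore the signal worth an alarm, while a lone hit is usually background noise.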









What is layer 3 etherchannel? How to configure layer 3 etherchannel?

EtherChannel technology allows us to bundle multiple physical links into one logical link. It is used to increase the bandwidth and provide ...