Thursday, 13 June 2024

What is AAA Authentication, Authorization, and Accounting? What is ACS server? Cyber security

What is AAA (Authentication, Authorization, and Accounting)?


Authentication, Authorization, and Accounting (AAA) is a standards-based framework that provides a set of security services. AAA authentication decides which user, device or computer is permitted to use the network resources; AAA authorization decides what they are allowed to do, for example use the internet or access the CLI with Telnet or SSH; and AAA accounting captures information about that particular user, such as the time and date and the actions the user performed while accessing the network. The combined AAA process is essential for network security: it ensures that only authorized users can access network resources, and it records the actions users perform in the network.





Authentication

Authentication is the process by which AAA identifies the user. A user who wants permission to use a network resource is asked for credentials such as a username and password, a USB key, or a fingerprint. The AAA system then verifies these credentials against a database. If the credentials the user provides match those in the AAA database, the user is authenticated; if they do not match, the user cannot use the network resources. You can use the local database on a router or a switch for AAA authentication, but for big organizations you must use an external server such as the ACS server. Authentication is a must for network access or device access.


Authorization

Once a user has gained access through the authentication process, AAA authorization determines which resources that particular user is allowed to access and which actions the user can perform. For example, if a junior network engineer on the IT team wants to access the router and change some routing configuration, but should not have access to all of these resources, the administrator can create a view and allow only show commands and ping commands in that view. The junior network engineer is then authorized to perform only show and ping commands. The administrator chooses the authorization method, that is, how the user is authorized for network resources: through the local database or through the ACS server.





Accounting

AAA accounting monitors and captures user activity, while the user is logged in to the network. Accounting collects information on how long the user is active in the network, the data the user sends or receives, the IP address, the URI they used, and the different services the user accessed. Accounting is very useful for analyzing user activity.


AAA implementation

AAA can be implemented using the local database on devices such as routers or switches, or with an external server such as an ACS (Access Control Server). If you have a small number of devices you can use the local database on the router, but in a big organization use an external server such as ACS.

Let’s take the overview of both methods: 

Local database


We can implement an AAA local database on a router or a switch. We create a user account for each user, then configure AAA authorization to assign a privilege level to each user, which defines what the user is authorized to do and which commands the user can execute on the device. After that we configure AAA accounting on the device to log user activities such as login time and the commands users execute.


ACS Server

An external ACS server is the most common method used for AAA implementation in the network. First, authentication: a user or a device such as a printer sends an authentication request to the ACS server, which holds the user credentials and compares the request against its database. Second, authorization: the ACS server provides information about the network and which resources the user can access. Third, accounting: the ACS server records user actions and generates reports.


Types of AAA Protocols

 
  • Remote authentication dial-in user service (RADIUS)
  • Terminal access controller access-control system plus (TACACS+)
  • Diameter
(in the next blog we will see AAA protocols and the ACS server)

Let's see the configuration of the AAA local database:

Topology:


 

Goal:

  • configure the IP addresses as per the topology
  • ensure the reachability between the PC and router
  • configure AAA authentication with local database
  • configure AAA authentication list name (internet)
  • configure login authentication on console and line vty
  • verify the authentication from PC
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 10.1.1.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#username admin password admin
 
Router(config)#aaa new-model
Router(config)#aaa authentication login internet local
Router(config)#line console 0
Router(config-line)#login authentication internet
Router(config-line)#exit
 
Router(config)#line vty 0 4
Router(config-line)#login authentication internet
Router(config-line)#exit
Router(config)#end
Router#exit
 
Router con0 is now available
 

 


User Access Verification
 
Username: admin
Password:
Router>enable
Router#show aaa sessions
Total sessions since last reload: 3
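As an added example (not code from the post), a small Python model of the local-database configuration above: the named login method list `internet` with its `local` method, IOS-style fallback semantics (only an ERROR from a method moves on to the next one; a FAIL stops the search), privilege-level command authorization like the show-and-ping-only view described in the authorization section, and accounting records. The `junior` user, the `remote` method list and the TACACS+ stand-ins are constructed for the example; `admin`/`admin` is the account from the post's config.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # the three answers an AAA method can give


def _digest(password: str, salt: bytes) -> bytes:
    # Stand-in for a hashed local credential: store a salted hash, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalUser:
    salt: bytes
    digest: bytes
    privilege: int = 1   # a new IOS local user lands at privilege level 1


@dataclass
class LocalAAA:
    users: dict = field(default_factory=dict)
    method_lists: dict = field(default_factory=dict)   # list name -> ordered methods
    accounting: list = field(default_factory=list)     # accounting records, oldest first
    # Constructed per-privilege command sets: level 1 is the "show and ping only" view
    # from the authorization section, level 15 may run anything.
    command_sets = {1: {"show", "ping", "enable", "exit"}, 15: {"*"}}

    def username(self, name: str, password: str, privilege: int = 1) -> None:
        salt = os.urandom(16)
        self.users[name] = LocalUser(salt, _digest(password, salt), privilege)

    def authentication_login(self, list_name: str, *methods: str) -> None:
        # Equivalent of 'aaa authentication login <list_name> <method> ...'
        self.method_lists[list_name] = list(methods)

    def _local(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.digest, _digest(password, user.salt)):
            return FAIL
        return PASS

    def authenticate(self, list_name: str, username: str, password: str, servers=None) -> bool:
        """Walk the method list the way IOS does: a PASS or FAIL ends the search;
        only ERROR (server unreachable) moves on to the next method."""
        servers = servers or {}   # constructed: group name -> callable, None = unreachable
        for method in self.method_lists[list_name]:
            if method == "local":
                result = self._local(username, password)
            elif method == "none":
                result = PASS
            elif method.startswith("group "):          # e.g. 'group tacacs+'
                server = servers.get(method.split()[1])
                result = ERROR if server is None else server(username, password)
            else:
                raise ValueError(f"unknown method {method!r}")
            if result != ERROR:
                self._record("login", username, result, method=method)
                return result == PASS
        # Every method answered ERROR: the login is refused.
        self._record("login", username, FAIL, method="none-reachable")
        return False

    def authorize(self, username: str, command: str) -> bool:
        """Command authorization against the user's privilege level."""
        allowed = self.command_sets.get(self.users[username].privilege, set())
        ok = "*" in allowed or command.split()[0] in allowed
        self._record("command", username, PASS if ok else FAIL, command=command)
        return ok

    def _record(self, kind: str, username: str, result: str, **extra) -> None:
        # Accounting: who did what, when, and with which outcome.
        self.accounting.append({"time": datetime.now(timezone.utc).isoformat(),
                                "type": kind, "user": username, "result": result, **extra})


def demo():
    aaa = LocalAAA()
    aaa.username("admin", "admin", privilege=15)            # the account from the post's config
    aaa.username("junior", "Tr4ining-only!", privilege=1)   # constructed junior engineer
    aaa.authentication_login("internet", "local")           # aaa authentication login internet local
    aaa.authentication_login("remote", "group tacacs+", "local")   # constructed server-then-local list
    results = {
        "admin_ok": aaa.authenticate("internet", "admin", "admin"),
        "admin_bad": aaa.authenticate("internet", "admin", "wrong"),
        # server unreachable -> ERROR -> IOS falls back to the local database
        "fallback": aaa.authenticate("remote", "admin", "admin", servers={"tacacs+": None}),
        # server reachable and rejecting -> FAIL -> no fallback, even with a good local password
        "no_fallback": aaa.authenticate("remote", "admin", "admin",
                                        servers={"tacacs+": lambda u, p: FAIL}),
        "junior_show": aaa.authorize("junior", "show ip interface brief"),
        "junior_conf": aaa.authorize("junior", "configure terminal"),
    }
    return aaa, results
```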

 



(IF YOU LIKE THIS BLOG PLEASE VISIT OUR YOUTUBE CHANNEL https://www.youtube.com/@internetworkss)

Wednesday, 12 June 2024

What is MST (Multiple Spanning Tree, IEEE 802.1s)? What are MSTP regions? What is an MST instance? How to configure MSTP and tune or modify it?

IEEE 802.1s Multiple Spanning Tree (MST) is sometimes referred to as Multiple STP (MSTP). MST allows us to create multiple spanning trees inside a single network. Each spanning tree is called an instance, and each instance has its own root bridge and forwarding topology. An instance can be mapped to one or more VLANs. For example:

  • VLANs 10,20 and 30 are mapped in instance 1
  • VLANs 40,50 and 60 are mapped in instance 2

Now VLANs 10, 20 and 30 follow one set of paths on the same physical network, while VLANs 40, 50 and 60 follow a different set of paths, with their own root bridge and forwarding paths.

Multiple Spanning Tree is not like Rapid PVST+ or PVST+, where each VLAN requires a separate instance. Take PVST+ as an example: when we have 50 VLANs configured, 50 instances of spanning tree are running, and this consumes a lot of CPU and memory. MST needs only one set of STP messages for each MST instance. MST is the solution where we can map different VLANs to one or more instances as required.

 

An MST region is a group of switches that use MST together in a consistent way: they run the same number of MST instances and map the same sets of VLANs onto those instances, among other things. The switches in an MST region must share the following configuration parameters:

 

  • Region name: the name of that particular region or group of MST switches.
  • Revision number: a number that indicates the version of the configuration.
  • VLAN-to-instance map: a table assigning each VLAN to an instance.

A switch outside the MST region does not see the topology inside the region; to the outside switch, the whole region looks like one big switch it is communicating with.

 

Multiple spanning tree (MST) instance

An MST instance is a logical entity that defines one spanning tree for multiple VLANs; the instance name is 32 bytes. The MST instance number is in the range 0 – 4095, but different switch platforms support different ranges: for example, the Catalyst 2950 supports 0 – 15 and the Catalyst 3560 supports 0 – 4094. The important point is that among the MST instances there is a special one, instance 0, also called the Internal Spanning Tree (IST). Instance 0, the IST, exists by default. Instance 0 is the only instance that interacts with switches outside the MST region, and it provides a loop-free environment to the region.

Configuring MST requires pre-planning, because it is necessary to decide where the MST boundaries and the regions will be placed.

MST allows us to tune the root bridge per instance, for example by modifying costs or by making a switch the primary or secondary root.

Now let's see the configuration:

Topology:


Goal:

  • configure the trunks between the switches (ethernet 0/0-1) with DTP negotiation disabled (switchport nonegotiate)
  • configure VTP domain MSTP and VTP version 2 to synchronize VLAN information
  • configure switch 1 and switch 3 as VTP servers and the rest of the switches as clients
  • configure VLANs 10,20,30,40,50,60 on any VTP server
  • configure Multiple Spanning Tree on all the switches
  • configure VLANs 10, 20 and 30 in MST instance 1
  • configure VLANs 40, 50 and 60 in MST instance 2
  • configure region name MSTP and revision number 1
  • by default our switch 1 is the root bridge for all the VLANs
  • configure tuning for instance 1 so that switch 1 is the root bridge for VLANs 10, 20 and 30, and for instance 2 so that switch 3 is the root bridge
Switch-1-(config)#interface range ethernet 0/0 - 1
Switch-1-(config-if-range)#switchport
Switch-1-(config-if-range)#switchport trunk encapsulation dot1q
Switch-1-(config-if-range)#switchport mode trunk
Switch-1-(config-if-range)#switchport nonegotiate
Switch-1-(config-if-range)#exit

*Jun 12 10:05:37.389: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:05:37.404: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-2-(config)#interface range ethernet 0/0 - 1
Switch-2-(config-if-range)#switchport
Switch-2-(config-if-range)#switchport trunk encapsulation dot1q
Switch-2-(config-if-range)#switchport mode trunk
Switch-2-(config-if-range)#switchport nonegotiate
Switch-2-(config-if-range)#exit

*Jun 12 10:07:56.489: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:07:56.521: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-3-(config)#interface range ethernet 0/0 - 1
Switch-3-(config-if-range)#switchport
Switch-3-(config-if-range)#switchport trunk encapsulation dot1q
Switch-3-(config-if-range)#switchport mode trunk
Switch-3-(config-if-range)#switchport nonegotiate
Switch-3-(config-if-range)#exit

*Jun 12 10:13:46.936: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:13:46.951: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-4-(config)#interface range ethernet 0/0 - 1
Switch-4-(config-if-range)#switchport
Switch-4-(config-if-range)#switchport trunk encapsulation dot1q
Switch-4-(config-if-range)#switchport mode trunk
Switch-4-(config-if-range)#switchport nonegotiate
Switch-4-(config-if-range)#exit
Switch-4-(config)#end
*Jun 12 10:16:12.123: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Jun 12 10:16:12.139: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up

Switch-1-(config)#vtp domain MSTP
Switch-1-(config)#vtp version 2
Switch-1-(config)#vtp mode server
Switch-1-(config)#exit

Switch-1-#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : MSTP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0100
Configuration last modified by 0.0.0.0 at 6-12-24 10:40:51
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 1
MD5 digest                        : 0x25 0xBA 0x4E 0x29 0x64 0xC6 0x11 0x76
                                    0xD4 0x1E 0xC2 0x6B 0x69 0xEB 0x26 0x7A


Switch-2-(config)#vtp domain MSTP
Switch-2-(config)#vtp version 2
Switch-2-(config)#vtp mode client
Switch-2-(config)#exit



Switch-3-(config)#vtp domain MSTP
Switch-3-(config)#vtp version 2
Switch-3-(config)#vtp mode client
Switch-3-(config)#exit

Switch-3-#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : MSTP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0300
Configuration last modified by 0.0.0.0 at 6-12-24 10:40:51

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 1
MD5 digest                        : 0x25 0xBA 0x4E 0x29 0x64 0xC6 0x11 0x76
                                    0xD4 0x1E 0xC2 0x6B 0x69 0xEB 0x26 0x7A


Switch-4-(config)#vtp domain MSTP
Switch-4-(config)#vtp version 2
Switch-4-(config)#vtp mode client
Switch-4-(config)#exit


Switch-1-(config)#vlan 10
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 20
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 30
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 40
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 50
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 60
Switch-1-(config-vlan)#exit

Switch-2-#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active
60   VLAN0060                         active

Switch-3-#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
50   VLAN0050                         active
60   VLAN0060                         active

(as you can see, by default switch 1 is the root for all VLANs)

Switch-1-#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg BKN*100       128.1    Shr *PVID_Inc
Et0/1               Desg BKN*100       128.2    Shr *PVID_Inc



Switch-1-(config)#spanning-tree mode mst
Switch-1-(config)#spanning-tree mst configuration
Switch-1-(config-mst)#revision 1
Switch-1-(config-mst)#name MSTP
Switch-1-(config-mst)#instance 1 vlan 10,20,30
Switch-1-(config-mst)#instance 2 vlan 40,50,60
Switch-1-(config-mst)#exit


Switch-1-#show spanning-tree mst configuration
Name      [MSTP]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-29,31-39,41-49,51-59,61-4094
1         10,20,30
2         40,50,60
-------------------------------------------------------------------------------





Switch-1-#show spanning-tree mst

##### MST0    vlans mapped:   1-9,11-19,21-29,31-39,41-49,51-59,61-4094
Bridge        address aabb.cc00.0100  priority      32768 (32768 sysid 0)
Root          this switch for the CIST
Operational   hello time 2 , forward delay 15, max age 20, txholdcount 6
Configured    hello time 2 , forward delay 15, max age 20, max hops    20

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      32769 (32768 sysid 1)
Root          this switch for MST1

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      32770 (32768 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr


Switch-2-(config)#spanning-tree mode mst
Switch-2-(config)#spanning-tree mst configuration
Switch-2-(config-mst)#revision 1
Switch-2-(config-mst)#name MSTP
Switch-2-(config-mst)#instance 1 vlan 10,20,30
Switch-2-(config-mst)#instance 2 vlan 40,50,60
Switch-2-(config-mst)#exit

Switch-3-(config)#spanning-tree mode mst
Switch-3-(config)#spanning-tree mst configuration
Switch-3-(config-mst)#revision 1
Switch-3-(config-mst)#name MSTP
Switch-3-(config-mst)#instance 1 vlan 10,20,30
Switch-3-(config-mst)#instance 2 vlan 40,50,60
Switch-3-(config-mst)#exit

Switch-4-(config)#spanning-tree mode mst
Switch-4-(config)#spanning-tree mst configuration
Switch-4-(config-mst)#revision 1
Switch-4-(config-mst)#name MSTP
Switch-4-(config-mst)#instance 1 vlan 10,20,30
Switch-4-(config-mst)#instance 2 vlan 40,50,60
Switch-4-(config-mst)#exit

Switch-1-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      32769 (32768 sysid 1)
Root          this switch for MST1

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-1-#show spanning-tree mst 2

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      32770 (32768 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr


Switch-1-(config)#spanning-tree mst 1 root primary
Switch-1-(config)#spanning-tree mst 2 root secondary
Switch-1-(config)#exit


Switch-1-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0100  priority      24577 (24576 sysid 1)
Root          this switch for MST1
Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-1-#show spanning-tree mst 2
##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0100  priority      28674 (28672 sysid 2)
Root          address aabb.cc00.0300  priority      2     (0 sysid 2)
            port    Et0/0           cost      4000000              rem hops 18
Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Root FWD 2000000   128.1    Shr
Et0/1                            Altn BLK 2000000   128.2    Shr

(as you can see from the output above, switch 1 is the root bridge for MST instance 1 but not for MST instance 2)

Switch-3-(config)#spanning-tree mst 2 root primary
Switch-3-(config)#spanning-tree mst 1 root secondary



Switch-3-#show spanning-tree mst 2

##### MST2    vlans mapped:   40,50,60
Bridge        address aabb.cc00.0300  priority      2     (0 sysid 2)
Root          this switch for MST2

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Desg FWD 2000000   128.1    Shr
Et0/1                            Desg FWD 2000000   128.2    Shr

Switch-3-#show spanning-tree mst 1

##### MST1    vlans mapped:   10,20,30
Bridge        address aabb.cc00.0300  priority      28673 (28672 sysid 1)
Root          address aabb.cc00.0100  priority      24577 (24576 sysid 1)
            port    Et0/1           cost      4000000              rem hops 18

Interface                        Role Sts Cost      Prio.Nbr Type
----------------                 ---- --- --------- -------- --------------------------------
Et0/0                            Altn BLK 2000000   128.1    Shr
Et0/1                            Root FWD 2000000   128.2    Shr

(as you can see, switch 3 is the root bridge for MST instance 2 but not for instance 1)
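The region rules described earlier and the per-instance root election shown in the outputs above, as an added Python model (not the post's or Cisco's code): it expands the VLAN-to-instance map with the IST default, prints the `vlans mapped` ranges the way `show spanning-tree mst configuration` does, checks region membership on name, revision and a digest of the whole map, and elects a root per instance from priority+sysid and bridge address. The addresses of switches 2, 4 and 5 and the digest layout are constructed; switch 1 and 3 addresses and the tuned priorities are the ones the outputs report.

```python
import hashlib
from dataclasses import dataclass, field

MAX_VLAN = 4094   # highest VLAN id the 'vlans mapped' column runs up to


def vlan_map(instances: dict) -> dict:
    """Expand 'instance N vlan a,b,c' statements into the full VLAN -> instance table.
    Every VLAN not mapped explicitly stays in instance 0, the IST, which is why
    'show spanning-tree mst configuration' lists 1-9,11-19,... under instance 0."""
    table = {vlan: 0 for vlan in range(1, MAX_VLAN + 1)}
    for instance, vlans in instances.items():
        for vlan in vlans:
            table[vlan] = instance
    return table


def vlans_mapped(table: dict, instance: int) -> str:
    """Render one instance's VLANs as compressed ranges, e.g. '1-9,11-19'."""
    vlans = sorted(v for v, inst in table.items() if inst == instance)
    ranges, start, prev = [], None, None
    for vlan in vlans + [None]:                  # the None sentinel flushes the last range
        if start is None:
            start = prev = vlan
        elif vlan is not None and vlan == prev + 1:
            prev = vlan
        else:
            ranges.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = vlan
    return ",".join(ranges)


@dataclass
class MstSwitch:
    hostname: str
    mac: str             # bridge address, e.g. aabb.cc00.0100
    name: str            # region name
    revision: int        # region revision number
    instances: dict      # instance -> VLANs explicitly mapped to it
    priority: dict = field(default_factory=dict)   # instance -> configured base priority

    def region_key(self) -> tuple:
        # One region requires identical name, revision and *whole* VLAN table; IOS compares
        # an MD5 digest of the table, reproduced here over the expanded map (constructed layout).
        table = vlan_map(self.instances)
        raw = ",".join(str(table[v]) for v in range(1, MAX_VLAN + 1)).encode()
        return (self.name, self.revision, hashlib.md5(raw).hexdigest())

    def bridge_priority(self, instance: int) -> int:
        # Printed as 'priority 24577 (24576 sysid 1)': base priority plus the instance number.
        return self.priority.get(instance, 32768) + instance


def same_region(switches) -> bool:
    return len({s.region_key() for s in switches}) == 1


def root_bridge(switches, instance: int) -> str:
    """Lowest (priority, MAC) wins, the same comparison STP uses to pick the root."""
    return min(switches, key=lambda s: (s.bridge_priority(instance), s.mac)).hostname


def demo() -> dict:
    # instance 1 vlan 10,20,30 / instance 2 vlan 40,50,60
    mapping = {1: [10, 20, 30], 2: [40, 50, 60]}
    # Switch 1 and 3 addresses are from the outputs above; switch 2 and 4 are constructed.
    macs = ["aabb.cc00.0100", "aabb.cc00.0200", "aabb.cc00.0300", "aabb.cc00.0400"]
    switches = [MstSwitch(f"Switch-{i}", mac, "MSTP", 1, mapping)
                for i, mac in enumerate(macs, start=1)]
    sw1, sw3 = switches[0], switches[2]
    roots_before = {inst: root_bridge(switches, inst) for inst in (0, 1, 2)}
    # Tuning as in the post: switch 1 primary for instance 1 and secondary for 2, switch 3 the
    # reverse; the base priorities are the ones the 'show spanning-tree mst' outputs report.
    sw1.priority = {1: 24576, 2: 28672}
    sw3.priority = {1: 28672, 2: 0}
    roots_after = {inst: root_bridge(switches, inst) for inst in (0, 1, 2)}
    # A switch whose revision number differs falls outside the region, even with the same map.
    stray = MstSwitch("Switch-5", "aabb.cc00.0500", "MSTP", 2, mapping)   # constructed
    return {
        "ist_vlans": vlans_mapped(vlan_map(mapping), 0),
        "same_region": same_region(switches),
        "revision_mismatch": same_region(switches + [stray]),
        "roots_before": roots_before,
        "roots_after": roots_after,
    }
```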


Tuesday, 11 June 2024

What are Cisco intrusion detection systems (IDS) and intrusion prevention systems (IPS)? | What is the difference between IPS and IDS? | How to configure Cisco intrusion prevention systems (IPS)? cyber security | intrusion prevention

An intrusion prevention system (IPS) is a network security tool, also known as an Intrusion Detection and Prevention System, which can be a hardware device or software. An IPS continuously monitors a network for malicious activity and, when it occurs, takes action to prevent it, including reporting, blocking, or dropping it. An IPS is placed inline in the network traffic flow between the source and destination; it analyzes all traffic flows entering the network and can detect or prevent network security attacks.




What do IPS and IDS sensors do?

An IPS/IDS sensor is a device that continuously monitors the traffic on the network and then decides, based on a set of rules, whether that traffic is okay or malicious in some way.


An intrusion prevention system (IPS) is placed directly inline with the flow of network traffic, and each packet passes through the IPS sensor on its way. If the IPS finds malicious traffic, it can drop the packet and deny it reaching the destination, based on the configured rules. This is what makes it an IPS. The IPS adds a small amount of delay before forwarding packets; because the IPS is inline, it can manipulate traffic inline based on the current set of rules.

What is an inline sensor?

A sensor placed inline with the traffic means that whatever network traffic is going through the network is forced in through one physical port on the sensor, and the sensor analyzes the traffic. Let's take a look at the inline topology.




The intrusion detection system also continuously monitors the network traffic, analyzes it, identifies malicious packets and generates alerts, but an IDS cannot prevent the attack by dropping the packets, because it is an intrusion detection system, not a prevention system. The original packet is already on its way to the destination, so the IDS cannot drop it. An IDS is not inline with the flow of network traffic; it is sent copies of the original packets. An IPS adds a small amount of delay, but an IDS adds no delay to the original network traffic, and it cannot manipulate the original inline traffic. Let's take a look at the IDS, which is not inline.



IPS/IDS sensor platform

We must use IPS/IDS sensors in our network to enhance network protection. Cisco has several IPS/IDS sensor platforms that enable us to implement network protection, as follows:

  • A dedicated IPS appliance
  • Software-based IPS on the router
  • A module in an IOS router, such as the AIM-IPS or NME-IPS
  • A blade for multilayer switches that works in the 6500 series
  • Cisco Firepower 7000/8000 series appliances
  • ASA with FirePOWER services


Identifying malicious traffic on the network

IPS/IDS sensors can identify malicious packets in the network in many different ways, based on the rules placed in the sensors; some rules are default, and some we can create or modify. There are several different methods by which IPS/IDS sensors can be configured to identify malicious traffic:

  • Signature-based IPS/IDS
  • Policy-based IPS/IDS
  • Anomaly-based IPS/IDS
  • Reputation-based IPS/IDS

(in the next blog we will look more deeply into these methods and actions)


Let's see how to configure the IOS Intrusion Prevention System (IPS)

Topology: configure IOS Intrusion Prevention System (IPS)




Goal: the task is to enable IPS on R1 to scan traffic entering the 192.168.10.0 network. The Syslog server 192.168.10.20 is used to log IPS messages. A ping from the PC in the red zone to the PC in the green zone should fail, and a ping from the PC in the green zone to the PC in the red zone should pass.

  • Enable IOS IPS
  • Enable the security technology package
  • Verify network connectivity
  • Create an IOS IPS configuration directory in flash
  • Configure the IPS signature location
  • Create an IPS rule
  • Enable logging
  • Configure IOS IPS to use the signature categories
  • Apply the IPS rule to an interface
  • Modify the signature
  • Change the event action of the signature
  • Verify that IPS is working properly
  • From pc-redzone, an attempt to ping PC-greenzone should fail
  • From pc-greenzone, an attempt to ping PC-redzone should pass
  • View the Syslog messages





Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#ip route 192.168.40.0 255.255.255.0 192.168.20.2
Router(config)#exit
 
Router2(config)#interface gigabitEthernet 0/1
Router2(config-if)#ip address 192.168.20.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#interface gigabitEthernet 0/0
Router2(config-if)#ip address 192.168.30.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Router2(config)#ip route 192.168.40.0 255.255.255.0 192.168.30.2
Router2(config)#exit
Router3(config)#interface gigabitEthernet 0/0
Router3(config-if)#ip address 192.168.30.2 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#interface gigabitEthernet 0/1
Router3(config-if)#ip address 192.168.40.1 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#ip route 192.168.10.0 255.255.255.0 192.168.30.1
Router3(config)#exit
 
 
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/1
L        192.168.10.1/32 is directly connected, GigabitEthernet0/1
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet0/0
L        192.168.20.1/32 is directly connected, GigabitEthernet0/0
S     192.168.40.0/24 [1/0] via 192.168.20.2

 
 
 
 
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc2)

License Info:

License UDI:

-------------------------------------------------
Device#   PID            SN
-------------------------------------------------
*0        CISCO1941/K9   FTX1524UTQ7-


Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          None          None           None

Configuration register is 0x2102
 
 
Router(config)#license boot module c1900 technology-package securityk9
 
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE
 
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot
 
Router(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C1900 Next reboot level = securityk9 and License = securityk9
 
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
 
Router#reload
Proceed with reload? [confirm]

Router#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir

Router(config)#ip ips config location flash:ipsdir

Router(config)#ip ips ?
  config                Location of IPS configuration files
  fail                  Specify what to do during any failures
  name                  Specify an IPS rule
  notify                Specify the notification mechanisms (SDEE or log) for the alarms
  signature-category    Signature Category
  signature-definition  Signature Definition

Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#service timestamps log datetime msec
Router(config)#logging host 192.168.10.20
Router(config)#ip ips signature-category


Router(config-ips-category)#?
  category  Category keyword
  exit      Exit from Category Mode
  no        Negate or set default values of a command

Router(config-ips-category)#category all
Router(config-ips-category-action)#?
  exit     Exit from Category Actions Mode
  no       Negate or set default values of a command
  retired  Retire Category Signatures

Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit
Router(config-ips-category)#category ?
  all      All Categories
  ios_ips  IOS IPS (more sub-categories)

Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit

Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip ips iosips out
Router(config-if)#exit

*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDS_STARTED: 00:16:37 UTC Mar 01 1993
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*Mar 01, 00:16:37.1616: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console
*Mar 01, 00:16:53.1616: *Mar 01, 00:16:53.1616: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.20 port 514 started - CLI initiated



Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enable true
Router(config-sigdef-sig-status)#exit
Router(config-sigdef-sig)#?
  engine  Engine
  exit    Exit from Signature Definition Mode
  status  Status

Router(config-sigdef-sig)#engin
Router(config-sigdef-sig-engine)#event-action ?
  deny-packet-inline  Deny Packet
  produce-alert       Produce Alert

Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit

Do you want to accept these changes? [confirm]
%IPS-6-ENGINE_BUILDS_STARTED:
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms

Router#show ip ips all

IPS Signature File Configuration Status
    Configured Config Locations: flash:ipsdir
    Last signature default load time:
    Last signature delta load time:
    Last event action (SEAP) load time: -none-

    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled

IPS Signature Status
    Total Active Signatures: 1
    Total Inactive Signatures: 0

IPS Packet Scanning and Interface Status
    IPS Rule Configuration
      IPS name iosips
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Interface Configuration
      Interface GigabitEthernet0/1
        Inbound IPS rule is not set
        Outgoing IPS rule is iosips

IPS Category CLI Configuration:
    Category all
        Retire: True
    Category ios_ips basic
        Retire: False
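The `show ip ips all` output above is what a reviewer would read when checking whether the IPS is actually in a position to protect anything: fail-closed is disabled (so if the signature engine ever fails, traffic passes uninspected), auto-update is not configured, only one signature is active, and GigabitEthernet0/1 carries an outgoing rule but no inbound one. The script below is an added example, not part of the original post: it parses that same output (embedded as a sample, re-indented) and reports those settings as findings. The finding wording, the severity labels and the `MIN_ACTIVE_SIGNATURES` threshold are assumptions chosen for illustration.

```python
"""Audit `show ip ips all` output for settings a reviewer would question.

Added example, not from the original post. The sample text is the
transcript's own `show ip ips all` output; the severities and the
MIN_ACTIVE_SIGNATURES threshold are assumed values for illustration.
"""
import re

# Below this many active signatures the audit flags the signature set as
# too small to be useful (assumed value, not a Cisco recommendation).
MIN_ACTIVE_SIGNATURES = 10

# Sample: the `show ip ips all` output from the transcript on this page.
SAMPLE_SHOW_IP_IPS_ALL = """\
IPS Signature File Configuration Status
    Configured Config Locations: flash:ipsdir
    Last signature default load time:
    Last signature delta load time:
    Last event action (SEAP) load time: -none-
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled
IPS Signature Status
    Total Active Signatures: 1
    Total Inactive Signatures: 0
IPS Packet Scanning and Interface Status
    IPS Rule Configuration
      IPS name iosips
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Interface Configuration
      Interface GigabitEthernet0/1
        Inbound IPS rule is not set
        Outgoing IPS rule is iosips
"""


def parse_show_ip_ips_all(text):
    """Extract the settings the audit cares about into a dict."""
    info = {
        "fail_closed": None,        # True/False once the line is seen
        "auto_update": None,        # False when explicitly "not configured"
        "active_signatures": None,  # int from "Total Active Signatures"
        "interfaces": {},           # name -> {"in": rule|None, "out": rule|None}
    }
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"IPS fail closed is (enabled|disabled)$", line)
        if m:
            info["fail_closed"] = m.group(1) == "enabled"
            continue
        if line.startswith("IPS Auto Update is not currently configured"):
            info["auto_update"] = False
            continue
        m = re.match(r"Total Active Signatures: (\d+)$", line)
        if m:
            info["active_signatures"] = int(m.group(1))
            continue
        # Interface names end in a digit, which keeps the heading
        # "Interface Configuration" from being mistaken for one.
        m = re.match(r"Interface (\S*\d)$", line)
        if m:
            current_if = m.group(1)
            info["interfaces"][current_if] = {"in": None, "out": None}
            continue
        if current_if:
            m = re.match(r"(Inbound|Outgoing) IPS rule is (?:not set|(\S+))$", line)
            if m:
                key = "in" if m.group(1) == "Inbound" else "out"
                info["interfaces"][current_if][key] = m.group(2)  # None = not set
    return info


def audit_ips(info):
    """Return (severity, message) findings for the parsed settings."""
    findings = []
    if info["fail_closed"] is False:
        findings.append(("medium", "IPS fail closed is disabled: traffic is forwarded "
                                   "uninspected if the signature engine fails"))
    if info["auto_update"] is False:
        findings.append(("low", "IPS auto update is not configured; signatures will age"))
    n = info["active_signatures"]
    if n is not None and n < MIN_ACTIVE_SIGNATURES:
        findings.append(("info", f"only {n} active signature(s) loaded"))
    for name, rules in info["interfaces"].items():
        if rules["in"] is None and rules["out"] is None:
            findings.append(("high", f"{name}: no IPS rule applied in either direction"))
        elif rules["in"] is None:
            findings.append(("medium", f"{name}: no inbound IPS rule (outgoing rule is {rules['out']})"))
        elif rules["out"] is None:
            findings.append(("medium", f"{name}: no outgoing IPS rule (inbound rule is {rules['in']})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ips(parse_show_ip_ips_all(SAMPLE_SHOW_IP_IPS_ALL)):
        print(f"[{severity}] {message}")
```

Run against the sample it produces four findings, one for each of the points listed above; feeding it the output of another router only needs the `show ip ips all` text pasted into the string.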


C:\>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::202:16FF:FE76:76AD
   IP Address......................: 192.168.10.10
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.10.1

Bluetooth Connection:

   Link-local IPv6 Address.........: ::
   IP Address......................: 0.0.0.0
   Subnet Mask.....................: 0.0.0.0
   Default Gateway.................: 0.0.0.0

C:\>ping 192.168.40.10

Pinging 192.168.40.10 with 32 bytes of data:

Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time=2ms TTL=125

Ping statistics for 192.168.40.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms

C:\>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::201:43FF:FEBA:6555
   IP Address......................: 192.168.40.10
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.40.1

Bluetooth Connection:

   Link-local IPv6 Address.........: ::
   IP Address......................: 0.0.0.0
   Subnet Mask.....................: 0.0.0.0
   Default Gateway.................: 0.0.0.0

C:\>ping 192.168.10.10

Pinging 192.168.10.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 192.168.10.10

Pinging 192.168.10.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

Router#
*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:35.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:41.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:47.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:53.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
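
Because `ip ips notify log` and `logging host 192.168.10.20` were configured earlier, every one of the `%IPS-4-SIGNATURE` lines above also reaches the syslog collector, where it is only useful if something turns it into a structured record. The script below is an added example, not part of the original post: it parses those exact lines (embedded as a constructed sample, with one unrelated syslog line added to show it is ignored), extracts signature, severity, source, destination and risk rating, counts alerts per source/destination/signature, and groups repeated hits from one source into bursts. The 60-second window and the threshold of four hits are assumed values for illustration, and since the router's timestamps carry no year, parsed times are used only for ordering and differences.

```python
"""Parse and summarise Cisco IOS IPS %IPS-4-SIGNATURE syslog messages.

Added example, not from the original post. SAMPLE_LOG is constructed from
the alert lines in the transcript, as the logging host 192.168.10.20 would
receive them. The burst window and threshold are assumed values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the eight alerts from the transcript plus one
# non-IPS syslog line that the parser must skip.
SAMPLE_LOG = """\
*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:35.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:41.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:47.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:53.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:28:00.2828: %SYS-5-CONFIG_I: Configured from console by console
"""

# One regex for the whole line; the ".2525" after the seconds is the
# sub-second field as it appears in the transcript.
ALERT_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}), (?P<time>\d{2}:\d{2}:\d{2})\.\d+: "
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"\[(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] RiskRating:(?P<rr>\d+)$"
)


def parse_alerts(text):
    """Return one dict per %IPS-4-SIGNATURE line; other lines are skipped."""
    alerts = []
    for raw in text.splitlines():
        m = ALERT_RE.match(raw.strip())
        if not m:
            continue
        # No year in the message, so this parses to year 1900; fine for
        # ordering and time differences within one log.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        alerts.append({
            "ts": ts,
            "sig": int(m["sig"]),
            "subsig": int(m["subsig"]),
            "severity": int(m["sev"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "risk": int(m["rr"]),
        })
    return alerts


def summarize(alerts):
    """Count alerts per (source, destination, signature)."""
    return Counter((a["src"], a["dst"], a["sig"]) for a in alerts)


def find_bursts(alerts, window=timedelta(seconds=60), threshold=4):
    """Group hits per (source, signature); report runs of at least
    `threshold` alerts whose first and last lie within `window`."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["sig"])].append(a["ts"])
    bursts = []
    for (src, sig), times in groups.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append((src, sig, times[i].strftime("%H:%M:%S"), count))
                i = j + 1   # a run is reported once, then scanning resumes after it
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for key, n in summarize(parsed).items():
        print(f"{key[0]} -> {key[1]} sig {key[2]}: {n} alert(s)")
    for src, sig, start, n in find_bursts(parsed):
        print(f"burst: {n} hits of sig {sig} from {src} starting {start}")
```

On the sample this yields a single counter entry (eight alerts from 192.168.40.10 to 192.168.10.10 for signature 2004) and two bursts of four, which match the two `ping 192.168.10.10` runs in the PC transcript above.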








