IPS的VLAN Group
2012-06-08 13:32
330 查看
IPS VLAN group是IPS6.0之后才有的功能,其中VLAN Group杂合模式需要配置镜像时打上VLAN标签,在GNS默认不了,VLAN Group在线模式其实就是在线模式和VLAN Group的一个叠加,先配置在线接口对,接着在在线接口对上配置VLAN Group,告诉IPS上面跑了哪些VLAN,同时支持把不同的VLAN数据送到不同虚拟sensor上。
一.VLAN Group 杂合模式:
需要交换机做镜像时能够打上vlan标签,IPS可以设置多个虚拟sensor,每个sensor处理特定VLAN的流量。
二.VLAN Group 在线模式:
VLNA group在线模式,需要交换机连接IPS sersor口为trunk接口,并且在IPS上需要配置VLAN group接口对。
A.测试拓扑:
B.基本步骤:
①R1:
interface f0/0
ip add 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.253
②SW1:
vlan database
vlan 2
vlan 3
exit
interface f0/2
sw mo ac
sw ac vlan 2
interface f0/3
sw mo ac
sw ac vlan 3
interface f0/15
sw tr en dot1q
sw mode trunk
int vlan 2
ip add 10.1.1.253 255.255.255.0
int vlan 3
ip add 20.1.1.253 255.255.255.0
③R2:
interface f0/0
ip add 20.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 20.1.1.253
④R3:
interface f0/0
ip add 10.1.1.3 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.254
⑤SW2:
vlan database
vlan 2
vlan 3
exit
interface f0/2
sw mo ac
sw ac vlan 2
interface f0/3
sw mo ac
sw ac vlan 3
interface f0/15
sw tr en dot1q
sw mode trunk
int vlan 2
ip add 10.1.1.254 255.255.255.0
int vlan 3
ip add 20.1.1.254 255.255.255.0
⑥R4:
interface f0/0
ip add 20.1.1.4 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 20.1.1.254
C.IPS6配置:
①创建接口对:
②创建VLAN Groups:
③指派sensor:
[b]④调整签名库:[/b]
[b]⑤效果测试[/b]
R1#ping 10.1.1.3 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/21/316 ms
R1#
有如下告警:
evIdsAlert: eventId=1299862434698387899 vendor=Cisco severity=informational
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 397
time: 2013年5月28日 下午01时05分04秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 2
participants:
attacker:
addr: 10.1.1.3 locality=OUT
target:
addr: 10.1.1.1 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 35
interface: ge0_1
protocol: icmp
R1#ping 20.1.1.4 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 20.1.1.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/25/112 ms
R1#
有如下告警:
evIdsAlert: eventId=1299862434698387966 vendor=Cisco severity=informational
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 397
time: 2013年5月28日 下午01时06分37秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 2
participants:
attacker:
addr: 20.1.1.4 locality=OUT
target:
addr: 10.1.1.1 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 35
interface: ge0_1
protocol: icmp
一.VLAN Group 杂合模式:
需要交换机做镜像时能够打上vlan标签,IPS可以设置多个虚拟sensor,每个sensor处理特定VLAN的流量。
二.VLAN Group 在线模式:
VLNA group在线模式,需要交换机连接IPS sersor口为trunk接口,并且在IPS上需要配置VLAN group接口对。
A.测试拓扑:
B.基本步骤:
①R1:
interface f0/0
ip add 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.253
②SW1:
vlan database
vlan 2
vlan 3
exit
interface f0/2
sw mo ac
sw ac vlan 2
interface f0/3
sw mo ac
sw ac vlan 3
interface f0/15
sw tr en dot1q
sw mode trunk
int vlan 2
ip add 10.1.1.253 255.255.255.0
int vlan 3
ip add 20.1.1.253 255.255.255.0
③R2:
interface f0/0
ip add 20.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 20.1.1.253
④R3:
interface f0/0
ip add 10.1.1.3 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.254
⑤SW2:
vlan database
vlan 2
vlan 3
exit
interface f0/2
sw mo ac
sw ac vlan 2
interface f0/3
sw mo ac
sw ac vlan 3
interface f0/15
sw tr en dot1q
sw mode trunk
int vlan 2
ip add 10.1.1.254 255.255.255.0
int vlan 3
ip add 20.1.1.254 255.255.255.0
⑥R4:
interface f0/0
ip add 20.1.1.4 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 20.1.1.254
C.IPS6配置:
①创建接口对:
②创建VLAN Groups:
③指派sensor:
[b]④调整签名库:[/b]
[b]⑤效果测试[/b]
R1#ping 10.1.1.3 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/21/316 ms
R1#
有如下告警:
evIdsAlert: eventId=1299862434698387899 vendor=Cisco severity=informational
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 397
time: 2013年5月28日 下午01时05分04秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 2
participants:
attacker:
addr: 10.1.1.3 locality=OUT
target:
addr: 10.1.1.1 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 35
interface: ge0_1
protocol: icmp
R1#ping 20.1.1.4 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 20.1.1.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/25/112 ms
R1#
有如下告警:
evIdsAlert: eventId=1299862434698387966 vendor=Cisco severity=informational
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 397
time: 2013年5月28日 下午01时06分37秒 offset=0 timeZone=UTC
signature: description=ICMP Echo Reply id=2000 version=S1 type=other created=20001127
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 2
participants:
attacker:
addr: 20.1.1.4 locality=OUT
target:
addr: 10.1.1.1 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
riskRatingValue: 35 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 35
interface: ge0_1
protocol: icmp
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- IPS在线模式实验1-VLAN Pair
- chapter9:vlan/vtp
- 中小局域网交换机VLAN配置
- ViewPager,RadioGroup,FragmentManager 详解 <五> Fragment,ViewPager 和ActionBar
- IDS和IPS的部署细节科普
- 发现一个关于GroupBox的咚咚,好玩~
- Android学习小demo(3)自定义ViewGroup 利用 scroller 实行屏幕滚动
- View与ViewGroup的区别与联系
- trunk vlan 加路由
- "killall" to kill a group of processes on linux
- 重写ViewGroup实现App第一次启动向导
- mongodb group 查询
- RadioGroup+RadioButton切换Fragment
- Ext常用问题的总结(转载自http://ext.group.javaeye.com/group/)
- Rebalance Disk Group + ASM Disk Discovery
- leetcode 25. Reverse Nodes in k-Group
- mysql5注入中group_concat的使用
- 用户(User)和用户组(Group)配置文件详解
- 自定义ViewGroup (3) 与子View之间 Touch Event的拦截与处理