Skip to content

    Configure IOS Intrusion Prevention (IPS)

    1. Create and define a directory for IPS configuration files
      2. mkdir flash:/ips
    2. Import the Cisco RSA public key (available from the cisco.com download area)
      3. crypto key pubkey-chain rsa
  named-key realm-cisco.pub signature
    key-string
    ....
    quit
    3. (optional) create an ACL to define what traffic gets inspected
      4. ip access-list extended IPS-INSPECT
  permit ip any host 1.2.3.4
  permit ip host 1.2.3.4 any
!
ios ips name IPS1 list IPS-INSPECT
    4. Retire and un-retire signature sets
      5. ip ips signature-category
  category-all
    retired true
  category ios_ips_basic
    retired false
    exit
  exit
    5. Apply the IPS configuration to an interface
      6. int gi0/0
  ip ips IPS1 in
  ip ips IPS1 out
    6. Upload signature definitions
      7. copy ftp://cisco:cisco@10.1.1.1/IOS-S310-CLI.pkg idconf
    7. (optional) enable syslog notifications for IPS events
      8. ip ips notify log
    8. (optional) enable SDEE notifications for IPS events
      9. access-list 80 permit 2.2.2.2
ip http access-class 80
ip http server enable
ip ips notify sdee
    9. (optional) Tweak individual signatures
      10. ip ips signature-definition
  signature 6130 10
    engine
      event-action produce-alert
      event-action deny-packet-inline
      exit
    exit
  exit
    10. Verification
      11. show ip ips signature count

    Based on Keith Barker’s blog post at InternetworkExpert and this Cisco.com technote.

    Posted in CCIE R&S, CCIE Security.

    Tagged with , , , , .

    No comments

    By Brian January 16, 2010

    0 Responses

    Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.



    Some HTML is OK

    or, reply to this post via trackback.

    »