Lab Topology

Lab Object

Technical characteristics:

1. is an and scan each packet crossing the router which matches any one of these .

2. When discovering suspicious activities, you can take the following actions:

(1) alarm:send alarm to syslog server or Director

(2) Drop:Drop this packet

(3) Reset:reset this TCP connection(but it will continue to forward this packet, so it is recommended to perform forwarding and dropping simultaneously), when IOS IDS is enabled, IOS Firewall will be enabled automatically. Some parameters will function at this time.

For example:

ip inspect max-incomplete high

ip inspect max-incomplete low

ip inspect one-minute high

ip inspect one-minute low

Lab Process

1. Configuration of GW.

GW(config)#ip audit smtp spam 20 [k1]

GW(config)# ip audit notify nr-director [k2]

GW(config)#ip audit notify log [k3]

GW(config)#ip audit name MYIDS info action alarm

GW(config)#ip audit name MYIDS attack action alarm drop reset

GW(config)#inter s0/0

GW(config-if)#ip audit MYIDS in


GW(config)#logging trap informational

GW(config)#ip audit po local hostid 10 orgid 1000

GW(config)#ip audit po remote hostid 11 orgid 1000 rmtaddress localaddress

GW(config)#config-register 0×2102



2. Test:

Create alarm system on syslog server to check the alarm information.


GW#ping size 1025

show ip audit all

show ip audit statistics

clear ip audit configuration [k4]

[k1]The maximum number of e-mail receivers, the default is 250

[k2]Send log to director

[k3]Send log to syslog server

[k4]Disable IDS and clear all IDS configurations.

[Report Dead Link] Please leave a comment or send email to report dead links, so that we will update new links within 24 hours.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.