The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Virtual Route Forwarding or Virtual Private Network (VPN) Route Forwarding (VRF), is a mechanism that allows multiple instances of a routing table to exist on a router and work simultaneously. This mechanism allows for network paths to be segregated without using multiple devices, thereby increasing network security and eliminating the need for encryption and authentication. VRFs are generally used to create separate VPNs. Allowing Intrusion Prevention System (IPS) to be configured on a per-VRF basis means global parameters will be shared by multiple VPNs, providing VRF related information on the Security Device Event Exchange (SDEE) and syslog alerts.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When Cisco IOS IPS detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages or SDEE. The network administrator can configure Cisco IOS IPS to choose the appropriate response to various threats. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:
Cisco IOS software-based intrusion-prevention capabilities and Cisco IOS firewall are developed with flexibility in mind, so that individual signatures could be disabled in case of false positives. Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support network security policies. However, each of these features may be enabled independently and on different router interfaces.
Each VPN has its own routing and forwarding table in the router, so any customer or site that belongs to a VPN is provided access only to the set of routes contained within that table. Any Provider Edge (PE) router in the MPLS VPN network therefore contains a number of per-VPN routing tables and a global routing table that is used to reach other routers in the service provider network. Effectively, virtual routers are created in a single physical router.
VRF is a Cisco IOS route table instance for connecting a set of sites to a VPN service. A VRF contains a template of a VPN Routing/Forwarding table in a PE router.
The overlapping addresses, usually resulting from the use of private IP addresses in customer networks, are one of the major obstacles to successful deployment of peer-to-peer VPN implementation. The MPLS VPN technology provides a solution to this dilemma.
VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF Lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be physical, such as Ethernet ports, or logical, such as VLAN switched virtual interfaces (SVIs). However, a Layer 3 interface cannot belong to more than one VRF at a time.
Note |
VRF Lite interfaces must be Layer 3 interfaces. |
VRF-lite includes these devices:
With VRF Lite, multiple customers can share one CE, and only one physical link is used between the CE and the PE. The shared CE maintains separate VRF tables for each customer and switches or routes packets for each customer based on its own routing table. VRF Lite extends limited PE functionality to a CE device, giving the CE device the ability to maintain separate VRF tables to extend the privacy and security of a VPN to the branch office.
If VRF is configured on an interface and then IPS is attached, an IPS control block is created as shown in the figure below, with an appropriate name for the VRF instead of the existing default value.VRF support for IPS allows customization of IPS parameters, settings and statistics per VRF interface and customization of IPS signature sets for each VRF user. The IPS VRF code takes care of the VRF support including overlapping addresses.
Figure 1 | IPS in a VRF-to-VRF Scenario |
Virtual Route Forwarding (VRF) is a mechanism that allows multiple instances of a routing table to exist on a router and work simultaneously. This mechanism allows for network paths to be segregated without using multiple devices which increases network security and eliminates the need for encryption and authentication. VRFs are generally used to create separate Virtual Private Networks (VPNs). If VRF is configured on an interface and IPS is attached, an IPS control block is created with the appropriate name for the VRF instead of the existing default value. VRF support for IPS allows customization of IPS parameters, settings and statistics per VRF interface and customization of IPS signature sets for each VRF user. All interfaces share the same global parameters for IPS, but alarms and event log information on the SDEE and syslog alerts carry respective VRF information.
The following steps are used to configure VRF routing and forwarding tables, configuring VRF on an interface and attach IPS to this interface:
Note |
If a global VRF is removed, the IPS configuration on the interfaces belonging to that VRF is cleaned and removed, including any sessions and statistics created on the VRF. The user must reconfigure IPS on the affected interfaces if they are to be used again. |
The following example shows how to enable and verify Cisco IOS IPS on your router:
Router# mkdir flash:/ips5 Create directory filename [ips5]? Created dir flash:/ips5 Router# Router# Router# Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# ip ips name MYIPS Router(config)# ip ips config location flash:/ips5 Router(config)# ip ips signature-category Router(config-ips-category)# category all Router(config-ips-category-action)# retired true Router(config-ips-category-action)# exit Router(config-ips-category)# category ios_ips advanced Router(config-ips-category-action)# retired false Router(config-ips-category-action)# exit Router(config-ips-category)# exit Do you want to accept these changes? [confirm] Router(config)# d *Nov 14 2006 17:16:42 MST: Applying Category configuration to signatures .. Router(config)# Router(config)# do show ip interface brief Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 10.0.20.120 YES NVRAM up up GigabitEthernet0/1 10.12.100.120 YES NVRAM administratively down down NVI0 unassigned NO unset up up Router(config)# Router(config)# interface gigabits 0/0 Router(config-if)# ip ips MYIPS in Router(config-if)# *Nov 14 2006 17:17:07 MST: %IPS-6-ENGINE_BUILDS_STARTED: 17:17:07 MST Nov 14 2006 *Nov 14 2006 17:17:07 MST: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines *Nov 14 2006 17:17:07 MST: %IPS-6-ENGINE_READY: atomic-ip - build time 0 ms - packets for this engine will be scanned *Nov 14 2006 17:17:07 MST: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 0 ms Router(config-if)# Router(config-if)# ip ips MYIPS out Router(config-if)# Router(config-if)# Router(config-if)#^Z Router# *Nov 14 2006 17:17:23 MST: %SYS-5-CONFIG_I: Configured from console by cisco on console Router# wr Building configuration... [OK] Router# Router# show ip ips signature count Cisco SDF release version S0.0 Signature Micro-Engine: multi-string (INACTIVE) Signature Micro-Engine: service-http (INACTIVE) Signature Micro-Engine: string-tcp (INACTIVE) Signature Micro-Engine: string-udp (INACTIVE) Signature Micro-Engine: state (INACTIVE) Signature Micro-Engine: atomic-ip Total Signatures: 3 Enabled: 0 Compiled: 3 Signature Micro-Engine: string-icmp (INACTIVE) Signature Micro-Engine: service-ftp (INACTIVE) Signature Micro-Engine: service-rpc (INACTIVE) Signature Micro-Engine: service-dns (INACTIVE) Signature Micro-Engine: normalizer (INACTIVE) Signature Micro-Engine: service-smb-advanced (INACTIVE) Signature Micro-Engine: service-msrpc (INACTIVE) Total Signatures: 3 Total Enabled Signatures: 0 Total Retired Signatures: 0 Total Compiled Signatures: 3 Router# Router# copy flash:IOS-S258-CLI-kd.pkg idconf *Nov 14 2006 17:19:47 MST: %IPS-6-ENGINE_BUILDS_STARTED: 17:19:47 MST Nov 14 2006 *Nov 14 2006 17:19:47 MST: %IPS-6-ENGINE_BUILDING: multi-string - 3 signatures - 1 of 13 engines *Nov 14 2006 17:19:47 MST: %IPS-6-ENGINE_READY: multi-string - build time 4 ms - packets for this engine will be scanned *Nov 14 2006 17:19:47 MST: %IPS-6-ENGINE_BUILDING: service-http - 611 signatures - 2 of 13 engines *Nov 14 2006 17:20:00 MST: %IPS-6-ENGINE_READY: service-http - build time 12932 ms - packets for this engine will be scanned *Nov 14 2006 17:20:00 MST: %IPS-6-ENGINE_BUILDING: string-tcp - 864 signatures - 3 of 13 engines *Nov 14 2006 17:20:02 MST: %IPS-6-ENGINE_READY: string-tcp - build time 2692 ms - packets for this engine will be scanned *Nov 14 2006 17:20:02 MST: %IPS-6-ENGINE_BUILDING: string-udp - 74 signatures - 4 of 13 engines *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: string-udp - build time 316 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_BUILDING: state - 28 signatures - 5 of 13 engines *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: state - build time 24 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_BUILDING: atomic-ip - 252 signatures - 6 of 13 engines *Nov 14 2006 17:20:03 MST: %IPS-4-META_ENGINE_UNSUPPORTED: atomic-ip 2154:0 - this signature is a component of the unsupported META engine *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: atomic-ip - build time 232 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 e Router# engines *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: string-icmp - build time 12 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: service-ftp - build time 8 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: service-rpc - build time 80 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: service-dns - build time 20 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: normalizer - build time 0 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_BUILDING: service-msrpc - 22 signatures - 12 of 13 engines *Nov 14 2006 17:20:03 MST: %IPS-6-ENGINE_READY: service-msrpc - build time 8 ms - packets for this engine will be scanned *Nov 14 2006 17:20:03 MST: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16344 ms Router# Router# Router# show ip ips signature count Cisco SDF release version S258.0 Signature Micro-Engine: multi-string Total Signatures: 3 Enabled: 3 Retired: 3 Signature Micro-Engine: service-http Total Signatures: 611 Enabled: 159 Retired: 428 Compiled: 183 Signature Micro-Engine: string-tcp Total Signatures: 864 Enabled: 414 Retired: 753 Compiled: 111 Signature Micro-Engine: string-udp Total Signatures: 74 Enabled: 1 Retired: 44 Compiled: 30 Signature Micro-Engine: state Total Signatures: 28 Enabled: 16 Retired: 25 Compiled: 3 Signature Micro-Engine: atomic-ip Total Signatures: 252 Enabled: 56 Retired: 148 Compiled: 103 Inactive - invalid params: 1 Signature Micro-Engine: string-icmp Total Signatures: 3 Enabled: 0 Retired: 2 Compiled: 1 Signature Micro-Engine: service-ftp Total Signatures: 3 Enabled: 1 Compiled: 3 Signature Micro-Engine: service-rpc Total Signatures: 75 Enabled: 44 Retired: 44 Compiled: 31 Signature Micro-Engine: service-dns Total Signatures: 38 Enabled: 30 Retired: 5 Compiled: 33 Signature Micro-Engine: normalizer Total Signatures: 9 Enabled: 8 Retired: 5 Compiled: 4 Signature Micro-Engine: service-smb-advanced (INACTIVE) Signature Micro-Engine: service-msrpc Total Signatures: 22 Enabled: 22 Retired: 22
The following example shows a physical interface supporting a VRF forwarding table with IPS enabled on VRF600:
Router(config)# ip vrf VRF600 Router(config-vrf)# rd 100:600 Router(config-vrf)# route-target export 100:600 Router(config-vrf)# route-target import 100:600 Router(config-vrf)# exit Router(config)# interface FastEthernet 0/1 Router(config-subif)# ip vrf forwarding VRF600 Router(config-subif)# ip address 192.168.00.3 192.168.255.225 Router(config-subif)# ip ips ips_policy600 in router(config-subif)# exit router(config-if)# end
The following example shows two physical interfaces supporting two VRF forwarding tables, VRF600 and VRF601, with IPS enabled on only VRF600:
config terminal Router1(config)# ip vrf VRF600 Router1(config-vrf)# rd 100:600 Router1(config-vrf)# route-target export 100:600 Router1(config-vrf)# route-target import 100:600 Router1(config-vrf)# exit Router1(config)# ip vrf VRF601 Router1(config-vrf)# rd 100:601 Router1(config-vrf)# route-target export 100:601 Router1(config-vrf)# route-target import 100:601 Router1(config-vrf)# exit Router1(config)# interface FastEthernet 0/0.600 Router1(config-subif)# encapsulation dot1Q 600 Router1(config-subif)# ip vrf forwarding VRF600 Router1(config-subif)# ip address 192.168.00.0 192.168.255.0 Router1(config-subif)# exit Router1(config)# interface FastEthernet 0/0.601 Router1(config-subif)# encapsulation dot1Q 601 Router1(config-subif)# ip vrf forwarding VRF601 Rrouter1(config-subif)# ip address 192.168.00.0 192.168.255.0 Router1(config-subif)# end config terminal Router2(config)# ip ips name ips_policy600 Router2(config)# ip vrf VRF600 Router2(config-vrf)# rd 100:600 Router2(config-vrf)# route-target export 100:600 Router2(config-vrf)# route-target import 100:600 Router2(config-vrf)# exit Router2(config)# ip vrf VRF601 Router2(config-vrf)# rd 100:601 Router2(config-vrf)# route-target export 100:601 Router2(config-vrf)# route-target import 100:601 Router2(config-vrf)# exit Router2(config)# interface FastEthernet 0/1.600 Router2(config-subif)# encapsulation dot1Q 600 Router2(config-subif)# ip vrf forwarding VRF600 Router2(config-subif)# ip address 192.168.00.0 192.168.255.0 Router2(config-subif)# ip ips ips_policy600 in Router2(config-subif)# exit Router2(config)# interface FastEthernet 0/1.601 Router2(config-subif)# encapsulation dot1Q 601 Router2(config-subif)# ip vrf forwarding VRF601 Router2(config-subif)# ip address 192.168.00.0 192.168.255.0 Router2(config-subif)# end
The following example shows Multiple VRFs configured with IPS and ZBP firewalls:
ip cef ! ip vrf VRF_600 rd 100:110 route-target export 100:1000 route-target import 100:1000 ! ip vrf VRF_601 rd 100:120 route-target export 100:2000 route-target import 100:2000 ! ip ips config location flash:ips5/ retries 1 ip ips name IPS_POLICY_201 ip ips name IPS_POLICY_VRF_600 ip ips name IPS_POLICY_VRF_601 ! ip ips signature-category category all retired true ! crypto key pubkey-chain rsa named-key realm-cisco.pub signature key-string 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 F3020301 0001 quit ! class-map type inspect match-any L4-cmti match protocol tcp match protocol udp match protocol icmp ! policy-map type inspect inside201-outside-pmti class type inspect L4-cmti inspect ! policy-map type inspect inside600-outside-pmti class type inspect L4-cmti inspect ! policy-map type inspect inside602-outside-pmti class type inspect L4-cmti inspect ! zone security inside201 zone security inside600 zone security inside601 zone security outside ! zone-pair security inside201-outside source inside201 destination outside service-policy type inspect inside201-outside-pmti ! zone-pair security inside600-outside source inside600 destination outside service-policy type inspect inside600-outside-pmti ! zone-pair security inside601-outside source inside602 destination outside service-policy type inspect inside602-outside-pmti ! interface Loopback0 ip address 10.10.10.4 10.255.255.255 ip router isis ! interface GigabitEthernet0/0 no ip address duplex auto speed auto media-type rj45 no keepalive ! interface GigabitEthernet0/0.201 encapsulation dot1Q 201 ip address 192.168.00.0 192.168.255.0 zone-member security inside201 ip ips myips201 in ip ips myips201 out ! interface GigabitEthernet0/0.600 encapsulation dot1Q 600 ip vrf forwarding VRF_600 ip address 10.0.0.0 10.255.255.255 zone-member security inside600 ip ips IPS_POLICY_VRF_600 in ip ips IPS_POLICY_VRF_600 out ! interface GigabitEthernet0/0.601 encapsulation dot1Q 601 ip vrf forwarding IPS_POLICY_VRF_601 ip address 10.0.0.0 10.255.255.255 zone-member security inside602 ip ips IPS_POLICY_VRF_601 in ip ips IPS_POLICY_VRF_601 out ! ! interface FastEthernet2/0 ip address 10.1.1.14 10.255.255.255 ip router isis duplex auto speed auto mpls ip ! router isis net 10.225.225.225 is-type level-1 ! router bgp 100 no synchronization bgp log-neighbor-changes neighbor 10.10.10.6 remote-as 100 neighbor 10.10.10.6 update-source Loopback0 no auto-summary ! address-family vpnv4 neighbor 10.10.10.6 activate neighbor 10.10.10.6 send-community both exit-address-family ! address-family ipv4 vrf VRF_600 redistribute connected no synchronization exit-address-family ! address-family ipv4 vrf VRF_601 redistribute connected no synchronization exit-address-family
Note |
All VRFs will share the same global IPS configurations, therefore, some show commands which show the information of the global items are shown for every VRF irrespective of whether the event happened on that particular VRF. |
The following is sample output from the show ip ips statisticscommand. The output provides statistics that may not necessarily be the ones that fired on VRF 600.
Router# show ip ips statistics vrf VRF_600
Signature statistics [process switch:fast switch]
signature 5170:1 packets checked: [0:4]
Interfaces configured for ips 4
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
TCP reassembly statistics
received 0 packets out-of-order; dropped 0
peak memory usage 0 KB; current usage: 0 KB
peak queue length 0
The following is sample output from the show ip ips interfaces command.
Router# show ip ips interface
Interface Configuration
Interface GigabitEthernet0/0
VRF name: vrf1
Inbound IPS rule is tst
Outgoing IPS rule is not set
The following is sample output from the show ip ips session command.
Router# show ip ips session vrf vrf1
Established Sessions
Session 485EBEE8 (172.16.0.0:10001)=>(172.31.255.255:80) tcp SIS_OPEN
The following is sample output from the clear ip ips statisticscommand.
Router# clear ip ips statistics vrf vrf1 Router# show ip ips stat vrf vrf1 Interfaces configured for ips 1 Session creations since subsystem startup or last reset 0 Current session counts (estab/half-open/terminating) [1:0:0] Maxever session counts (estab/half-open/terminating) [1:0:0] Last session created 00:00:26 Last statistic reset 00:00:01
The following is sample error message output with the VRF name.
%IPS-4-SIGNATURE: Sig:5405 Subsig:0 Sev:100 [192.168.103.1:51129 -> 192.168.3.4:80] VRF:vrf600 RiskRating:100
The SDEE messages have been enhanced to show the VRF name. An example of output from the browser is as follows:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?> <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"> <env:Body> <sd:events xmlns:cid="http://www.cisco.com/cids/2003/08/cidee" xmlns:sd="http://example.org/2003/08/sdee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://example.org/2003/08/sdee sdee.xsd http://www.cisco.com/cids/2003/08/cidee cidee.xsd"> <sd:evIdsAlert eventId="11630069224" vendor="Cisco" severity="unknown"> <sd:originator> <sd:hostId>iosfw-28a</sd:hostId> </sd:originator> <sd:time offset="0" timeZone="UTC">1163006922225223338</sd:time> <sd:signature description="" id="5123" version="S4"> <cid:subsigId>0</cid:subsigId> <cid:sigDetails>Host:\x3c250+ chars></cid:sigDetails> </sd:signature> <cid:protocol>tcp</cid:protocol> <cid:riskRatingValue>85</cid:riskRatingValue> <sd:participants> <sd:attacker> <sd:addr>10.1.0.1</sd:addr> <sd:port>10001</sd:port> </sd:attacker> <sd:target> <sd:addr>10.2.0.1</sd:addr> <sd:port>80</sd:port> </sd:target> </sd:participants> <sd:actions></sd:actions> <cid:interface>Gi0/1</cid:interface> <cid:vrf_name>vrf1</cid:vrf_name> </sd:evIdsAlert> </sd:events> </env:Body> </env:Envelope>
The SDEE show commands have been enhanced to include VRF specific information, the following is sample output from the show ip sdee alertscommand:
Router# show ip sdee alerts
Alert storage: 200 alerts using 56000 bytes of memory
SDEE Alerts
SigID Sig Name SrcIP:SrcPort DstIP:DstPort VRF
or Summary Info
1: 5170:1 192.162.4.0:3692 192.162.6.0:80 NONE
2: 5170:1 192.162.4.0:3692 192.162.6.0:80 VRF_600
The following is sample output from the show ip sdee events command.
Router# show ip sdee events
Alert storage: 200 alerts using 56000 bytes of memory
Message storage: 200 messages using 84800 bytes of memory
SDEE Events
Time Type Description
1: 10:25:55 MST Jan 22 2007 ALERT Sig ID 5170:1
2: 10:25:57 MST Jan 22 2007 ALERT Sig ID 5170:1
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for VRF Aware Cisco IOS IPS |
Feature Name |
Releases |
Feature Information |
---|---|---|
VRF aware Cisco IOS IPS |
12.4(20)T |
Virtual Route Forwarding or Virtual Private Network (VPN) Route Forwarding (VRF), is a mechanism that allows multiple instances of a routing table to exist on a router and work simultaneously. This mechanism allows for network paths to be segregated without using multiple devices, thereby increasing network security and eliminating the need for encryption and authentication. VRFs are generally used to create separate VPNs. Allowing Intrusion Prevention System (IPS) to be configured on a per-VRF basis means global parameters will be shared by multiple VPNs, providing VRF related information on the Security Device Event Exchange (SDEE) and syslog alerts. The following commands were introduced or modified: clear ip ips statistics, show ip ips |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.