1. Topology:

(topology diagram not reproduced)

Reference (found via a Google search): the MAC address of the sensor interface can be obtained by logging in to the IPS with the service account and running ifconfig -a, as shown in the figure below (figure not reproduced).

2. Basic configuration:

R1:
    interface FastEthernet0/0
     ip address 10.1.13.1 255.255.255.0
     no shut
    ip route 0.0.0.0 0.0.0.0 10.1.13.3

R2:
    interface FastEthernet0/0
     ip address 10.1.23.2 255.255.255.0
     no shut
    ip route 0.0.0.0 0.0.0.0 10.1.23.3

R3:
    interface FastEthernet0/0
     ip address 10.1.13.3 255.255.255.0
     no shut
    interface FastEthernet0/1
     ip address 10.1.23.3 255.255.255.0
     no shut

3. Basic IP Traffic Export configuration on the router:

① Create a traffic export profile:

    ip traffic-export profile test
     interface FastEthernet1/0
     mac-address 000c.2920.d8d5   <this is the IDS's MAC; the sensor must be directly connected or in the same VLAN>

The MAC address is that of the sensor interface on the IPS that receives the exported traffic; it can be obtained by logging in to the IPS with the service account and running ifconfig -a.

② Apply the profile on the interface whose traffic is to be exported:

    interface FastEthernet0/0
     ip traffic-export apply test

4. IPS configuration:

A. Confirm that interface g0/1 is enabled (screenshot not reproduced).

B. Assign g0/1 to the virtual sensor (screenshot not reproduced).

C. A large volume of pings produces events on the IPS:

    R1#ping 10.1.23.2 repeat 100
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (100/100), round-trip min/avg/max = 4/47/172 ms
    R1#

    evIdsAlert: eventId=1185793501059155079 vendor=Cisco severity=informational
      originator:
        hostId: ips4215
        appName: sensorApp
        appInstanceId: 340
      time: 2012年8月19日 上午09时57分50秒 offset=0 timeZone=UTC
      signature: description=ICMP Echo Request id=2004 version=S1
        subsigId: 0
      interfaceGroup:
      vlan: 0
      participants:
        attacker:
          addr: 10.1.13.1 locality=OUT
        target:
          addr: 10.1.23.2 locality=OUT
      actions:
        denyAttackerServicePairRequestedNotPerformed: true
      riskRatingValue: 25
      interface: ge0_1
      protocol: icmp
    evIdsAlert: eventId=1185793501059155080 vendor=Cisco severity=medium
      originator:
        hostId: ips4215
        appName: sensorApp
        appInstanceId: 340
      time: 2012年8月19日 上午09时57分51秒 offset=0 timeZone=UTC
      signature: description=ICMP Flood id=2152 version=S1
        subsigId: 0
      interfaceGroup:
      vlan: 0
      participants:
        attacker:
          addr: 10.1.13.1 locality=OUT
        target:
          addr: 10.1.23.2 locality=OUT
      riskRatingValue: 75
      interface: ge0_1
      protocol: icmp

5. Other IP Traffic Export options on the router:

A. Export traffic in both directions:

    ip traffic-export profile test
     interface FastEthernet1/0
     bidirectional
     mac-address 000c.2920.d8d5

B. Traffic filtering:

    ip traffic-export profile test
     interface FastEthernet1/0
     bidirectional
     incoming access-list incoming.acl
     outgoing access-list outgoing.acl
     mac-address 000c.2920.d8d5

C. Traffic sampling:

    ip traffic-export profile test
     interface FastEthernet1/0
     bidirectional
     incoming access-list incoming.acl
     outgoing access-list outgoing.acl
     mac-address 000c.2920.d8d5
     incoming sample one-in-every 2
     outgoing sample one-in-every 3

Reposted from: http://amrta.baihongyu.com/
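As an added example (not code from the original post), a small parser that turns the sensor's evIdsAlert output from section 4 into records and flags the alerts whose risk rating reaches a threshold, so the informational Echo Request (25) and the medium ICMP Flood (75) can be told apart offline; the sample text is constructed from the two alerts above, laid out as the sensor CLI prints them.

```python
import re
# Constructed sample modelled on the two alerts in the post (same values, indented as the sensor CLI prints them).
SAMPLE_EVENTS = """\
evIdsAlert: eventId=1185793501059155079 vendor=Cisco severity=informational
  signature: description=ICMP Echo Request id=2004 version=S1
  participants:
    attacker:
      addr: 10.1.13.1 locality=OUT
    target:
      addr: 10.1.23.2 locality=OUT
  riskRatingValue: 25
evIdsAlert: eventId=1185793501059155080 vendor=Cisco severity=medium
  signature: description=ICMP Flood id=2152 version=S1
  participants:
    attacker:
      addr: 10.1.13.1 locality=OUT
    target:
      addr: 10.1.23.2 locality=OUT
  riskRatingValue: 75
"""

# One regex per field; \s* tolerates both indented and flattened output.
FIELDS = {
    "event_id": r"eventId=(\d+)",
    "severity": r"severity=(\w+)",
    "sig_desc": r"description=(.+?)\s+id=\d+",
    "sig_id": r"description=.+?\s+id=(\d+)",
    "attacker": r"attacker:\s*addr:\s*([\d.]+)",
    "target": r"target:\s*addr:\s*([\d.]+)",
    "risk": r"riskRatingValue:\s*(\d+)",
}

def parse_alerts(text):
    """Split 'show events' output into evIdsAlert records, one dict each."""
    alerts = []
    for chunk in re.split(r"(?=evIdsAlert:)", text):
        if not chunk.startswith("evIdsAlert:"):
            continue  # text before the first record (e.g. a prompt)
        rec = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, chunk)
            rec[name] = m.group(1) if m else ""
        rec["risk"] = int(rec["risk"] or 0)
        alerts.append(rec)
    return alerts

def high_risk(alerts, threshold=50):
    """Alerts at or above the threshold: the ICMP Flood (75), not the Echo (25)."""
    return [a for a in alerts if a["risk"] >= threshold]
```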