CCNA Security Solution: Configure IOS Intrusion Prevention System (IPS) using CLI

Task 1: Enable IOS IPS

Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default xml files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.

Step 1. Verify network connectivity.
Ping from PC-C to PC-A. The ping should be successful.
Ping from PC-A to PC-C. The ping should be successful.

PC-C
PC>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=2ms TTL=125
Reply from 192.168.1.2: bytes=32 time=6ms TTL=125
Reply from 192.168.1.2: bytes=32 time=6ms TTL=125
Reply from 192.168.1.2: bytes=32 time=5ms TTL=125

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 4ms

PC-A
PC>ping 192.168.3.2

Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time=6ms TTL=125
Reply from 192.168.3.2: bytes=32 time=2ms TTL=125
Reply from 192.168.3.2: bytes=32 time=5ms TTL=125
Reply from 192.168.3.2: bytes=32 time=6ms TTL=125

Ping statistics for 192.168.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 4ms

Step 2. Create an IOS IPS configuration directory in flash.
On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.

R1
R1>en
Password:
R1#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
R1#

Step 3. Configure the IPS signature storage location.
On R1, configure the IPS signature storage location to be the directory you just created.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip ips config location ipsdir
R1(config)#

Step 4. Create an IPS rule.
On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.

R1(config)#ip ips name iosips
R1(config)#

Step 5. Enable logging.
IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, you see IPS syslog messages.
Enable syslog if it is not enabled.
Use the clock set command from privileged EXEC mode to reset the clock if necessary.
Verify that the timestamp service for logging is enabled on the router using the show run command. Enable the timestamp service if it is not enabled.
Send log messages to the Syslog server at IP address 192.168.1.50.

R1(config)#service timestamps log datetime msec
R1(config)#logging on
R1(config)#logging 192.168.1.50
*mar 01, 04:21:30.2121: SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.50 port 514 started - CLI initiated
R1(config)#ip ips notify log
R1(config)#

Step 6. Configure IOS IPS to use the signature categories.
Retire the all signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.

R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

R1(config)#

Step 7. Apply the IPS rule to an interface.
Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the Fa0/0 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means only traffic going out the interface.

R1(config)#int fa0/0
R1(config-if)#ip ips iosips out
R1(config-if)#
*mar 01, 04:33:47.3333:  %IPS-6-ENGINE_BUILDS_STARTED:  04:33:47 UTC mar 01 1993
*mar 01, 04:33:47.3333:  %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*mar 01, 04:33:47.3333:  %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*mar 01, 04:33:47.3333:  %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
R1(config-if)#

Task 2: Modify the Signature
Step 1. Change the event-action of a signature.
Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to alert, and drop.

R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm]
%IPS-6-ENGINE_BUILDS_STARTED:  
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms
R1(config)#

Step 2. Use show commands to verify IPS.
Use the show ip ips all command to see an IPS configuration status summary.
To which interfaces and in which direction is the iosips rule applied?

R1#show ip ips all
IPS Signature File Configuration Status
    Configured Config Locations: ipsdir
    Last signature default load time:
    Last signature delta load time:
    Last event action (SEAP) load time: -none-

    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled

IPS Signature Status
    Total Active Signatures: 1
    Total Inactive Signatures: 0

IPS Packet Scanning and Interface Status
    IPS Rule Configuration
      IPS name iosips
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Interface Configuration
      Interface FastEthernet0/0
        Inbound IPS rule is not set
        Outgoing IPS rule is iosips

IPS Category CLI Configuration:
    Category all
    Retire: True
    Category ios_ips basic
    Retire: False
R1#

Step 3. Verify that IPS is working properly.
From PC-C, attempt to ping PC-A. Were the pings successful? Why or why not?
From PC-A, attempt to ping PC-C. Were the pings successful? Why or why not?

PC-A
PC>ping 192.168.3.2

Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time=3ms TTL=125
Reply from 192.168.3.2: bytes=32 time=2ms TTL=125
Reply from 192.168.3.2: bytes=32 time=6ms TTL=125
Reply from 192.168.3.2: bytes=32 time=6ms TTL=125

Ping statistics for 192.168.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 4ms

PC>

PC-C
PC>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=3ms TTL=125
Reply from 192.168.1.2: bytes=32 time=2ms TTL=125
Reply from 192.168.1.2: bytes=32 time=6ms TTL=125
Reply from 192.168.1.2: bytes=32 time=2ms TTL=125

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 3ms

PC>

Step 4. View the Syslog messages.
Click on the Syslog server. Select the Config tab. In the left navigation menu, select SYSLOG to view the log file.
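An added example, not part of the lab, of what a defender does with the messages that reach the Syslog server at 192.168.1.50: parse the %IPS-4-SIGNATURE alerts, count them per signature and flow, and check that every alert is for traffic heading into the network behind Fa0/0, where the iosips rule is applied outbound (the example assumes Fa0/0 is R1's 192.168.1.0/24 interface). The log lines are constructed in the IOS IPS alert format using the lab's addresses; note that with event-action produce-alert alone, as configured in Task 2 Step 1, the router only alerts, which is why the pings in Step 3 still succeed.

```python
"""Parse the IOS IPS alerts that the Syslog server at 192.168.1.50 receives from R1."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of the syslog server's log file (not captured from the lab):
# the %IPS-4-SIGNATURE lines follow the IOS IPS alert format, with PC-C (192.168.3.2)
# pinging PC-A (192.168.1.2) after signature 2004/0 was set to produce-alert.
SAMPLE_LOG = """\
*Mar  1 04:21:30.212: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.50 port 514 started - CLI initiated
*Mar  1 04:33:47.333: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*Mar  1 04:40:02.101: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:0 -> 192.168.1.2:0] VRF:NONE RiskRating:25
*Mar  1 04:40:03.105: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:0 -> 192.168.1.2:0] VRF:NONE RiskRating:25
*Mar  1 04:40:04.110: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:0 -> 192.168.1.2:0] VRF:NONE RiskRating:25
*Mar  1 04:40:05.114: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:0 -> 192.168.1.2:0] VRF:NONE RiskRating:25
"""

# One alert line: signature, subsignature, severity, name, [src:port -> dst:port], optional VRF, risk rating
ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
    r"(?: VRF:\S+)? RiskRating:(?P<risk>\d+)"
)


@dataclass(frozen=True)
class IpsAlert:
    sig: int
    subsig: int
    severity: int
    name: str
    src: str
    dst: str
    risk: int


def parse_alerts(log_text):
    """One IpsAlert per %IPS-4-SIGNATURE line; engine-build and other syslog lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(IpsAlert(int(m["sig"]), int(m["subsig"]), int(m["sev"]),
                                   m["name"], m["src"], m["dst"], int(m["risk"])))
    return alerts


def summarize(alerts):
    """Count alerts per (sig, subsig, src, dst) so a burst of pings collapses to one row."""
    return Counter((a.sig, a.subsig, a.src, a.dst) for a in alerts)


def alerts_outside(alerts, network="192.168.1.0/24"):
    """Alerts whose destination is not on the given network. With the rule applied
    outbound on Fa0/0 (assumed to be R1's 192.168.1.0/24 side), every alert should be
    for traffic heading into that network; a non-empty result means the rule is not
    inspecting where it was intended to."""
    net = ipaddress.ip_network(network)
    return [a for a in alerts if ipaddress.ip_address(a.dst) not in net]


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    for (sig, subsig, src, dst), count in summarize(found).items():
        print(f"Sig {sig}/{subsig}: {count} alert(s) {src} -> {dst}")
    print("alerts not toward 192.168.1.0/24:", alerts_outside(found))
```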

PT Activity 7.6.1 Solution: Packet Tracer Skills Integration Challenge

Task 1: Configure and Verify Basic Device Configurations
Step 1. Configure basic commands.

Configure each switch with the following basic commands. Packet Tracer only grades the hostnames and default gateways.
Hostnames
Banner
Enable secret password
Line configurations
Service encryption
Switch default gateways

S1
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#banner motd #Welcome Authorized Users Unauthorized access prohibited!#
S1(config)#enable secret class
S1(config)#line vty 0 4
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#service password-encryption
S1(config)#ip default-gateway 172.17.99.1
S1(config)#

S2
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#banner motd #Welcome Authorized Users Unauthorized access prohibited!#
S2(config)#enable secret class
S2(config)#line vty 0 4
S2(config-line)#password cisco
S2(config-line)#login
S2(config-line)#exit
S2(config)#service password-encryption
S2(config)#ip default-gateway 172.17.99.1
S2(config)#

S3
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname S3
S3(config)#banner motd #Welcome Authorized Users Unauthorized access prohibited!#
S3(config)#enable secret class
S3(config)#line vty 0 4
S3(config-line)#password cisco
S3(config-line)#login
S3(config-line)#exit
S3(config)#service password-encryption
S3(config)#ip default-gateway 172.17.99.1
S3(config)#

Step 2. Configure the management VLAN interface on S1, S2, and S3.
Create and enable interface VLAN 99 on each switch. Use the addressing table for address configuration.

S1
S1(config)#int vlan 99
S1(config-if)#ip address 172.17.99.31 255.255.255.0
S1(config-if)#exit
S1(config)#

S2
S2(config)#int vlan 99
S2(config-if)#ip address 172.17.99.32 255.255.255.0
S2(config-if)#exit
S2(config)#

S3
S3(config)#int vlan 99
S3(config-if)#ip address 172.17.99.33 255.255.255.0
S3(config-if)#exit
S3(config)#

Step 3. Check results.
Your completion percentage should be 13%. If not, click Check Results to see which required components are not yet completed.

Task 2: Configure VTP
Step 1. Configure the VTP mode on all three switches.

Configure S1 as the server. Configure S2 and S3 as clients.

S1
S1(config)#vtp mode server
Setting device to VTP SERVER mode.
S1(config)#

S2
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#

S3
S3(config)#vtp mode client
Setting device to VTP CLIENT mode.
S3(config)#

Step 2. Configure the VTP domain name on all three switches.
Use CCNA as the VTP domain name.

S1
S1(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
S1(config)#

S2
S2(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
S2(config)#

S3
S3(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
S3(config)#

Step 3. Configure the VTP domain password on all three switches.
Use cisco as the VTP domain password.

S1
S1(config)#vtp password cisco
Setting device VLAN database password to cisco
S1(config)#

S2
S2(config)#vtp password cisco
Setting device VLAN database password to cisco
S2(config)#

S3
S3(config)#vtp password cisco
Setting device VLAN database password to cisco
S3(config)#

Step 4. Check results.
Your completion percentage should be 21%. If not, click Check Results to see which required components are not yet completed.

Task 3: Configure Trunking
Step 1. Configure trunking on S1, S2, and S3.

Configure the appropriate interfaces as trunks and assign VLAN 99 as the native VLAN.

S1
S1(config)#interface range f0/1 - f0/5
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport trunk native vlan 99
S1(config-if-range)#no sh
S1(config-if-range)#exit

S2
S2(config)#interface range f0/1 - f0/4
S2(config-if-range)#switchport mode trunk
S2(config-if-range)#switchport trunk native vlan 99
S2(config-if-range)#no sh
S2(config-if-range)#exit
S2(config)#

S3
S3(config)#interface range f0/1 - f0/4
S3(config-if-range)#switchport mode trunk
S3(config-if-range)#switchport trunk native vlan 99
S3(config-if-range)#no sh
S3(config-if-range)#exit
S3(config)#

Step 2. Check results.
Your completion percentage should be 44%. If not, click Check Results to see which required components are not yet completed.

Task 4: Configure VLANs
Step 1. Create the VLANs on S1.

Create and name the following VLANs on S1 only. VTP advertises the new VLANs to S2 and S3.
VLAN 10 Faculty/Staff
VLAN 20 Students
VLAN 88 Wireless(Guest)
VLAN 99 Management&Default

S1
S1(config)#vlan 10
S1(config-vlan)#name Faculty/Staff
S1(config-vlan)#exit
S1(config)#vlan 20
S1(config-vlan)#name Students
S1(config-vlan)#exit
S1(config)#vlan 88
S1(config-vlan)#name Wireless(Guest)
S1(config-vlan)#exit
S1(config)#vlan 99
S1(config-vlan)#name Management&Default
S1(config-vlan)#exit
S1(config)#

Step 2. Verify that VLANs have been sent to S2 and S3.
Use the appropriate commands to verify that S2 and S3 now have the VLANs you created on S1. It may take a few minutes for Packet Tracer to simulate the VTP advertisements.

S2
S2#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   Faculty/Staff                    active    
20   Students                         active    
88   Wireless(Guest)                  active    
99   Management&Default               active    
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

S3
S3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
10   Faculty/Staff                    active    
20   Students                         active    
88   Wireless(Guest)                  active    
99   Management&Default               active    
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Step 3. Check results.
Your completion percentage should be 54%. If not, click Check Results to see which required components are not yet completed.

Task 5: Assign VLANs to Ports
Step 1. Assign VLANs to access ports on S2 and S3.

Assign the PC access ports to VLANs:
VLAN 10: PC1
VLAN 20: PC2
Assign the wireless router access ports to VLAN 88.

S2
S2(config)#int fa 0/11
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 10
S2(config-if)#int fa 0/18
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 20
S2(config-if)#int fa 0/7
S2(config-if)#switchport mode access
S2(config-if)#switchport access vlan 88
S2(config-if)#exit
S2(config)#

S3
S3(config)#int fa 0/7
S3(config-if)#switchport mode access
S3(config-if)#switchport access vlan 88
S3(config-if)#exit
S3(config)#

Step 2. Verify VLAN Implementation.
Use the appropriate commands to verify your VLAN implementation.

S2#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gig1/1, Gig1/2
10   Faculty/Staff                    active    Fa0/11
20   Students                         active    Fa0/18
88   Wireless(Guest)                  active    Fa0/7
99   Management&Default               active    
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

S3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gig1/1
                                                Gig1/2
10   Faculty/Staff                    active    
20   Students                         active    
88   Wireless(Guest)                  active    Fa0/7
99   Management&Default               active    
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Step 3. Check results.
Your completion percentage should be 61%. If not, click Check Results to see which required components are not yet completed.

Task 6: Configure STP
Step 1. Ensure that S1 is the root bridge for all spanning tree instances.
Use a priority of 4096.

S1
S1(config)#spanning-tree vlan 1,10,20,88,99 priority 4096

Step 2. Verify that S1 is the root bridge.

S1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     0040.0B60.D3DB
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097  (priority 4096 sys-id-ext 1)
             Address     0040.0B60.D3DB
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     0040.0B60.D3DB
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4106  (priority 4096 sys-id-ext 10)
             Address     0040.0B60.D3DB
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     0040.0B60.D3DB
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4116  (priority 4096 sys-id-ext 20)
             Address     0040.0B60.D3DB
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p

VLAN0088
  Spanning tree enabled protocol ieee
  Root ID    Priority    4184
             Address     0040.0B60.D3DB
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4184  (priority 4096 sys-id-ext 88)
             Address     0040.0B60.D3DB
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p

VLAN0099
  Spanning tree enabled protocol ieee
  Root ID    Priority    4195
             Address     0040.0B60.D3DB
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4195  (priority 4096 sys-id-ext 99)
             Address     0040.0B60.D3DB
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p

Step 3. Check results.
Your completion percentage should be 66%. If not, click Check Results to see which required components are not yet completed.
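An added verification script, not part of the activity, for the check in Step 2: it parses show spanning-tree text in the format shown above and reports any VLAN where this switch is not the root bridge or where the bridge priority is not 4096 plus the VLAN ID (the sys-id-ext value). The sample text is a constructed excerpt with two of S1's VLANs; the same functions run over the full output of any switch, so on S2 or S3 they report the root being another bridge, as expected there.

```python
"""Check from `show spanning-tree` output that one switch is the root bridge for every VLAN."""
import re

# Constructed excerpt in the format of the S1 output above (two of the five VLANs).
# The bridge priority shown is the configured 4096 plus the VLAN ID (sys-id-ext).
SHOW_STP = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     0040.0B60.D3DB
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097  (priority 4096 sys-id-ext 1)
             Address     0040.0B60.D3DB
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

VLAN0099
  Spanning tree enabled protocol ieee
  Root ID    Priority    4195
             Address     0040.0B60.D3DB
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4195  (priority 4096 sys-id-ext 99)
             Address     0040.0B60.D3DB
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
"""

VLAN_HEADER = re.compile(r"^VLAN(\d{4})[ \t]*$", re.M)
ROOT_ID = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+(\S+)")
BRIDGE_ID = re.compile(
    r"Bridge ID\s+Priority\s+(\d+)\s+\(priority (\d+) sys-id-ext (\d+)\)\s+Address\s+(\S+)")


def parse_show_spanning_tree(text):
    """Return {vlan_id: info} for each VLAN block; info holds root and bridge priority/address."""
    parts = VLAN_HEADER.split(text)          # ['', '0001', body, '0099', body]
    parsed = {}
    for vid, body in zip(parts[1::2], parts[2::2]):
        root = ROOT_ID.search(body)
        bridge = BRIDGE_ID.search(body)
        if not (root and bridge):
            continue                         # malformed block: skip rather than guess
        parsed[int(vid)] = {
            "root_priority": int(root.group(1)),
            "root_address": root.group(2),
            "bridge_priority": int(bridge.group(1)),
            "configured_priority": int(bridge.group(2)),
            "sys_id_ext": int(bridge.group(3)),
            "bridge_address": bridge.group(4),
            "is_root": "This bridge is the root" in body,
        }
    return parsed


def audit_root(parsed, expected_vlans, configured=4096):
    """List the problems that stop this switch from being the intended root.
    An empty list means: root of every expected VLAN, with priority configured + VLAN ID."""
    problems = []
    for vid in expected_vlans:
        info = parsed.get(vid)
        if info is None:
            problems.append(f"VLAN {vid}: no spanning-tree instance in output")
            continue
        if not info["is_root"] or info["root_address"] != info["bridge_address"]:
            problems.append(f"VLAN {vid}: root bridge is {info['root_address']}, not this switch")
        if info["bridge_priority"] != configured + vid:
            problems.append(
                f"VLAN {vid}: bridge priority {info['bridge_priority']} != {configured} + {vid}")
    return problems


if __name__ == "__main__":
    report = audit_root(parse_show_spanning_tree(SHOW_STP), [1, 99])
    print("\n".join(report) or "this switch is root for all expected VLANs")
```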

Task 7: Configure Router-on-a-Stick Inter-VLAN Routing
Step 1. Configure subinterfaces.

Configure the Fa0/1 subinterfaces on R1 using the information from the addressing table.

R1
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fa 0/1.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 172.17.10.1 255.255.255.0
R1(config-subif)#exit
R1(config)#interface fa 0/1.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 172.17.20.1 255.255.255.0
R1(config-subif)#exit
R1(config)#interface fa0/1.88
R1(config-subif)#encapsulation dot1Q 88
R1(config-subif)#ip address 172.17.88.1 255.255.255.0
R1(config-subif)#exit
R1(config)#interface fa0/1.99
R1(config-subif)#encapsulation dot1Q 99 native
R1(config-subif)#ip address 172.17.99.1 255.255.255.0
R1(config-subif)#exit

Step 2. Check results.
Your completion percentage should be 79%. If not, click Check Results to see which required components are not yet completed.

Task 8: Configure Wireless Connectivity
Step 1. Configure IP Addressing for WRS2 and WRS3.

Configure LAN settings and then static addressing on the Internet interfaces for both WRS2 and WRS3 using the addresses from the topology.

Note: A bug in Packet Tracer may prevent you from assigning the static IP address first. A workaround for this issue is to configure the LAN settings first under Network Setup. Save the settings. Then configure the static IP information under Internet Connection Type and save settings again.

Step 2. Configure wireless network settings.
The SSIDs for the routers are WRS2_LAN and WRS3_LAN, respectively.
The WEP key for both is 12345ABCDE.

Step 3. Configure the wireless routers for remote access.
Configure the administration password as cisco123.
Enable remote management.

Step 4. Configure PC3 and PC4 to access the network using DHCP.
PC3 connects to the WRS2_LAN, and PC4 connects to the WRS3_LAN.

Nagios, Nconf and Nrpe on Debian/Ubuntu, part 3/3

NRPE configuration

Configuration on the remote machine:
Create a new nagios user and assign it a password.
/usr/sbin/useradd nagios
passwd nagios

Download and extract the nagios plugins
wget https://www.nagios-plugins.org/download/nagios-plugins-1.5.tar.gz

apt-get install libssl-dev
tar zxvf nagios-plugins-1.5.tar.gz
cd nagios-plugins-1.5

Compile and install the plugins.
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

The plugin permissions need to be fixed, so run these commands.
chown nagios.nagios /usr/local/nagios
chown -R nagios.nagios /usr/local/nagios/libexec

Install the NRPE daemon as a service under xinetd.
apt-get install xinetd

wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
tar zxvf nrpe-2.15.tar.gz
cd nrpe-2.15

./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/i386-linux-gnu/
make all

For 64-bit users:
ln -s /usr/lib/x86_64-linux-gnu/libssl.so /usr/lib/libssl.so
./configure
make all

Install the NRPE plugin (for testing), the daemon, and the sample daemon config file.
make install-plugin
make install-daemon
make install-daemon-config

Install the NRPE daemon service under xinetd.
make install-xinetd

Edit the file /etc/xinetd.d/nrpe and add the IP address of the server where Nagios is installed to the only_from entry.
only_from = 127.0.0.1 <nagios_ip_address>

Save and exit
:wq

Add this line for the NRPE daemon to the file /etc/services
nrpe 5666/tcp # NRPE

Save and exit
:wq

Restart the xinetd service
service xinetd restart

Test NRPE locally
Make sure the NRPE daemon is running under xinetd
netstat -at | grep nrpe

The output should look something like this:
tcp 0 0 *:nrpe *:* LISTEN

Configuration on the Nagios machine:
Install the NRPE plugin on the machine where nagios runs
wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
tar zxvf nrpe-2.15.tar.gz
cd nrpe-2.15

./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/i386-linux-gnu/
make all
make install-plugin

For 64-bit users:
ln -s /usr/lib/x86_64-linux-gnu/libssl.so /usr/lib/libssl.so
./configure
make all
make install-plugin

Test the communication between the host machine and the remote machine.
/usr/local/nagios/libexec/check_nrpe -H <ip_address_remote_machine>

The output displayed should be like this:
NRPE v2.15

Configure Nconf with the NRPE commands (some of them)
In the file /usr/local/nagios/etc/nrpe.cfg you can see these lines:

#Check current users
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10      

#Current Load
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20

#Root Partition
command[check_sda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/sda1

#Zombie Processes
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z

#Total Processes
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200

#Swap Usage
command[check_remote_swap]=/usr/local/nagios/libexec/check_swap -w 70% -c 90%

Before using check_disk, make sure you have the right /dev/xxx path, as in the example:

df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       109G   18G   86G  17% /

Configure Nconf to use NRPE:
In the Nconf menu, click ADD under the checkcommands option and enter:

check command name: check_users
default service name: Check Users
check command line: $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_users

Default service template: generic_service

Then click submit.

Now the command is ready to be added as a service on one of the machines to be monitored.
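As an added example, not from the post or the NRPE project, here is the wire exchange behind the check_nrpe test above (which returns "NRPE v2.15") and behind the check_users command line configured in Nconf: NRPE v2 packets are fixed 1036-byte structures protected by a CRC32, the client sends only a command name, and the daemon runs nothing but the command names defined in nrpe.cfg. The command table and its outputs are constructed stand-ins for the nrpe.cfg lines, and the daemon side is emulated in-process, with no socket or SSL.

```python
"""NRPE v2 packets (the format check_nrpe 2.x and the nrpe daemon exchange), built and parsed offline."""
import struct
import zlib

# NRPE v2 packet, network byte order:
#   int16 version, int16 type, uint32 crc32, int16 result_code, char buffer[1024], 2 bytes padding
PACKET_FMT = "!hhIh1024s2x"
PACKET_LEN = struct.calcsize(PACKET_FMT)      # 1036 bytes on the wire
NRPE_VERSION_2 = 2
QUERY_PACKET, RESPONSE_PACKET = 1, 2
MAX_BUFFER = 1024
STATE_OK, STATE_WARNING, STATE_CRITICAL, STATE_UNKNOWN = 0, 1, 2, 3


def _pack(packet_type, result_code, text):
    """Serialize one packet; the CRC32 covers the whole packet with the crc field set to zero."""
    payload = text.encode()
    if len(payload) >= MAX_BUFFER:
        raise ValueError("text does not fit the 1024-byte NRPE v2 buffer")
    # The real programs fill the unused buffer with random bytes; zeros keep this deterministic.
    buf = payload + b"\x00" * (MAX_BUFFER - len(payload))
    zeroed = struct.pack(PACKET_FMT, NRPE_VERSION_2, packet_type, 0, result_code, buf)
    crc = zlib.crc32(zeroed) & 0xFFFFFFFF
    return struct.pack(PACKET_FMT, NRPE_VERSION_2, packet_type, crc, result_code, buf)


def build_query(command):
    return _pack(QUERY_PACKET, STATE_OK, command)


def build_response(result_code, output):
    return _pack(RESPONSE_PACKET, result_code, output)


def parse_packet(data):
    """Check length, version and CRC; return (packet_type, result_code, text)."""
    if len(data) != PACKET_LEN:
        raise ValueError(f"bad packet length {len(data)}")
    version, ptype, crc, result, buf = struct.unpack(PACKET_FMT, data)
    if version != NRPE_VERSION_2:
        raise ValueError(f"unsupported NRPE packet version {version}")
    # Recompute over the raw bytes (not re-packed fields) so random filler is covered too.
    if zlib.crc32(data[:4] + b"\x00\x00\x00\x00" + data[8:]) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch")
    text = buf.split(b"\x00", 1)[0].decode(errors="replace")
    return ptype, result, text


def is_valid(data):
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


# Constructed stand-in for the command[...] lines of nrpe.cfg: name -> (exit code, output).
FAKE_COMMANDS = {
    "check_users": (STATE_OK, "USERS OK - 1 users currently logged in"),
    "check_load": (STATE_WARNING, "WARNING - load average: 16.02, 9.20, 4.10"),
}


def daemon_handle(query_bytes, commands=FAKE_COMMANDS, version_string="NRPE v2.15"):
    """Emulated daemon side: only command names defined in nrpe.cfg run; anything else
    is refused with UNKNOWN. The client names a command, it never sends a command line."""
    ptype, _, command = parse_packet(query_bytes)
    if ptype != QUERY_PACKET:
        return build_response(STATE_UNKNOWN, "NRPE: Invalid packet type received from server")
    if command == "_NRPE_CHECK":                  # what check_nrpe -H <host> with no -c sends
        return build_response(STATE_OK, version_string)
    if command not in commands:
        return build_response(STATE_UNKNOWN, f"NRPE: Command '{command}' not defined")
    code, output = commands[command]
    return build_response(code, output)


def run_check(command):
    """Client side of check_nrpe -c <command>, minus the socket: returns (exit code, output)."""
    ptype, code, text = parse_packet(daemon_handle(build_query(command)))
    if ptype != RESPONSE_PACKET:
        raise ValueError("expected a response packet")
    return code, text


if __name__ == "__main__":
    for cmd in ("_NRPE_CHECK", "check_users", "check_load", "not_in_cfg"):
        print(cmd, "->", run_check(cmd))
```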


Nagios, Nconf and Nrpe on Debian/Ubuntu, part 2/3

Let's move on to installing and configuring nconf 1.3.0

Change to the /var/www directory

cd /var/www
wget http://sourceforge.net/projects/nconf/files/nconf/1.3.0-0/nconf-1.3.0-0.tgz
tar zxvf nconf-1.3.0-0.tgz

cd /var/www/nconf
chmod 777 config/
chmod 777 output/
chmod 777 static_cfg/
chmod 777 temp/

now, from the browser, type:

http://indirizzo_ip/nconf

Start the Nconf configuration

enter the database details

Nconf path: /var/www/nconf

Nagios path: /usr/local/nagios/bin/nagios

for better security, enable auth_enabled and set a password.

Before clicking finish, delete the following files:

rm -rf INSTALL
rm -rf UPDATE
rm INSTALL.php
rm UPDATE.php

now all that is left is to click finish and enter the username and password
username: admin
password: the one you chose

Bug: nconf also has a bug. To fix it, download the patch from this website:
http://forum.nconf.org/viewtopic.php?f=17&t=872#p3050

nconf-1.3.0-0_not_used_advanced_services_wont_be_written.patch.zip

unzip nconf-1.3.0-0_not_used_advanced_services_wont_be_written.patch.zip
cp nconf-1.3.0-0_not_used_advanced_services_wont_be_written.patch /var/www/nconf
patch -p0 --verbose < nconf-1.3.0-0_not_used_advanced_services_wont_be_written.patch

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- bin/lib/NConf/ExportNagios.pm.orig    2011-12-24 13:57:38.620626845 +0100
|+++ bin/lib/NConf/ExportNagios.pm    2011-12-24 14:02:16.870751718 +0100
--------------------------
Patching file bin/lib/NConf/ExportNagios.pm using Plan A...
Hunk #1 succeeded at 1014.
Hunk #2 succeeded at 1078.
Hunk #3 succeeded at 1111.
done

now copy nagios.cfg to /var/www/nconf/static_cfg
first make a backup copy of nagios.cfg

cp /usr/local/nagios/etc/nagios.cfg /usr/local/nagios/etc/nagios.cfg.orig
cp /usr/local/nagios/etc/nagios.cfg /var/www/nconf/static_cfg/

edit the nagios.cfg file in /var/www/nconf/static_cfg
vim nagios.cfg

comment out all the cfg_file and cfg_dir lines and insert these:

cfg_dir=/usr/local/nagios/etc/global
cfg_dir=/usr/local/nagios/etc/Default_collector

save and exit:
:wq

Now set the permissions on etc and nagios.log
chmod 777 /usr/local/nagios/var/nagios.log
chmod -R 777 /usr/local/nagios/etc/

another nconf bug:

Add the line "define('CHECK_STATIC_SYNTAX', 0);" to the file /config/nconf.php

save and exit:
:wq

then copy the image logos:

cp -R /var/www/nconf/img /usr/local/nagios/share/images

Configure automatic deployment to nagios:

open the file /var/www/nconf/config/deployment.ini
and change the following lines as written here:

vim /var/www/nconf/config/deployment.ini

;; LOCAL deployment ;;

[extract config]
type        = local
source_file = "/var/www/nconf/output/NagiosConfig.tgz"
target_file = "/tmp/"
action      = extract

[copy collector config]
type        = local
source_file = "/tmp/Default_collector/"
target_file = "/usr/local/nagios/etc/Default_collector/"
action      = copy

[copy global config]
type        = local
source_file = "/tmp/global/"
target_file = "/usr/local/nagios/etc/global/"
action      = copy

[copy nagios.cfg]
type        = local
source_file = "/tmp/static_cfg/nagios.cfg"
target_file = "/usr/local/nagios/etc/nagios.cfg"
action      = copy
reload_command = "echo password | sudo /etc/init.d/nagios reload"

Save and exit:
:wq

the nagios reload must be done as the superuser, so my solution uses "echo password | sudo /etc/init.d/nagios reload"

Now Nconf is configured to interact with Nagios.