ISCW – Course 1
Page Type: exercise
Introduction
The title of this exercise is “Removing Cable Modem and CPE Entries
from the CMTS by Configuring the Cisco CMTS Static CPE Override.” The
Cable Modem Termination System (CMTS) Dynamic Host Configuration
Protocol (DHCP) server dynamically assigns Internet Protocol (IP)
addresses to requesting cable modems, for data/voice communication
sessions between the CMTS headend and the subscriber. The Customer
Premise Equipment (CPE) devices receive a DHCP-assigned IP address
from the CMTS along with a MAC address that is configured behind the
cable modem with a service ID (SID), and assigned to the IP address.
However, various restrictions exist for CPE devices; one, in particular, is
that:

An original CPE device (with the original MAC address and SID) is
not allowed behind a different cable modem with the original IP
address. If this restriction were not in place, the original cable
modem (with the original IP address and SID) would experience
interrupted service.
The CPE Override is a feature that can be configured by a Cisco-trained,
field service technician, for the purpose of correcting an original CPE
device (with the original MAC address and SID) from supporting a second
SID or IP address through a second cable modem.
To do so, a Cisco-trained field service technician will enable the Cisco
CMTS Static CPE Override feature, which is disabled by default. The
Cisco-trained field service technician takes a laptop onsite and executes the
‘cable submgmt default’ command statement to assume an existing IP
address and service ID (SID) behind a cable modem. In this exercise, a
Cisco uBR10012 router is being used.
This procedure will ensure that the original CPE device reclaims its IP
address using DHCP.
Step 1
The Cisco-trained field service technician and the ‘cable submgmt default’
command statement will accomplish the following tasks:
1. The original CPE device will continue to receive service, but will be
assigned a static IP address from the Cisco CMTS
2. The newly-assigned static IP address will override the DHCP-assigned
IP address without first clearing the DHCP CPE device
from the CMTS routing tables
3. The original CPE device will automatically change from ‘dhcp cpe’
to ‘static cpe’ in the CMTS host routing tables, and the CPE device
will continue to receive service with the same SID
4. Additional CPE devices will be able to share the same IP address
and SID as the original CPE device
Step 2
Enable privileged EXEC mode and enter a password, if prompted.
Command statement:
Router> enable
Step 3
Enter the Cisco global configuration mode, to configure terminal.
Command statement:
Router# config t
Step 4
Enable the Cisco CMTS Static CPE Override feature behind the
subscriber’s cable modem.
Command statement:
Router(config)# cable submgmt default active
This will change the subscriber’s CPE device from ‘dhcp cpe’ to ‘static
cpe’ in the CMTS host routing tables.
Step 5
The Cisco-trained field technician would enable a filter group ID (0-1024)
to be applied for the CM or CPE, downstream or upstream filter. This
causes one or more temporary CPE devices behind the subscriber's cable
modem to operate within the cable modem's downstream or upstream
filter group.
Command statement:
Router(config)# cable submgmt default filter-group {cm | cpe}
{downstream | upstream} group-id
Step 6
Set the default to true (the default value), to specify that the CMTS is to
learn the IP addresses for the CPE devices behind the CM, up to the
value specified by the MAX-CPE parameter. The CMTS will learn the IP
addresses by monitoring the traffic sent by the CPE devices, and the first
CPE devices to transmit traffic will be the first CPE devices to be learned.
This will enable one or more temporary CPE devices behind a
subscriber's cable modem to learn and operate within the routing table
defined on the Cisco CMTS.
Command statement:
Router(config)# cable submgmt default learnable
Step 7
The Cisco-trained field technician will then set the maximum number of
CPE devices (0 to 1024; shown after the ‘max-cpe’ parameter in the
command statement) that will be allowed behind a subscriber's cable
modem. And, of course, each device will inherit the SID settings as
defined by the subscriber's current SID.
Command statement:
Router(config)# cable submgmt default max-cpe 6
Step 8
Next, the Cisco-trained field technician must configure a specified
interface in interface configuration mode. The subslot is required syntax
for the Cisco uBR10012 router, but is not used for the Cisco uBR7246VXR
or Cisco uBR7100 series routers.
Command statement:
Router(config)# interface 8/1/0
Step 9
Then, the Cisco-trained field technician must set a primary or secondary
IP address for a CPE device, and use the ‘ip address ip-address mask
[secondary]’ command statement in interface configuration mode. The IP
address is the static IP address for the CPE device, and [secondary] as an
optional parameter would specify that the configured address is a
secondary IP address. As with other command statements in this
exercise, use the ‘no’ form of the command to remove or disable the
configuration setting.
Command statement:
Router(config-if)# ip address 131.109.2.8 255.255.255.0
Step 10
Once steps 1 through 8 are completed, the Cisco-trained service
technician may need to conduct onsite CPE troubleshooting based on the
objective of ensuring that cable modem and CPE entries are removed
from the display, when executing the ‘show cable modem’ command
statement.
Step 11
Next, the Cisco-trained service technician executes the Ctrl^z command
statement to return to global configuration mode.
Router(config-if)# Ctrl^z
Step 12
Then, the Cisco-trained service technician needs to:
- disable Static CPE override
- return the on-site CPE device(s) and cable modem to their original
  DHCP state (dynamic IP address with associated SID); and,
- clear the CPE cable modem host from the Cisco router's internal
  address tables in privileged EXEC mode.
Command statement:
Router(config)# no cable submgmt default
-or-
Router(config)# clear cable host
Step 13
Once the work is completed, the Cisco-trained service technician will
return the prompt to privileged EXEC mode.
Command statement:
EXIT
Then, execute a proper Telnet disconnection from the Cisco router.
Command statement:
QUIT
ISCW – Course 2
Page Type: exercise
Introduction
Configuring MPLS on a Frame Mode Interface
In global configuration mode, enable MPLS globally on the router:
Router(config)# mpls ip
While MPLS is enabled by default, the global ‘mpls ip’ command re-enables it.
Move to interface configuration mode for the frame mode interface that
you want to configure; let’s use interface FastEthernet 0/0.
Router(config)# interface fastethernet 0/0
In interface configuration mode, enable MPLS on the specified interface:
Router(config-if)# mpls ip
At this point TDP, LDP or both can be enabled on the frame mode
interface. First, to enable TDP (Tag Distribution Protocol) on this interface,
enter the following Cisco command statement:
Router(config-if)# mpls label protocol tdp
TDP is a Cisco proprietary protocol, and Cisco has changed from TDP to a
fully compliant LDP (Label Distribution Protocol). LDP is the default
protocol on Cisco IOS 12.4(3) and later. TDP is the default protocol on
older releases.
Then, to enable LDP on the frame mode interface, enter the following
Cisco command statement:
Router(config-if)# mpls label protocol ldp
To enable both TDP and LDP on this interface, enter the following Cisco
command statement:
Router(config-if)# mpls label protocol both
ISCW – Course 3
Page Type: exercise
Introduction
Create a Crypto Configuration for the Cisco IOS Router
In this intermediate network, we want to create a crypto configuration and
define a VPN tunnel with IPSec-encapsulated GRE between Router3 and
Router4.
We will need to configure each router. We start on Router3, in
configuration mode, and enable ‘crypto’ with ISAKMP using the following
Cisco command statement:
Router3(config)# crypto isakmp enable
Next, identify the hostname:
Router3(config)# crypto isakmp identity hostname
Define an ISAKMP numbered policy with encryption algorithm and RSA
encryption key authentication mode.
Router3(config)# crypto isakmp policy 1
Router3(config-isakmp)# authentication rsa-encr
Next, create ‘permit’ access list 131 to permit GRE host 10.1.1.1 and host
10.1.1.2 traffic. The access list defines the traffic that has to be protected.
This ACL is only allowed to have one entry for manual IPSec:
Router3(config)# access-list 131 permit gre host 10.1.1.1 host 10.1.1.2
Define a transform set, which is a Cisco abstraction for a certain
combination of protocols to be applied to a particular conduit, and change
the mode to ‘transport.’
Router3(config)# crypto ipsec transform-set test esp-des esp-sha-hmac
Router3(cfg-crypto-trans)# mode transport
Router3(cfg-crypto-trans)# exit
Router3(config)#
Create a crypto map named ‘XYZ,’ configuring IP and IPSec-ISAKMP
mode. The map set's sequence number is 10, which is used to rank
multiple entries within one crypto map set, so that the lower the
sequence number, the higher the priority.
Router3(config)# crypto map XYZ 10 ip
Router3(config)# crypto map XYZ 10 ipsec-is
Next, enable the new crypto map by configuring a peer and a valid access
list. Match access list 131 (as created earlier in this exercise), and
associate the access list with the two peers.
Router3(config-crypto-map)# set transform-set test
Router3(config-crypto-map)# match address 131
Router3(config-crypto-map)# set peer 10.1.1.2
Router3(config-crypto-map)#
Router3(config)# access-list 131 permit gre host 10.1.1.1 host 10.1.1.2
Next, create the actual GRE tunnel interface through which traffic will be
transported to the endpoint. The peer and the physical interface through
which the tunnel endpoint should be bound need to be specified:
Router3(config)# interface Tunnel0
Apply the crypto map to the physical interface on which tunnel-associated
traffic will be going out:
Router3(config-if)# crypto map XYZ
Router3(config)# interface ethernet 1/0
Router3(config-if)# crypto map XYZ
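A consistency check for the Router3 configuration built above, as an added example that is not part of the original exercise: it confirms that each crypto map entry references a defined transform set and access list, has a peer and is bound to an interface, and it reports transforms such as esp-des that a current policy would reject. The WEAK table is an assumed local policy, parse and audit are hypothetical helper names, and the sample text is the page's commands with prompts removed and ipsec-isakmp written out.

```python
import re

# Transform keywords this added check reports as weak (an assumed local policy).
WEAK = {
    "esp-des": "single DES, 56-bit key",
    "esp-null": "no encryption",
    "esp-md5-hmac": "MD5-based integrity",
    "ah-md5-hmac": "MD5-based integrity",
}

# Constructed sample: the Router3 commands from this exercise with prompts
# removed, sub-mode commands indented and 'ipsec-isakmp' written out in full.
ROUTER3 = """\
crypto isakmp enable
crypto isakmp identity hostname
crypto isakmp policy 1
 authentication rsa-encr
access-list 131 permit gre host 10.1.1.1 host 10.1.1.2
crypto ipsec transform-set test esp-des esp-sha-hmac
 mode transport
crypto map XYZ 10 ipsec-isakmp
 set transform-set test
 match address 131
 set peer 10.1.1.2
interface Tunnel0
 crypto map XYZ
interface ethernet 1/0
 crypto map XYZ
"""


def parse(config):
    """Collect transform sets, ACL numbers, crypto map entries and bindings."""
    model = {"transforms": {}, "acls": set(), "maps": {}, "applied": set()}
    section = None  # ("map", key) or ("if", name) while inside a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] != " ":  # a top-level command leaves any sub-mode
            section = None
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                model["transforms"][m[1]] = m[2].split()
            elif m := re.match(r"access-list (\d+) ", line):
                model["acls"].add(m[1])
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-", line):
                section = ("map", f"{m[1]} {m[2]}")
                model["maps"][section[1]] = {}
            elif m := re.match(r"interface (.+)", line):
                section = ("if", m[1])
        elif section and section[0] == "map":
            if m := re.match(r"(set transform-set|match address|set peer) (\S+)", line):
                model["maps"][section[1]][m[1]] = m[2]
        elif section and section[0] == "if":
            if m := re.match(r"crypto map (\S+)", line):
                model["applied"].add(m[1])
    return model


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    model, findings = parse(config), []
    for name, transforms in model["transforms"].items():
        for t in transforms:
            if t in WEAK:
                findings.append(f"transform-set {name}: {t} ({WEAK[t]})")
    for key, entry in model["maps"].items():
        ts = entry.get("set transform-set")
        if ts not in model["transforms"]:
            findings.append(f"crypto map {key}: transform-set {ts} is not defined")
        acl = entry.get("match address")
        if acl not in model["acls"]:
            findings.append(f"crypto map {key}: access-list {acl} is not defined")
        if "set peer" not in entry:
            findings.append(f"crypto map {key}: no peer set")
        if key.split()[0] not in model["applied"]:
            findings.append(f"crypto map {key}: not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTER3):
        print(finding)
```

On the exercise's configuration the cross-references all resolve, and the only finding is the esp-des transform in transform set test.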
ISCW - Course 4
Page Type: exercise
Introduction
Set up accounting to record all start and stop times for EXEC processes
and network processes on an ACS server.
In global configuration mode, identify the TACACS+ server whose IP
address is 133.15.17.201 using a pre-shared key of future123key:
Router1(config)# tacacs-server host 133.15.17.201
Router1(config)# tacacs-server key future123key
Set up the router to time-stamp logging and debug entries using local
time, for tracking and debugging purposes. Also record debug times to the
millisecond.
Router1(config)# service timestamps debug datetime localtime msec
Router1(config)# service timestamps log datetime localtime
Set up accounting to record all start and stop times for EXEC processes
and network processes on the ACS server:
Router1(config)# aaa accounting exec start-stop tacacs+
Router1(config)# aaa accounting network start-stop tacacs+
ISCW – Course 5
Page Type: exercise
Introduction
Update the bogon filter as recommended in the Cisco AutoSecure
documentation, and reapply the filter to the device—using the command
line interface (CLI) rather than the Router and Security Device Manager
(SDM) to make the desired changes to the device or devices
Determine which bogon to remove, then enter enable mode, then config
mode.
Router>enable
Password:
Router#config t
Router(config)#
Enter the following set of Cisco command statements to update the bogon
filter.
Router(config)#ip access-list extended autosec_complete_bogon
Router(config-ext-nacl)#no deny ip 71.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
Router(config)#ip access-list extended autosec_iana_reserved_block
Router(config-ext-nacl)#no deny ip 71.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
Router(config)#
The alternative to updating the bogon filter is to delete the bogon filter
altogether. This process can also be performed at the command line
interface. To do so, enter enable mode, then config mode.
Router>enable
Password:
Router#config t
Router(config)#
Enter interface config mode for the interface on which the bogon filter is
applied.
Router(config)#interface Serial0/0
Router(config-if)#
Remove the bogon filter from the interface (using the appropriate
access-list name):
Router(config-if)#no ip access-group autosec_complete_bogon in
(Optional) Remove the bogon filter from the router configuration to prevent
the inadvertent reapplication of the bogon filter in the future.
Router(config-if)#exit
Router(config)#no ip access-list extended autosec_complete_bogon
Router(config)#no ip access-list extended autosec_iana_reserved_block
Exit config mode. Save the configuration to memory.
Router(config)#exit
Router#copy running-config startup-config
Page Type: exercise
Introduction
Configure an Access List to ‘Deny’ an IP Host Address
Add the “?” to the end of the Cisco ‘access-list’ command statement, to
display the complete range of choices for access list numbers available,
for filtering a network.
RouterA(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <400-499>    XNS standard access list
  <500-599>    XNS extended access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
Use IP standard access lists ‘1-99’ and create access-list number
‘10.’ Use the “?” to display available options, methods or
parameters for this command.
RouterA(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
From the options in the previous step, let’s make this access list a ‘deny’
access list. Then, let’s ask what our options are for creating a ‘deny’
access list 10.
RouterA(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
While the ‘any’ command option would allow us to deny all source host
addresses, the ‘Hostname or A.B.C.D’ and ‘host’ command options allow
us to specify an IP host address.
Create a ‘deny’ access-list 10 for host 161.15.29.1
RouterA(config)# access-list 10 deny host 161.15.29.1
- OR -
RouterA(config)# access-list 10 deny 161.15.29.1
This command tells the router to deny any packets from IP host address
161.15.29.1. The word ‘host,’ in this command can also be omitted as it is
the default.
Page Type: exercise
Introduction
Configure an Extended Access List
Type in the ‘access-list ?’ command statement to display the available
access lists.
RouterA(config)# access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <400-499>    XNS standard access list
  <500-599>    XNS extended access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
Use IP extended access lists ‘100-199’ and create access-list
number ‘120.’ Use the “?” to display available options, methods or
parameters for this command.
RouterA(config)# access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
RouterA(config)# access-list 120 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
Notice that the command options are different for this list than for access
lists ‘1-99.’ The ‘dynamic’ command option exists for access lists ‘100-199.’
Also, when we query on the ‘deny’ command option, access lists ‘100-199’
provide a different set of options.
RouterA(config)# access-list 120 deny ?
  <0-255>  An IP protocol number
  eigrp    Cisco's EIGRP routing protocol
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
Next, let’s choose a range of IP address hosts, for our extended ACL
(Access Control List). Let’s select the ‘any’ command option and query on
other command options.
RouterA(config)# access-list 120 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
Using the 161.15.29.1 host address, we want to look at two more queries
for command options. First:
RouterA(config)# access-list 120 deny tcp any host 161.15.29.1 ?
  eq           Match only packets on a given port number
  established  Match established connections
  fragments    Check fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
  tos          Match packets with given TOS value
We want to filter traffic for a specific port number. Let’s select the ‘eq’
command option and query once more for other command options:
RouterA(config)# access-list 120 deny tcp any host 161.15.29.1 eq ?
  <0-65535>  Port number
  bgp        Border Gateway Protocol (179)
  chargen    Character generator (19)
  cmd        Remote commands (rcmd,514)
  daytime    Daytime (13)
  discard    Discard (9)
  domain     Domain Name Service (53)
  echo       Echo (7)
  exec       Exec (rsh,512)
  finger     Finger (79)
  ftp        File Transfer Protocol (21)
  gopher     Gopher (70)
  hostname   NIC hostname server (101)
  ident      Ident Protocol (113)
  irc        Internet Relay Chat (194)
  klogin     Kerberos login (543)
  kshell     Kerberos shell (544)
  login      Login (rlogin,513)
  lpd        Printer service (515)
  nntp       Network News Transport Protocol (119)
  pop2       Post Office Protocol v2 (109)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  sunrpc     Sun Remote Procedure Call (111)
  syslog     Syslog (514)
  tacacs     TAC Access Control System (49)
  talk       Talk (517)
  telnet     Telnet (23)
  time       Time (37)
  uucp       Unix-to-Unix Copy Program (540)
  whois      Nicname (43)
  www        World Wide Web HTTP (80)
We can now complete the creation of the access list that will filter traffic on
our specified port using our specified IP host address. Our access list 120
command is now complete. We can use this access list to mitigate threats
and attacks, and to implement robust and secure infrastructure protection.
RouterA(config)# access-list 120 deny tcp any host 161.15.29.1 eq 620
For more specific filtering, we could also add a subnet mask (e.g.,
161.15.29.1 255.255.255.0) so that filtering will be to the last bit.
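An added example (not part of the original exercises) that evaluates the numbered ACL entries from the two access-list exercises above the way IOS does: the first matching entry wins, an implicit deny ends every list, and the mask field after an address is a wildcard mask whose 1 bits are ignored, as in the bogon entry 71.0.0.0 0.255.255.255 earlier on this page. The 'permit' lines, the two mask variants and the test addresses are constructed, and parse_ace and evaluate are hypothetical helper names.

```python
import ipaddress
import re

ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: every bit is ignored


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(tokens):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and re.fullmatch(r"\d+(\.\d+){3}", tokens[1]):
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]  # A.B.C.D wildcard
    return (_ip(tokens[0]), 0), tokens[1:]  # bare A.B.C.D means a single host


def parse_ace(line):
    """Parse one numbered 'access-list' line (standard 1-99, extended 100-199)."""
    t = line.split()
    number, rest = int(t[1]), t[3:]
    ace = {"action": t[2], "proto": "ip", "dst": ANY, "port": None}
    if 100 <= number <= 199:
        ace["proto"], rest = rest[0], rest[1:]
        ace["src"], rest = _addr(rest)
        ace["dst"], rest = _addr(rest)
        if rest[:1] == ["eq"]:
            ace["port"] = int(rest[1])  # numeric destination port only
    else:
        ace["src"], rest = _addr(rest)
    return ace


def _hit(address, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # only the wildcard's 0-bits are compared
    return (_ip(address) & care) == (base & care)


def evaluate(lines, src, dst="0.0.0.0", proto="ip", port=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in map(parse_ace, lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_hit(src, ace["src"]) and _hit(dst, ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"]
    return "deny"


# The page's entries, plus constructed 'permit' lines and mask variants.
ACL10 = ["access-list 10 deny host 161.15.29.1"]
ACL10_OPEN = ACL10 + ["access-list 10 permit any"]
ACL120 = ["access-list 120 deny tcp any host 161.15.29.1 eq 620",
          "access-list 120 permit ip any any"]
ACL120_MASK = ["access-list 120 deny tcp any 161.15.29.1 255.255.255.0 eq 620",
               "access-list 120 permit ip any any"]
ACL120_WILD = ["access-list 120 deny tcp any 161.15.29.0 0.0.0.255 eq 620",
               "access-list 120 permit ip any any"]

if __name__ == "__main__":
    print("ACL 10 alone, other source:", evaluate(ACL10, "192.0.2.7"))
    print("ACL 10 + permit any       :", evaluate(ACL10_OPEN, "192.0.2.7"))
    for acl in (ACL120_MASK, ACL120_WILD):
        print(acl[0], "->", evaluate(acl, "198.51.100.5", "161.15.29.77", "tcp", 620))
```

Written as 161.15.29.1 255.255.255.0, the entry matches destinations whose last octet is 1 in any network, while 161.15.29.0 0.0.0.255 covers the 161.15.29.0/24 subnet. Access list 10 on its own denies every source once applied, because nothing precedes the implicit deny.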
ISCW – Course 6
Page Type: exercise
Introduction
Configuring MTU Size in Label Switching
Enter interface configuration mode:
Router(config)# interface fastethernet 0/0
Change the maximum size of an MPLS-labeled packet to 1508 bytes:
Router(config-if)# mpls mtu 1508
NOTE: The Cisco ‘mpls mtu’ command statement is necessary in the
event of an addition of the label header; the MTU on LAN interfaces
should be increased to prevent IP fragmentation. The minimum MTU is 64
bytes, and the maximum MTU is based on the type of interface medium
that is being used.
The MPLS MTU size for backbone LSRs is examined using the show mpls
forwarding-table prefix detail command. Verify the MPLS MTU size using
the ‘show mpls forwarding-table’ command statement, and notice that the
MTU=1508 setting reflects our previous ‘mpls mtu’ command statement.
Router# show mpls forwarding-table 10.1.1.1 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Pop tag     10.1.1.1/32       1544       Fa1/0      10.20.10.1
        MAC/Encaps=14/14, MTU=1508, Tag Stack{}
        00049BD60C1C00D06354701C8847
        No output feature configured
    Per-packet load-sharing
Router#
ISCW - Course 7
Page Type: exercise
Introduction
Configure IPS inline VLAN pair settings on a sensor to mitigate network
security threats
Log in to the CLI using an account with administrator privileges.
Enter the interface sub-mode:
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)#
Verify whether or not any inline interfaces exist (the sub-interface type
should read "none," if no inline interfaces have been configured):
sensor(config-int)# show settings
physical-interfaces (min: 0, max: 999999999, current: 2)
-----------------------------------------------
   <protected entry>
   name: GigabitEthernet0/0 <defaulted>
   -----------------------------------------------
      media-type: tx <protected>
      description: <defaulted>
      admin-state: disabled <protected>
      duplex: auto <defaulted>
      speed: auto <defaulted>
      alt-tcp-reset-interface
      -----------------------------------------------
         none
      -----------------------------------------------
      subinterface-type
      -----------------------------------------------
         none
      -----------------------------------------------
   -----------------------------------------------
   <protected entry>
   name: GigabitEthernet0/1 <defaulted>
   -----------------------------------------------
      media-type: tx <protected>
      description: <defaulted>
      admin-state: disabled <defaulted>
      duplex: auto <defaulted>
      speed: auto <defaulted>
      alt-tcp-reset-interface
      -----------------------------------------------
         none
      -----------------------------------------------
      subinterface-type
      -----------------------------------------------
         none
      -----------------------------------------------
   -----------------------------------------------
   <protected entry>
   name: GigabitEthernet0/2 <defaulted>
   -----------------------------------------------
      media-type: tx <protected>
      description: <defaulted>
      admin-state: disabled <defaulted>
      duplex: auto <defaulted>
      speed: auto <defaulted>
      alt-tcp-reset-interface
      -----------------------------------------------
         none
      -----------------------------------------------
      subinterface-type
      -----------------------------------------------
         none
      -----------------------------------------------
   -----------------------------------------------
   <protected entry>
   name: GigabitEthernet0/3 <defaulted>
   -----------------------------------------------
      media-type: tx <protected>
      description: <defaulted>
      admin-state: disabled <defaulted>
      duplex: auto <defaulted>
      speed: auto <defaulted>
      alt-tcp-reset-interface
      -----------------------------------------------
         none
      -----------------------------------------------
      subinterface-type
      -----------------------------------------------
         none
      -----------------------------------------------
   -----------------------------------------------
   <protected entry>
   name: Management0/0 <defaulted>
   -----------------------------------------------
      media-type: tx <protected>
      description: <defaulted>
      admin-state: disabled <protected>
      duplex: auto <defaulted>
      speed: auto <defaulted>
      alt-tcp-reset-interface
      -----------------------------------------------
         none
      -----------------------------------------------
      subinterface-type
      -----------------------------------------------
         none
      -----------------------------------------------
   -----------------------------------------------
-----------------------------------------------
command-control: Management0/0 <protected>
inline-interfaces (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
bypass-mode: auto <defaulted>
interface-notifications
-----------------------------------------------
   missed-percentage-threshold: 0 percent <defaulted>
   notification-interval: 30 seconds <defaulted>
   idle-interface-delay: 30 seconds <defaulted>
-----------------------------------------------
sensor(config-int)#
Remove any inline interfaces that use this physical interface:
sensor(config-int)# no inline-interfaces interface_name
Display the list of available interfaces:
sensor(config-int)# physical-interfaces ?
GigabitEthernet0/0  GigabitEthernet0/0 physical interface.
GigabitEthernet0/1  GigabitEthernet0/1 physical interface.
GigabitEthernet0/2  GigabitEthernet0/2 physical interface.
GigabitEthernet0/3  GigabitEthernet0/3 physical interface.
Management0/0       Management0/0 physical interface.
sensor(config-int)# physical-interfaces
Specify an interface:
sensor(config-int)# physical-interfaces GigabitEthernet0/2
Enable the admin-state of the interface:
sensor(config-int-phy)# admin-state enabled
The interface must be assigned to the virtual sensor and enabled in order
to monitor traffic.
Add a description of this interface:
sensor(config-int-phy)# description INT1
Configure the duplex settings:
sensor(config-int-phy)# duplex full
This option is not available on modules.
Configure the speed:
sensor(config-int-phy)# speed 1000
This option is not available on modules.
Set up the inline VLAN pair:
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 52
sensor(config-int-phy-inl-sub)# vlan2 53
Add a description for the inline VLAN pair:
sensor(config-int-phy-inl-sub)# description pairs vlans 52 and 53
Verify the inline VLAN pair settings:
sensor(config-int-phy-inl-sub)# show settings
subinterface-number: 1
-----------------------------------------------
   description: VLANpair1 default:
   vlan1: 52
   vlan2: 53
-----------------------------------------------
sensor(config-int-phy-inl-sub)#
Exit the interface sub-mode:
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:
Press Enter to apply the changes, or enter ‘no’ to discard them.
Enter virtual sensor configuration mode:
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
Add the interface to the virtual-sensor:
sensor(config-ana-vir)# physical-interface GigabitEthernet0/2 subinterface-number 1
Exit virtual-sensor submode:
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]:
Press Enter in order to apply the changes, or enter no to discard them.