Define the Protected Networks

After you apply the audit rules to the router interfaces, use the global configuration mode command ip audit protected to specify whether an address is on a protected network. A single address at a time or a range of addresses can be entered at one time. You can make as many entries to the protected networks list as needed. In case of a detected attack, the corresponding event contains a flag that denotes whether the source and/or destination of the packet belong to a protected network.

Use the no form of this command to remove network addresses from the protected network list. If you specify an IP address for removal, that address is removed from the list. If you don’t specify an address, then all IP addresses are removed from the list. The syntax is

Rtr1(config)#ip audit protected ip-addr [to ip-addr]
Rtr1(config)#no ip audit protected [ip-addr]

This command was introduced in IOS 12.0(5)T. The default is that if no addresses are defined as protected, then all addresses are considered outside the protected network.

The following example shows three individual addresses and two ranges of addresses to be added to the protected network list. The final entry shows an address removed from the protected list.

Rtr1(config)#ip audit protected 192.168.5.1
Rtr1(config)#ip audit protected 192.168.5.8
Rtr1(config)#ip audit protected 192.168.5.211
Rtr1(config)#ip audit protected 192.168.4.1 to 192.168.4.254
Rtr1(config)#ip audit protected 192.168.6.1 to 192.168.7.254
Rtr1(config)#no ip audit protected 192.168.4.75 cp7verif