Re: IDSM with IPS5.1 " blocking" ?

rkumares · ‎07-16-2006

IDSM2 with IPS5.1 (on cat65K sup 720 IOS 12.2SXF) will support ? Inline ? mode.But does it support ? blocking? as well ? ??

? CCO document says ?Supervisor 720 with Cisco IOS supports VACL deny statements; however, IDSM-2 cannot block with Cisco IOS-style VACLs.

? Here VACL deny means ? not consider to monitor that particular VLAN or IP address ? right ? OR is it like totally blocking the user traffic? Or blocking the connection from the respective host/connection/IP.

stleary · ‎07-17-2006

Hi Rajan,

All sensors can block on supported network devices

regardless of whether the sensor is configured as

inline. In the case where an IDSM2 is installed on

a Catalyst switch running IOS, and the user wants

the sensor to block on the switch, the blocking

device should be specifed as a router. The sensor

will block with ACLs, not VACLs. Blocks can either

be unconditional (denying all packets from the

attacker) or connection oriented.

One point to keep in mind is that a sensor in inline

mode can also perform inline deny actions like "deny packet inline", "deny attacker inline", etc. These

deny actions are unrelated to the sensor blocking

response.

Regards,

Sean

rkumares · ‎07-20-2006

Hi Sean,

Thanks for your valuable info.Now IDSM can block on cat6k after selecting the blocking device as Router(initially I had selected as cat6K.I need to test the same with inline pairs after sometime.