Need to know how to block using SVIs with IDSM-2

dmarsh (Level 1)

I have been unable to get the SVIs on a Catalyst 6506 Sup720 to block using an IDSM-2 (v5.1.1g).

Relevant configuration Info:

Server ---(VL60)---SVI60[10.1.60.1/24]----SVI80[10.1.80.1/24]---IDSM2[Promiscuous, not inline]--(VL80)---PC[10.1.80.25/24]

interface Vlan80
 ip address 10.1.80.1 255.255.255.0
access-list 2000 permit ip any any
vlan access-map PREBLOCK 10
 match ip address 2000
 action forward capture
!
vlan filter PREBLOCK vlan-list 80
intrusion-detection module 6 management-port access-vlan 99
intrusion-detection module 6 data-port 1 capture
intrusion-detection module 6 data-port 1 capture allowed-vlan 80

cat6k-devices 10.1.80.1
  communication ssh-des
  profile-name Outside_Router
  block-vlans 80
    pre-vacl-name 2000

signatures 60001 0
  alert-severity high
  sig-fidelity-rating 75
  sig-description
    sig-name Block BadICMP
    sig-string-info Block BadICMP
    sig-comment Block BadICMP
    exit
  engine atomic-ip
    event-action produce-alert|request-block-host
    specify-l4-protocol yes
      l4-protocol icmp
        specify-icmp-seq no
        specify-icmp-type no
        specify-icmp-code yes
          icmp-code 8
          exit
        specify-icmp-id no
        specify-icmp-total-length no
        exit
      specify-payload-inspection no
      exit
    specify-ip-payload-length no
    specify-ip-header-length no
    specify-ip-tos no
    specify-ip-ttl no
    specify-ip-version no
    specify-ip-id no
    specify-ip-total-length no
    specify-ip-option-inspection no
    specify-ip-addr-options yes
      ip-addr-options ip-addr
        specify-src-ip-addr yes
          src-ip-addr 10.1.80.25
          exit
        specify-dst-ip-addr no
        exit
      exit
    exit
  event-counter
    specify-alert-interval no
    exit
  alert-frequency
    summary-mode summarize
    specify-global-summary-threshold no
    exit

IDSM2-PODX# packet display gigabitEthernet0/7
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_7: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_7, link-type EN10MB (Ethernet), capture size 65535 bytes
14:42:23.334127 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3066
14:42:24.335289 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3322
14:42:25.336257 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3578
14:42:26.338406 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3834
14:42:27.339528 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 4090
14:42:28.341637 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 4346
14:42:29.343774 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 4602
14:42:30.344715 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 4858
14:42:31.346860 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 5114
14:42:32.348013 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 5370
14:42:33.350168 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 5626
14:42:34.352024 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 5882
14:42:35.353130 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 6138
14:42:36.355325 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 6394
14:42:37.356463 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 6650
14:42:38.358607 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 6906
14:42:39.360561 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 7162
14:42:40.361706 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 7418
18 packets captured
18 packets received by filter
0 packets dropped by kernel
IDSM2-PODX#
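An added illustration, not code from the post or from Cisco: a small Python model of the atomic-ip criteria enabled in signature 60001, applied to the captured lines above. The two capture lines are copied from the post; the echo request line is constructed. ICMP numbering follows RFC 792 (echo reply is type 0 code 0, echo request is type 8 code 0), which is what the model makes visible: the posted criteria compare the ICMP code, not the type.

```python
import re
from dataclasses import dataclass

# ICMP (type, code) per RFC 792 for the two summaries tcpdump prints in this thread.
ICMP_NAMES = {"echo reply": (0, 0), "echo request": (8, 0)}
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp \d+: "
    r"(?P<kind>echo reply|echo request)"
)

@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int

def parse_capture(text):
    """Turn 'packet display' (tcpdump) summary lines into IcmpPacket records."""
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:  # the tcpdump banner and "N packets captured" lines do not match
            t, c = ICMP_NAMES[m["kind"]]
            pkts.append(IcmpPacket(m["src"], m["dst"], t, c))
    return pkts

def matches(sig, pkt):
    # Only fields the signature enables ('specify-... yes') are compared; absent ones match anything.
    fields = {"src-ip-addr": pkt.src, "icmp-type": pkt.icmp_type, "icmp-code": pkt.icmp_code}
    return all(fields[k] == v for k, v in sig.items())

def count_matches(sig, packets):
    return sum(matches(sig, p) for p in packets)

# Two lines copied from the post's capture (all 18 are echo replies from 10.1.60.10).
CAPTURE = """\
14:42:23.334127 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3066
14:42:24.335289 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3322
"""
# Constructed line (not in the post): the PC's own echo request, the direction the signature keys on.
ECHO_REQUEST = "14:42:23.000000 IP 10.1.80.25 > 10.1.60.10: icmp 40: echo request seq 3066"
# Signature 60001 as posted: src 10.1.80.25, icmp-code 8, icmp-type left unspecified.
SIG_AS_POSTED = {"src-ip-addr": "10.1.80.25", "icmp-code": 8}
# The same source filter keyed on echo request as RFC 792 numbers it: type 8, code 0.
SIG_TYPE8_CODE0 = {"src-ip-addr": "10.1.80.25", "icmp-type": 8, "icmp-code": 0}

if __name__ == "__main__":
    for name, sig in (("as posted", SIG_AS_POSTED), ("type 8 / code 0", SIG_TYPE8_CODE0)):
        print(name, "-> capture:", count_matches(sig, parse_capture(CAPTURE)),
              "echo request:", count_matches(sig, parse_capture(ECHO_REQUEST)))
```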

1 Reply

dmarsh (Level 1)

Part 2 of Info:

CAT65K-PODX# sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Thu 23-Mar-06 19:38 by tinhuang
Image text-base: 0x40101040, data-base: 0x42DA8000

ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)

CAT65K-PODX uptime is 7 weeks, 7 hours, 55 minutes
Time since CAT65K-PODX switched to active is 7 weeks, 7 hours, 54 minutes
System returned to ROM by power cycle (SP by power on)
System image file is "disk0:s72033-adventerprisek9_wan-mz.122-18.SXF4.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
CAT65K-PODX#

CAT65K-PODX# sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL084359BZ
  4    8  Network Analysis Module                WS-SVC-NAM-2       SAD095005X4
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL09412WB4
  6    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD101601NR

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  3  0012.435d.8b68 to 0012.435d.8b97   2.1   12.2(14r)S5  12.2(18)SXF4 Ok
  4  0012.80f1.d8c0 to 0012.80f1.d8c7   4.0   7.2(1)       3.4(1a)      Ok
  5  0013.7f0a.ff48 to 0013.7f0a.ff4b   4.3   8.1(3)       12.2(18)SXF4 Ok
  6  0016.9dab.3340 to 0016.9dab.3347   6.1   7.2(1)       5.1(1)       Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  3  Centralized Forwarding Card WS-F6700-CFC       SAD084205DY 2.0     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL09412SXU 1.6     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL09412HDB 2.3     Ok
  6  IDS 2 accelerator board     WS-SVC-IDSUPG      ADEI6120088 2.4     Ok

Mod  Online Diag Status
---- -------------------
  3  Pass
  4  Pass
  5  Pass
  6  Pass
CAT65K-PODX#

I have attached the current Cat6K/Sup720 full configuration and the IDSM-2 configuration.

The million dollar question:

Why can't I enforce blocking on SVI80? I have defined everything according to the docs and both options [blocking and rate limiting] are grayed out in my blocking device definition. I understand from the docs that rate limiting is not supported on VACLs, but if I am reading it correctly, ACLs should be.

So I have determined that I needed an ACL applied to the SVI as opposed to the VACL used for capture. I added:

ip access-list 2020
 permit ip any any
!
interface Vlan80
 ip address 10.1.80.1 255.255.255.0
 ip access-group 2020 in

I still do not get the option to block in IDM. Does this need to be added as a Cisco router (it doesn't seem to want to take Vlan80 as an interface) or a Cat6k blocking device?

All help appreciated. Thanks in advance.
