Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
578
Views
0
Helpful
1
Replies

Shun Table Full message

stbob
Level 1
Level 1

‎01-29-2002 01:00 PM - edited ‎03-08-2019 09:42 PM

When I get this message, I am assuming there is a limit to how many IPs can be blocked in the deny ACL applied to the routers. Is this a hard limit, or can I change it? If so, where? Are there any potential hazards to raising this limit? I don't like the idea of nastygrams getting through because I've blocked a bunch of ignorant Code Red zombies.

Labels:
0 Helpful
1 Reply 1

marcabal
Cisco Employee
Cisco Employee

‎01-29-2002 02:06 PM

The default value if i remember correctly is about 150 hosts being shunned.

This however, is configurable.

Versions earlier than 3.0(3)Sx had an absolute maximum for the token of about 200 hosts, but after version 3.0(3)Sx there is no maximum value that I am aware of.

Last I checked, however, I don't think that CSPM would allow you change this token's configuration. You may want to check in the Blocking tab and see if there is a configuration entry for maximum number of shunned hosts or something that sounds like that.

If the configuration entry is not there then there is a workaround.

CSPM relies on template files.

you would need to find the template files directory for the sensor version you are using.

Then edit the managed.conf template file and edit the following line to the value you want.

ShunMaxEntries 150

This edit would affect all sensors of that version.

If using nrConfigure the configuration is in the Shunning tab of the Device Management configuration window for the sensor.

Potential Hazards:

The more hosts being shunned the more the router performance can be affected. All packets going through the interface and direction to which the acl was applied by managed will have to be checked against the acl. The larger the acl the longer it takes to check.

On some routers there is also a limit based on the size of NVRAM for the router. Since the shuns are acl entries which are written to the router configuration they have to be saved to NVRAM, but some routers do not have very much space for saving router configurations. On smaller routers I would keep the 150 limit, on larger router like the 7500 a limit of 2 or 300 may be just fine. Managed on the sensor will not prevent you from creating access lists that are too large to save to the router's NVRAM.

0 Helpful
Customers Also Viewed These Support Documents