Sensor blocking feature

thananchai747 · ‎02-05-2009

If i already use ACL on router interface and then should i do about the Pre-Block ACL and Post-Block ACL?

what router will do the Existing ACL on the Interface?

And the name of the ACL used on the router must be in form only?

marcabal · ‎02-06-2009

First start by reading through this section:

http://www.cisco.com/en/US/partner/docs/security/ips/6.2/configuration/guide/cli/cli_blocking.html#wp1050119

When the sensor's ACL is written to the router and applied to the interface/direction, then it will remove the application of any previous ACL to that same interface/direction.

Only one ACL may applied to a specific interface/direction.

The previous ACL will still exist in the router's configuration. It will just no longer be applied to that router interface/direction.

A good rule of thumb if you already have an existing ACL applied is to configure the sensor with the Name of that ACL as the Post-Block ACL.

When the sensor connects to the router it will read in the configuration lines from your existing ACL and store them in the sensor's memory. When the sensor creates it's own ACL it will add the lines from your ACL to the bottom of the ACL it creates.

You can use either numbered or named access-lists as the Pre or Post-Block ACL.

(The sensor will generate a named acces-list when it creates its access list on the router).

thananchai747 · ‎02-09-2009

Thk.