Cisco Support Community

New Member

blocking connections

If there is a need to block unwanted or malicious connections on firewall, shun is advised.

Appreciate if any of the gurus here can help me understand what is different in shun than using the ACL for the same purpose.

In which typical scenario is shun preferred over acl.

TIA.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: blocking connections

Hi,

Another difference between "shun" and ACLs is in the packet processing. "Shunning" is performed at the very first in the packet processing steps while ACL checks are performed after a "Flow lookup" or "Connection entry" lookup.

So basically it means, if there is an existing connection for some kind of traffic and you decide to block it using ACLs it will not happen unless that connection is torn down and a new one created. But if you decide to "shun" that host, then in spite of the existing connection entry "anything and everything" from the host will be blocked.

This is the reason why when we configure IPS to block hosts on ASAs (using signature action as "request block"), it uses the "shun" command rather than ACLs (which it uses for routers and switches).

Hope that is clear!!

Thanks and Regards,
Prapanch
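The ordering Prapanch describes (shun lookup first, then connection lookup, then ACL evaluation for new flows only) and Mike's point about ACL granularity are easy to see in a small model. The following is an added example written for this thread, not code from the original post or from Cisco: a toy ASA pipeline with a `shun` table, a connection table and a first-match ACL. The class and method names, the addresses (TEST-NET ranges) and the ACL are all constructed for the demonstration; the ASA CLI equivalents are given in the comments only as a guide to what each step corresponds to.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    src: str               # source IP or "any"
    dport: Optional[int]   # None matches any destination port


class ToyAsa:
    """Toy model (not Cisco code) of the check order described in the thread:
    shun table -> existing-connection lookup -> ACL for new connections."""

    def __init__(self, acl):
        self.acl = list(acl)      # copy so each instance has its own ACL
        self.shun_table = set()   # hosts added with `shun <ip>`
        self.conn_table = set()   # (src, dst, dport, proto) of established flows

    def shun(self, src):          # ASA CLI: shun <src>
        # Modelled as on the ASA: existing flows from the host are torn down too.
        self.shun_table.add(src)
        self.clear_conn(src)

    def no_shun(self, src):       # ASA CLI: no shun <src>
        self.shun_table.discard(src)

    def add_deny(self, src, dport=None):
        # ASA CLI: access-list <name> line 1 extended deny ip host <src> any
        self.acl.insert(0, AclEntry("deny", src, dport))

    def clear_conn(self, src):    # ASA CLI: clear conn address <src>
        self.conn_table = {c for c in self.conn_table if c[0] != src}

    def process(self, pkt):
        # Step 1: shun check, before any flow lookup
        if pkt.src in self.shun_table:
            return "drop:shun"
        key = (pkt.src, pkt.dst, pkt.dport, pkt.proto)
        # Step 2: established connection -> forwarded; the ACL is not re-evaluated
        if key in self.conn_table:
            return "forward:existing-conn"
        # Step 3: new connection -> first matching ACL entry decides
        for e in self.acl:
            if e.src in ("any", pkt.src) and e.dport in (None, pkt.dport):
                if e.action == "deny":
                    return "drop:acl"
                self.conn_table.add(key)
                return "forward:new-conn"
        return "drop:implicit-deny"


def demo():
    """Walk through the thread's scenarios; returns the verdict at each step."""
    attacker = "203.0.113.5"                 # constructed sample address
    web = Packet(attacker, "198.51.100.10", 443)
    ssh = Packet(attacker, "198.51.100.10", 22)

    # ACL granularity (Mike's point): only tcp/443 permitted, everything else denied
    acl = [AclEntry("permit", "any", 443), AclEntry("deny", "any", None)]
    out = {}

    asa = ToyAsa(acl)
    out["ssh_initial"] = asa.process(ssh)        # drop:acl
    out["web_initial"] = asa.process(web)        # forward:new-conn (flow created)
    asa.add_deny(attacker)                       # operator adds a deny ACE ...
    out["web_after_acl"] = asa.process(web)      # forward:existing-conn (flow survives)
    asa.clear_conn(attacker)                     # ... and must clear the flow as well
    out["web_after_clear"] = asa.process(web)    # drop:acl

    asa2 = ToyAsa(acl)
    asa2.process(web)                            # re-establish the flow
    asa2.shun(attacker)                          # shun acts before the flow lookup
    out["web_after_shun"] = asa2.process(web)    # drop:shun
    out["ssh_after_shun"] = asa2.process(ssh)    # drop:shun (everything from the host)
    asa2.no_shun(attacker)
    out["web_after_no_shun"] = asa2.process(web) # forward:new-conn
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:18s} {verdict}")
```

The `web_after_acl` step is the one that bites in practice: a deny ACE added while a flow is up changes nothing until that flow is cleared or times out, whereas the shun verdict is returned before the connection table is even consulted and covers every port from the host.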

3 REPLIES
Cisco Employee

Re: blocking connections

ACL will drop everything between a source and destination,

whereas using shun you can specify a threshold after which it will start shunning. For example, say if you see x number of packets in a duration of y mins from z, shun the traffic.

hope it helps

- JA

Cisco Employee

Re: blocking connections

Hello,

Shun will block everything from the specified host; ACLs will allow you to permit some ports/protocols and deny the rest of the traffic from the specified host.

Cheers

Mike

