Cisco Support Community

New Member

Need to know how to block using SVIs with IDSM-2

I have been unable to get the SVIs on a Catalyst 6506 Sup720 to block using an IDSM-2 (v5.1.1g).

Relevant configuration info:

Server ---(VL60)---SVI60[]----SVI80[]---IDSM2[Promiscuous, not inline]--(VL80)---PC[]

interface Vlan80
 ip address

access-list 2000 permit ip any any

vlan access-map PREBLOCK 10
 match ip address 2000
 action forward capture

vlan filter PREBLOCK vlan-list 80

intrusion-detection module 6 management-port access-vlan 99
intrusion-detection module 6 data-port 1 capture
intrusion-detection module 6 data-port 1 capture allowed-vlan 80


communication ssh-des
profile-name Outside_Router
block-vlans 80
pre-vacl-name 2000

signatures 60001 0
alert-severity high
sig-fidelity-rating 75

sig-name Block BadICMP
sig-string-info Block BadICMP
sig-comment Block BadICMP

engine atomic-ip
event-action produce-alert|request-block-host
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-seq no
specify-icmp-type no
specify-icmp-code yes
icmp-code 8

specify-icmp-id no
specify-icmp-total-length no

specify-payload-inspection no

specify-ip-payload-length no
specify-ip-header-length no
specify-ip-tos no
specify-ip-ttl no
specify-ip-version no
specify-ip-id no
specify-ip-total-length no
specify-ip-option-inspection no
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes

specify-dst-ip-addr no

specify-alert-interval no

summary-mode summarize
specify-global-summary-threshold no


IDSM2-PODX# packet display gigabitEthernet0/7
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_7: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_7, link-type EN10MB (Ethernet), capture size 65535 bytes
14:42:23.334127 IP > icmp 40: echo reply seq 3066
14:42:24.335289 IP > icmp 40: echo reply seq 3322
14:42:25.336257 IP > icmp 40: echo reply seq 3578
14:42:26.338406 IP > icmp 40: echo reply seq 3834
14:42:27.339528 IP > icmp 40: echo reply seq 4090
14:42:28.341637 IP > icmp 40: echo reply seq 4346
14:42:29.343774 IP > icmp 40: echo reply seq 4602
14:42:30.344715 IP > icmp 40: echo reply seq 4858
14:42:31.346860 IP > icmp 40: echo reply seq 5114
14:42:32.348013 IP > icmp 40: echo reply seq 5370
14:42:33.350168 IP > icmp 40: echo reply seq 5626
14:42:34.352024 IP > icmp 40: echo reply seq 5882
14:42:35.353130 IP > icmp 40: echo reply seq 6138
14:42:36.355325 IP > icmp 40: echo reply seq 6394
14:42:37.356463 IP > icmp 40: echo reply seq 6650
14:42:38.358607 IP > icmp 40: echo reply seq 6906
14:42:39.360561 IP > icmp 40: echo reply seq 7162
14:42:40.361706 IP > icmp 40: echo reply seq 7418
18 packets captured
18 packets received by filter
0 packets dropped by kernel
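To see which ICMP messages the posted atomic-ip criteria actually select, here is an added Python model (not from the thread or from Cisco) of how the specify-icmp-type / specify-icmp-code switches compare against the ICMP header, run over constructed echo request and echo reply messages shaped like the 40-byte ICMP replies in the capture above. IcmpCriteria and the helper names are my own stand-ins, not IDSM commands.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IcmpCriteria:
    """Hypothetical stand-in for the posted atomic-ip ICMP knobs: a field is
    compared only when its specify-* switch is yes (None = not specified)."""
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    icmp_seq: Optional[int] = None

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, ident: int, seq: int,
               payload: bytes = b"") -> bytes:
    """Constructed sample ICMP message with a valid checksum."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload
    chk = icmp_checksum(body)
    return struct.pack("!BBHHH", icmp_type, code, chk, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _chk, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(packet) == 0}

def matches(criteria: IcmpCriteria, packet: bytes) -> bool:
    """True when every specified field equals the packet's header field."""
    hdr = parse_icmp(packet)
    wanted = {"type": criteria.icmp_type, "code": criteria.icmp_code,
              "seq": criteria.icmp_seq}
    return all(hdr[k] == v for k, v in wanted.items() if v is not None)

# As posted: specify-icmp-type no, specify-icmp-code yes, icmp-code 8.
AS_POSTED = IcmpCriteria(icmp_code=8)
# Echo request is ICMP type 8, code 0 (RFC 792).
ECHO_REQUEST_RULE = IcmpCriteria(icmp_type=8, icmp_code=0)
# Constructed samples shaped like the capture's "icmp 40" replies (8 + 32 bytes, seq 3066).
ECHO_REQUEST = build_icmp(8, 0, 0x1234, 3066, b"A" * 32)
ECHO_REPLY = build_icmp(0, 0, 0x1234, 3066, b"A" * 32)
```

Echo request is type 8 code 0 and echo reply is type 0 code 0, so criteria that specify only icmp-code 8 select neither of the ping messages in the capture. Because request-block-host is an event action, confirming in the event store that the signature fires at all is a useful first check before debugging the blocking-device definition.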


New Member

Re: Need to know how to block using SVIs with IDSM-2

Part 2 of Info:

CAT65K-PODX# sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)S

Technical Support:
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Thu 23-Mar-06 19:38 by tinhuang
Image text-base: 0x40101040, data-base: 0x42DA8000
ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)S

CAT65K-PODX uptime is 7 weeks, 7 hours, 55 minutes
Time since CAT65K-PODX switched to active is 7 weeks, 7 hours, 54 minutes
System returned to ROM by power cycle (SP by power on)
System image file is "disk0:s72033-adventerprisek9_wan-mz.122-18.SXF4.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for

CAT65K-PODX# sh mod
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
3 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL084359BZ
4 8 Network Analysis Module WS-SVC-NAM-2 SAD095005X4
5 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL SAL09412WB4
6 8 Intrusion Detection System WS-SVC-IDSM-2 SAD101601NR

Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
3 0012.435d.8b68 to 0012.435d.8b97 2.1 12.2(14r)S5 12.2(18)SXF4 Ok
4 0012.80f1.d8c0 to 0012.80f1.d8c7 4.0 7.2(1) 3.4(1a) Ok
5 0013.7f0a.ff48 to 0013.7f0a.ff4b 4.3 8.1(3) 12.2(18)SXF4 Ok
6 0016.9dab.3340 to 0016.9dab.3347 6.1 7.2(1) 5.1(1) Ok

Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
3 Centralized Forwarding Card WS-F6700-CFC SAD084205DY 2.0 Ok
5 Policy Feature Card 3 WS-F6K-PFC3BXL SAL09412SXU 1.6 Ok
5 MSFC3 Daughterboard WS-SUP720 SAL09412HDB 2.3 Ok
6 IDS 2 accelerator board WS-SVC-IDSUPG ADEI6120088 2.4 Ok

Mod Online Diag Status
---- -------------------
3 Pass
4 Pass
5 Pass
6 Pass


I have attached the current Cat6K/Sup720 full configuration and the IDSM-2 configuration.

The million dollar question:

Why can't I enforce blocking on SVI80? I have defined everything according to the docs and both options [blocking and rate limiting] are grayed out in my blocking device definition. I understand from the docs that rate limiting is not supported on VACLs, but if I am reading it correctly, ACLs should be.

So I have determined that I needed an ACL applied to the SVI as opposed to the VACL used for capture. I added:

ip access-list 2020
 permit ip any any

interface Vlan80
 ip address
 ip access-group 2020 in

I still do not get the option to block in IDM. Does this need to be added as a Cisco router (it doesn't seem to want to take Vlan80 as an interface) or a Cat6k blocking device?

All help appreciated. Thanks in advance.
