
Need to know how to block using SVIs with IDSM-2

I have been unable to get the SVIs on a Catalyst 6506 Sup720 to block using an IDSM-2 (v5.1.1g).

Relevant configuration Info:

Server ---(VL60)---SVI60[10.1.60.1/24]----SVI80[10.1.80.1/24]---IDSM2[Promiscuous, not inline]--(VL80)---PC[10.1.80.25/24]

interface Vlan80
 ip address 10.1.80.1 255.255.255.0
!
access-list 2000 permit ip any any
!
vlan access-map PREBLOCK 10
 match ip address 2000
 action forward capture
!
vlan filter PREBLOCK vlan-list 80
!
intrusion-detection module 6 management-port access-vlan 99
intrusion-detection module 6 data-port 1 capture
intrusion-detection module 6 data-port 1 capture allowed-vlan 80

cat6k-devices 10.1.80.1
communication ssh-des
profile-name Outside_Router
block-vlans 80
pre-vacl-name 2000

signatures 60001 0
 alert-severity high
 sig-fidelity-rating 75
 sig-description
  sig-name Block BadICMP
  sig-string-info Block BadICMP
  sig-comment Block BadICMP
  exit
 engine atomic-ip
  event-action produce-alert|request-block-host
  specify-l4-protocol yes
   l4-protocol icmp
    specify-icmp-seq no
    specify-icmp-type no
    specify-icmp-code yes
     icmp-code 8
     exit
    specify-icmp-id no
    specify-icmp-total-length no
    exit
   specify-payload-inspection no
   exit
  specify-ip-payload-length no
  specify-ip-header-length no
  specify-ip-tos no
  specify-ip-ttl no
  specify-ip-version no
  specify-ip-id no
  specify-ip-total-length no
  specify-ip-option-inspection no
  specify-ip-addr-options yes
   ip-addr-options ip-addr
    specify-src-ip-addr yes
     src-ip-addr 10.1.80.25
     exit
    specify-dst-ip-addr no
    exit
   exit
  exit
 event-counter
  specify-alert-interval no
  exit
 alert-frequency
  summary-mode summarize
   specify-global-summary-threshold no
   exit

IDSM2-PODX# packet display gigabitEthernet0/7
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_7: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_7, link-type EN10MB (Ethernet), capture size 65535 bytes
14:42:23.334127 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3066
14:42:24.335289 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3322
14:42:25.336257 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3578
14:42:26.338406 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3834
14:42:27.339528 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 4090
14:42:28.341637 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 4346
14:42:29.343774 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 4602
14:42:30.344715 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 4858
14:42:31.346860 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 5114
14:42:32.348013 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 5370
14:42:33.350168 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 5626
14:42:34.352024 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 5882
14:42:35.353130 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 6138
14:42:36.355325 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 6394
14:42:37.356463 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 6650
14:42:38.358607 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 6906
14:42:39.360561 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 7162
14:42:40.361706 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 7418

18 packets captured
18 packets received by filter
0 packets dropped by kernel
IDSM2-PODX#
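A check worth running before troubleshooting the blocking device itself, added here and not part of the post: replay the signature's own match criteria over the lines that `packet display` printed, to confirm the sensor actually sees a packet that satisfies them. The model below is a simplification (assumption: only the atomic-ip parameters used by signature 60001 are modelled, and only tcpdump-style echo request/reply lines are parsed; tcpdump prints those names for ICMP type 8 and type 0, both with code 0 per RFC 792). The first two sample lines are in the format of the post's capture; the third, an echo request from the PC, is constructed so the parser has a positive case, since the post's capture contains only echo replies from the server.

```python
"""Replay an atomic-ip signature's match criteria over IDSM-2 "packet display" lines.

Added example, not the poster's code and not the sensor's real matching engine:
only the parameters used by the post's signature 60001 are modelled (assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# tcpdump-style line as printed by "packet display" on the sensor (ICMP echo only).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp (?P<len>\d+): "
    r"(?P<msg>echo (?:reply|request)) seq (?P<seq>\d+)$"
)

# tcpdump names for ICMP type 0 / type 8; both carry code 0 (RFC 792).
ICMP_NAMES = {"echo reply": (0, 0), "echo request": (8, 0)}


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int


@dataclass(frozen=True)
class AtomicIpSig:
    """Subset of the atomic-ip engine parameters; None models 'specify-... no'."""
    sig_id: int
    l4_protocol: str = "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def parse_line(line: str) -> Optional[IcmpPacket]:
    """Return an IcmpPacket for an echo request/reply line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    icmp_type, icmp_code = ICMP_NAMES[m["msg"]]
    return IcmpPacket(m["src"], m["dst"], icmp_type, icmp_code)


def matches(sig: AtomicIpSig, pkt: IcmpPacket) -> bool:
    """Every criterion the signature specifies must hold; unspecified ones are ignored."""
    if sig.l4_protocol != "icmp":
        return False
    checks = [
        (sig.icmp_type, pkt.icmp_type),
        (sig.icmp_code, pkt.icmp_code),
        (sig.src_ip, pkt.src),
        (sig.dst_ip, pkt.dst),
    ]
    return all(want is None or want == got for want, got in checks)


def evaluate(capture: str, sig: AtomicIpSig) -> List[Tuple[str, bool]]:
    """Pair each parseable capture line with whether the signature would fire on it."""
    results = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            results.append((line, matches(sig, pkt)))
    return results


def count_hits(capture: str, sig: AtomicIpSig) -> int:
    """Number of captured packets on which the signature would fire."""
    return sum(1 for _, hit in evaluate(capture, sig) if hit)


# Signature 60001 as configured in the post: l4 icmp, icmp-code 8 with the
# type unspecified, source 10.1.80.25, destination unspecified.
SIG_60001 = AtomicIpSig(sig_id=60001, icmp_code=8, src_ip="10.1.80.25")

# Same criteria keyed on ICMP *type* 8 (echo request) instead, for comparison.
SIG_TYPE8 = AtomicIpSig(sig_id=60001, icmp_type=8, src_ip="10.1.80.25")

# Constructed sample: two lines in the format of the post's capture (echo replies
# from the server to the PC) plus one echo request from the PC, which the post's
# capture does not contain.
SAMPLE_CAPTURE = """\
14:42:23.334127 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3066
14:42:24.335289 IP 10.1.60.10 > 10.1.80.25: icmp 40: echo reply seq 3322
14:42:24.500000 IP 10.1.80.25 > 10.1.60.10: icmp 40: echo request seq 3578
"""

if __name__ == "__main__":
    for sig in (SIG_60001, SIG_TYPE8):
        print(f"sig {sig.sig_id} type={sig.icmp_type} code={sig.icmp_code}: "
              f"{count_hits(SAMPLE_CAPTURE, sig)} matching packet(s)")
        for line, hit in evaluate(SAMPLE_CAPTURE, sig):
            print("  ", "MATCH" if hit else "no   ", line)
```

Run against the three sample lines, the signature as configured (code 8, source 10.1.80.25) matches nothing: the two reply lines fail the source-address criterion, and under the RFC 792 mapping the echo request carries code 0, so `icmp-code 8` never holds for it. The comparison signature keyed on `icmp-type 8` matches the constructed request only. The practical point is that a block is only requested when a signature fires, so the capture the sensor sees needs to contain at least one packet that satisfies the signature before the blocking device configuration can be exercised at all.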

Re: Need to know how to block using SVIs with IDSM-2

Part 2 of Info:

CAT65K-PODX# sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Thu 23-Mar-06 19:38 by tinhuang
Image text-base: 0x40101040, data-base: 0x42DA8000

ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)

CAT65K-PODX uptime is 7 weeks, 7 hours, 55 minutes
Time since CAT65K-PODX switched to active is 7 weeks, 7 hours, 54 minutes
System returned to ROM by power cycle (SP by power on)
System image file is "disk0:s72033-adventerprisek9_wan-mz.122-18.SXF4.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
CAT65K-PODX#

CAT65K-PODX# sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL084359BZ
  4     8 Network Analysis Module                WS-SVC-NAM-2       SAD095005X4
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL09412WB4
  6     8 Intrusion Detection System             WS-SVC-IDSM-2      SAD101601NR

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  3 0012.435d.8b68 to 0012.435d.8b97   2.1    12.2(14r)S5  12.2(18)SXF4 Ok
  4 0012.80f1.d8c0 to 0012.80f1.d8c7   4.0    7.2(1)       3.4(1a)      Ok
  5 0013.7f0a.ff48 to 0013.7f0a.ff4b   4.3    8.1(3)       12.2(18)SXF4 Ok
  6 0016.9dab.3340 to 0016.9dab.3347   6.1    7.2(1)       5.1(1)       Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  3  Centralized Forwarding Card WS-F6700-CFC       SAD084205DY 2.0     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL09412SXU 1.6     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL09412HDB 2.3     Ok
  6  IDS 2 accelerator board     WS-SVC-IDSUPG      ADEI6120088 2.4     Ok

Mod  Online Diag Status
---- -------------------
  3  Pass
  4  Pass
  5  Pass
  6  Pass
CAT65K-PODX#

I have attached the current Cat6K/Sup720 full configuration and the IDSM-2 configuration.

The million dollar question:

Why can't I enforce blocking on SVI80? I have defined everything according to the docs and both options [blocking and rate limiting] are grayed out in my blocking device definition. I understand from the docs that rate limiting is not supported on VACLs, but if I am reading it correctly, ACLs should be.

So I have determined that I needed an ACL applied to the SVI as opposed to the VACL used for capture. I added:

ip access-list 2020
 permit ip any any
!
interface Vlan80
 ip address 10.1.80.1 255.255.255.0
 ip access-group 2020 in

I still do not get the option to block in IDM. Does this need to be added as a Cisco router (it doesn't seem to want to take Vlan80 as an interface) or a Cat6k blocking device?

All help appreciated. Thanks in advance.
