Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using Blacklist/whitelist on IDS



I am currently planning on implementation of 4360 IDS system that will not be inline but monitoring the data VLAN on a switch. Someone asked me if I was going to create a blacklist and a whitelist for the IDS. Would that even be worth creating such lists if the device is not going to be inline with data flows? And they also stated that Cisco, when they push out new IPS/IDS signatures, that they have a default blacklist/whitelist within the code of the signatures. Is that correct?



Everyone's tags (2)
New Member

You can opt for your IPS/IDS

You can opt for your IPS/IDS to participate in the CIsco Global Correlation Network. This will send some of your traffic statistics to a centralized location for analysis and policies will be created and distributed to IPS/IDS globally. This includes blacklisting certain IP addresses.

As for creating a whitelist/blacklist for your specific IDS, you can add hosts to a "Never Block" list. Typically, this is reserved for your NMS since its polling can be perceived as scanning. Your colleague may be talking about zones. The IDS allows multiple zones (internal, external, DMZ) with different policies assigned to each.

New Member

Thanks for the reply Jason!I

Thanks for the reply Jason!

I was wondering though would a blacklist/whitelist be beneficial since our implementation of the IDS is not inline to the data flow? The IDS implementation that we were approved to do is monitoring a switch port that is is OOB. So if there were a blacklist/whitelist implemented on the IDS then it will be worthless because it will not be able block or allow that traffic flow, correct?

New Member

My website ( is

My website ( is constantly getting attacked from china ip address I found a resource which lists all ip address should be banned but I'm not sure how to use this ip's ?

Can you help ?

Resource is :



Hall of Fame Super Silver

How you use them (if indeed

How you use them (if indeed that is possible in your environement) depends on the setup you have for hosting your site.

Can you tell us more about your hosting environment?

CreatePlease login to create content