Cisco Support Community
New Member

How does the ACL name work on the router for shunning?

I want to test shunning and have a question about the ACL name.

I configured the blocking device on the IDM:

- blocking interface=Fastethernet0/0

- direction=in

- Pre ACL name=IDS_PRE

- Post ACL name=IDS_POST

I changed the "ICMP-echo" signature to shunhost, and it successfully updated the router, but it added a new ACL under Fastethernet0/0 named IDS_Fastethernet0/0_in_0, and it toggles with IDS_Fastethernet0/0_in_1.

Q. Why does the ACL name not follow the name I configured on the IDM?

Thanks in advance.

1 ACCEPTED SOLUTION

Cisco Employee

Re: How does the ACL name work on the router for shunning?

I think there is some confusion about what PreACL and PostACL are.

The PreACL and PostACL entries in IDM do not affect the name of the ACL that the sensor creates on the router.

The sensor will always create an ACL named with the following format:

IDS_<interface>_<direction>_<0or1>

So for your configuration it would create the following ACL names:

IDS_Fastethernet0/0_in_0 and IDS_Fastethernet0/0_in_1

The reason it uses 2 ACLs is that it cannot edit an ACL that is currently applied on the interface. So if ACL 0 is currently applied, it will create ACL 1 and then apply ACL 1 (which unapplies ACL 0).

So then the sensor can remove 0, and create a new ACL 0 when a change needs to happen.

So what are the Pre and Post ACL names used for?

One of the biggest complaints we had with older versions of the sensor was that the user could not add lines to the ACL that the sensor was creating.

So we came up with the Pre and Post ACL features so that users could add entries to the ACL that the sensor creates.

The user must log in to the router itself and create an ACL with whatever name they want. Inside that ACL they put the entries that they eventually want to see at the top of the ACL that the sensor will create.

When they configure the sensor they take the name of the ACL they created and enter it into the field for PreACL name.

The user can do the same thing for entries they want at the bottom of the ACL generated by the sensor by creating another ACL on the router. They put in the entries they want to see at the bottom of the sensor-created ACL, and then enter that name in the PostACL name field.

So the Pre and Post ACL names are not going to be used when naming the sensor-created ACL.

Instead, those ACLs will be read off the router by the sensor, and the entries in those ACLs will be placed inside the ACL created by the sensor.
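The behaviour described in the answer above, as an added simulation that is not code from the forum post or from Cisco: a router model that refuses to edit or remove an applied ACL, and a sensor model that composes the blocking ACL from the Pre ACL entries, its own deny lines and the Post ACL entries, then rotates between the `_0` and `_1` names on every change. The Pre/Post ACL contents, the sensor and host addresses, and the `permit ip host <sensor> any` line at the top and `permit ip any any` line at the bottom of the generated ACL are assumptions for illustration; only the naming scheme and the pre/deny/post ordering come from the answer.

```python
"""Simulation of how an IPS sensor composes and rotates its blocking ACL on an
IOS router. Added example; not the sensor's real code. Entry contents, the
sensor-permit line and the trailing permit-any line are assumptions."""

from dataclasses import dataclass, field

# Constructed sample data: ACLs the operator typed on the router by hand,
# using the names entered in the IDM Pre/Post ACL fields (from the question).
ROUTER_ACLS = {
    "IDS_PRE": ["permit tcp any host 10.1.1.10 eq 22"],   # keep mgmt SSH reachable
    "IDS_POST": ["deny ip 192.0.2.0 0.0.0.255 any"],      # operator's static block
}


def acl_name(interface: str, direction: str, index: int) -> str:
    """Sensor naming scheme IDS_<interface>_<direction>_<0or1> (from the answer)."""
    assert index in (0, 1)
    return f"IDS_{interface}_{direction}_{index}"


def build_block_acl(pre, blocked_hosts, post, sensor_ip):
    """Pre entries on top, one deny per shunned host, Post entries below.
    The first and last permit lines are assumed, not stated in the thread."""
    lines = [f"permit ip host {sensor_ip} any"]          # assumption: never block the sensor
    lines += list(pre)
    lines += [f"deny ip host {h} any" for h in blocked_hosts]
    lines += list(post)
    lines.append("permit ip any any")                    # assumption: default permit
    return lines


@dataclass
class Router:
    """Minimal IOS model: an ACL that is applied to an interface cannot be changed."""
    acls: dict = field(default_factory=lambda: dict(ROUTER_ACLS))
    applied: dict = field(default_factory=dict)   # (interface, direction) -> ACL name
    log: list = field(default_factory=list)       # CLI the sensor would have sent

    def create(self, name, lines):
        self.acls[name] = lines
        self.log.append(f"ip access-list extended {name}")

    def apply(self, interface, direction, name):
        self.applied[(interface, direction)] = name
        self.log.append(f"interface {interface} / ip access-group {name} {direction}")

    def remove(self, name):
        if name in self.applied.values():
            raise RuntimeError(f"{name} is still applied; cannot edit or remove it")
        del self.acls[name]
        self.log.append(f"no ip access-list extended {name}")


@dataclass
class Sensor:
    """Sensor side: rebuild the whole ACL under the other index, swap, drop old."""
    router: Router
    interface: str
    direction: str
    pre_acl: str
    post_acl: str
    sensor_ip: str
    blocked: set = field(default_factory=set)
    index: int = -1                               # -1: nothing pushed yet

    def _push(self):
        pre = self.router.acls.get(self.pre_acl, [])      # read Pre ACL off the router
        post = self.router.acls.get(self.post_acl, [])    # read Post ACL off the router
        body = build_block_acl(pre, sorted(self.blocked), post, self.sensor_ip)
        new_index = 0 if self.index < 0 else 1 - self.index
        new_name = acl_name(self.interface, self.direction, new_index)
        self.router.create(new_name, body)                # build the unapplied twin
        self.router.apply(self.interface, self.direction, new_name)  # swap
        if self.index >= 0:                               # old one is now free to delete
            self.router.remove(acl_name(self.interface, self.direction, self.index))
        self.index = new_index
        return new_name

    def shun_host(self, ip):
        self.blocked.add(ip)
        return self._push()

    def unshun_host(self, ip):
        self.blocked.discard(ip)
        return self._push()


if __name__ == "__main__":
    r = Router()
    s = Sensor(r, "Fastethernet0/0", "in", "IDS_PRE", "IDS_POST", "10.1.1.5")
    s.shun_host("198.51.100.7")       # creates and applies ..._in_0
    s.shun_host("203.0.113.9")        # creates ..._in_1, applies it, removes ..._in_0
    print("\n".join(r.log))
    print("\n".join(r.acls[r.applied[("Fastethernet0/0", "in")]]))
```

Running the `__main__` block shows why the operator sees the name alternate: every shun or unshun produces a full new ACL under the index that is currently not applied, and the Pre and Post ACL names only ever appear as lookups, never as the name of the generated ACL.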
