New Member

IDS 4215 - Shunning Question

Recently upgraded from 4210 to 4215. Able to shun intruders via the PIX, but how do I shun internal users?

All of my internal users are connected via Cisco 2950 switches. According to the documentation I can only shun on routers, PIX, and a switch that supports VACLs like the Catalyst 6500.

Do I have to upgrade one of my switches to a 6500?

3 REPLIES
Cisco Employee

Re: IDS 4215 - Shunning Question

To block/shun internal users from accessing the internet, you can still shun on the PIX.

To block/shun internal users from accessing other internal networks, you would need to shun on the Cisco routers (see the documentation for the list of supported routers) between the two networks.

To block/shun internal users from accessing other machines on the same network, the only supported mechanism is to use VLAN ACLs on a Catalyst 6500 running Cat OS.

New Member

Re: IDS 4215 - Shunning Question

Will shunning work on any switch that supports VLAN ACLs, or only the 6500?

I know that the 3550 supports VLAN ACLs and would be cost effective for our company.

Cisco Employee

Re: IDS 4215 - Shunning Question

The IDS only officially supports the devices listed in the User's Guide and does not include the 3550 switch.

With that said, however, I have heard of users implementing unsupported configurations.

I am not familiar with the 3550 and its operating system, so I am not sure what its capabilities are and what commands it supports.

If the 3550 is running IOS and has Router ACLs applied to virtual interfaces with IP addresses assigned to VLANs, then you may be able to configure the sensor to think that the 3550 is a Cisco Router. You would be limited to creating ACLs on the routable interface of the 3550, and it would be a Router ACL applied to the interface rather than a VLAN ACL. The difference is that the Router ACL is only applied against packets being routed between VLANs by the switch, while a VLAN ACL would be applied even if the packets stayed in the same VLAN.

If the 3550 is instead running an operating system more like the Cat OS on the Cat 6K, then it may support VLAN ACLs using the same commands as the Cat 6K running Cat OS. In which case you may be able to configure the sensor to think it is a Cat 6K switch and use VLAN ACLs.

Be aware that IOS running on the Cat 6K also has VLAN ACLs, but the syntax for VLAN ACLs in IOS is different than the syntax for VLAN ACLs in the traditional Cat OS. Because of this difference the sensor cannot create VLAN ACLs on the Cat 6K running Native IOS (though it can create Router ACLs, treating the switch like a router).

So if your 3550 supports IOS-like VLAN ACLs, then it won't work.

If you do try and get it to work then keep in mind that this will not be supported by the TAC.
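As an added illustration of the Router ACL versus VLAN ACL distinction described in the reply above (not configuration from the original thread or from the sensor itself), here are the two forms written by hand in Cisco IOS syntax. It assumes a Catalyst running IOS with a routed SVI on VLAN 10, a constructed host address 192.0.2.50 to block, and assumed names SHUN-RACL, SHUN-MATCH and SHUN-VACL.

```cisco
! Form 1: Router ACL on the SVI (what the reply says the sensor can create
! when it treats the switch as a router). Blocks the host only for packets
! the switch ROUTES out of VLAN 10; hosts in the same VLAN still reach it.
ip access-list extended SHUN-RACL
 deny ip host 192.0.2.50 any
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group SHUN-RACL in
!
! Form 2: VLAN ACL (IOS "vlan access-map" syntax, which the reply notes the
! sensor cannot generate). Applied to every frame in VLAN 10, bridged or
! routed, so the host is cut off from its own VLAN neighbours as well.
ip access-list extended SHUN-MATCH
 permit ip host 192.0.2.50 any
 permit ip any host 192.0.2.50
!
vlan access-map SHUN-VACL 10
 match ip address SHUN-MATCH
 action drop
vlan access-map SHUN-VACL 20
 action forward
!
vlan filter SHUN-VACL vlan-list 10
```

Note that in the VLAN map the ACL names the traffic to match, and the map's `action drop` does the blocking; the trailing sequence with `action forward` is what keeps all other traffic flowing.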
