But shall I still be able to configure blocking on router interfaces?
- Yes, you can still configure the sensor to do blocking with ACLs on router interfaces.
There is one thing I don't understand generally:
Is it possible to configure router subinterfaces as blocking interfaces on the router?
- If the router supports applying ACLs to subinterfaces then yes. When you configure NAC (V4.x) or managed (v3.x) realize that it will connect to the router, execute "configure terminal" and then execute "interface" followed by the name you gave it. If you give it a subinterface name that works with the "interface" configuration command then you should be fine.
And what about CAt3550 SVIs?
- The Cat 3550 is not specifically supported at this time. You can look at the Config Guide to find the list of supported routers and switches.
With that said, I have heard that some users have gotten this to work. You can try, but realize that this will not be officially supported and you won't be able to talk with the TAC about any problems you experience. You will just need to post questions here to the Forum and see if other users can help you out if you run into problems.
If you try it, then you need to tell the sensor to manage it like an IOS Router. For the interface configuration you would specify the SVIs of the 3550 just like you would specify a physical interface of a router.
If yes, how does the IDS know which SVI to block based on the suspicious packet source/destination IP address?
- Officially NO, but unofficially it might. If you do get it to work then you need to realize that the sensor does not try to match where the alarm was (what vlan or IPs) to determine which interface to block on. Instead NAC or managed will block on ALL of the interfaces you tell it to. So when configuring NAC/managed you have to decide where you want the blocks applied and the same blocks will be applied to all of the interfaces.
