Cisco Support Community
Community Member

permit statement for Sensor in Shun-Access-list

----------------------------E0-[IDS Router]-E1--(hostile)--

When I implement Shunning with the E0 interface on my IDS_Router to SHUN via OUT direction, I noticed a strange permit statement in the Shunning Access-list which seems to be allowing IDS_Sensor's IP to come in from the outside.


IP address is the NAT public address of my Sensor.

IDS_Router>show ip access-list


Extended IP access list IDS_Ethernet0_out_0

permit ip host any

permit ip any any


I realised that the "permit statement" for Sensor's IP address was there because by default we do not check the box under "device management" / "Allow device to shun sensor".

This permit statement is clearly wrong in my situation. Does it have anything to do with how I place the sensor? Does anyone else have this problem?

Thanks & regards,


Cisco Employee

Re: permit statement for Sensor in Shun-Access-list

Can you clarify two points? I didn't understand the network diagram at the start of your post. Also, is the problem that a non-public address (192...) is showing up in the ACL, or that the sensor address is showing up at all?

In the meanwhile, here is some background on the permit ACL entry....

The permit statement is included in the ACL to prevent the sensor from accidentally shunning itself. In other words, it is only needed on interfaces that actually route packets to/from the sensor. In the case where the sensor is shunning on an interface that never routes these packets, it would be reasonable to enable the Allow Device to Shun Sensor option when configuring the sensor.

Caveat: If the sensor is configured to shun on multiple routers and/or multiple interfaces, then the Allow Device to Shun Sensor option should only be selected for this purpose if NONE of the shunning interfaces will ever route sensor packets.

Suppose the router will carry sensor packets on the shunning interface, and the sensor has a NAT'ed address. Then the sensor should be configured to permit the NAT address in the shunning ACL. Your management software should have the option of specifying a sensor NAT address when configuring the net device for shunning.

Community Member

Re: permit statement for Sensor in Shun-Access-list

My question was on why the sensor address is showing up at all and you have answered my question.

Thanks for explaining the shunning process at length, I really appreciate it.



Cisco Employee

Re: permit statement for Sensor in Shun-Access-list

Managed won't know if the interface it is shunning on is the same interface it uses to telnet into the router.

If it is the same interface then the permit statement is needed to ensure that managed can always get into the router.

If the interface is not the same interface that managed is telnetting into, then you use that option you mentioned to allow the sensor to shun its own IP address, and managed will not put the sensor's IP address at the top of the ACL.

(You will then also be allowed to shun the sensor's ip address in case someone else tries using it, i.e. it permits managed to put in a deny statement for the sensor's ip address when it gets a shun request for the sensor ip, which it won't do otherwise)
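The following is an added example, not part of the thread and not Cisco's managed daemon or IOS code. It models the rule both Cisco Employee replies describe: with "Allow device to shun sensor" clear, managed puts a permit for the sensor's address (the NAT'ed address when NAT is in the path) ahead of every deny and refuses shun requests for that address; with the option set, the permit is omitted and the sensor's address can be denied like any other host. The ACL name is taken from the thread; the addresses (203.0.113.10, 198.51.100.7, 192.0.2.1) are constructed documentation addresses, and the IOS ACL text and first-match evaluator are simplified to source-host matching only.

```python
"""Illustrative model of how the IDS shunning ACL is assembled.

Added example, not Cisco code. ACL entries are rendered as simplified
IOS-style text so the two checkbox settings can be compared side by side.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class ShunAcl:
    """One shunning ACL as managed would build it for a router interface."""
    name: str                                   # e.g. IDS_Ethernet0_out_0 (from the thread)
    sensor_ip: str                              # address the sensor uses to reach the router
                                                # (its NAT'ed public address when NAT is in the path)
    allow_device_to_shun_sensor: bool = False   # the "Allow device to shun sensor" checkbox
    shunned: list[str] = field(default_factory=list)

    def shun(self, host: str) -> bool:
        """Apply a shun request. Returns False when the request is refused.

        With the checkbox clear, a request to shun the sensor's own address is
        dropped, because the resulting deny would lock the sensor out of the router.
        """
        ip_address(host)  # reject malformed input early
        if host == self.sensor_ip and not self.allow_device_to_shun_sensor:
            return False
        if host not in self.shunned:
            self.shunned.append(host)
        return True

    def render(self) -> list[str]:
        """Simplified IOS-style ACL text, in the order the router evaluates it."""
        lines = [f"ip access-list extended {self.name}"]
        if not self.allow_device_to_shun_sensor:
            # Self-protection entry: keeps the sensor's own packets ahead of every deny.
            lines.append(f" permit ip host {self.sensor_ip} any")
        for host in self.shunned:
            lines.append(f" deny ip host {host} any")
        lines.append(" permit ip any any")  # the trailing catch-all shown in the thread
        return lines


def first_match(acl_lines: list[str], src: str) -> str:
    """Evaluate a rendered ACL for a source address: first match wins, as on IOS."""
    for line in acl_lines[1:]:               # skip the 'ip access-list extended' header
        action, _proto, spec = line.split(maxsplit=2)
        target = spec.split()[0:2]           # ['host', '<ip>'] or ['any', 'any']
        if target[0] == "any" or target[1] == src:
            return action
    return "deny"                            # implicit deny at the end of every IOS ACL


def compare(sensor_ip: str, attacker: str) -> dict[str, list[str]]:
    """Build the ACL both ways after a shun request for an attacker and one for
    the sensor's own address (e.g. someone reusing or spoofing it)."""
    out = {}
    for allow in (False, True):
        acl = ShunAcl("IDS_Ethernet0_out_0", sensor_ip, allow_device_to_shun_sensor=allow)
        acl.shun(attacker)
        acl.shun(sensor_ip)
        out["allow_shun_sensor" if allow else "default"] = acl.render()
    return out


if __name__ == "__main__":
    # Constructed addresses for illustration only.
    for setting, lines in compare("203.0.113.10", "198.51.100.7").items():
        print(f"--- {setting} ---")
        print("\n".join(lines))
```

With the default setting the rendered ACL has the sensor permit as its first entry and no deny for the sensor address, so `first_match` returns "permit" for the sensor even though a shun request for it was received; with the option set, the same request produces a deny that first-match evaluation honours, which is exactly the lock-out the default guards against when the shunning interface is the one managed telnets through.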

