Cisco Support Community
Community Member

shun in the same vlan

Is there a way to stop malicious data if the PCs are in the same VLAN?

Cisco Employee

Re: shun in the same vlan

Yes, block the IP of the offending PC. Are you doing this manually or letting the sensor manage the switch?

Cisco Employee

Re: shun in the same vlan

If the PCs are connected through a Catalyst 6000/6500 running Cat OS (not Native IOS) then you can use NAC (in v4.x) or managed (in v3.x) to create Vlan ACLs directly on the supervisor of the Cat (you specify the vlan).

When the sensor creates the Vlan ACL it will deny the entire IP of the attacker for the alarm.

If the PC is directly connected to the switch on that VLAN, then all packets to and from that PC's IP address will be denied.

If the PC is connected to a hub, another switch, or another VLAN, then the packets with that PC's source or destination IP will be denied if those packets go through the VLAN where the VACL is applied.

The auto created VACLs will not stop the initial packets of the attack and will not stop the packet that triggered the alarm. The VACLs will only stop additional packets.

The traditional shun/block will block the entire IP, but there is also a new shun/block connection option in version 4.x. The new shun/block connection option will block based on the attacker's IP, and the destination's IP and port. This type of shun blocks any additional packets on that connection, and prevents new connections from the attacker to the same service port on the destination, but still allows other packets to and from the client.

Though be aware that multiple connection shuns with the same attacker will result in a complete shun of the attacker's IP.
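An added model of the two block semantics described in this answer (example code written for this page, not Cisco sensor or switch code). It assumes a connection shun matches only the attacker-to-destination direction, and it assumes an escalation threshold of three connection shuns before the full-IP shun; the post says only "multiple".

```python
from dataclasses import dataclass

# Constructed packet model: only the fields the shun decisions look at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

class ShunTable:
    """Full-IP shun (VACL denying all traffic to/from the attacker) and
    connection shun keyed on attacker IP, destination IP and destination port."""
    def __init__(self, escalate_after=3):   # threshold is an assumption
        self.ip_shuns = set()
        self.conn_shuns = set()             # entries: (attacker, dst, dport)
        self.escalate_after = escalate_after

    def shun_ip(self, attacker):
        self.ip_shuns.add(attacker)

    def shun_connection(self, attacker, dst, dport):
        self.conn_shuns.add((attacker, dst, dport))
        # Repeated connection shuns for one attacker collapse into a full-IP shun.
        if sum(1 for a, _, _ in self.conn_shuns if a == attacker) >= self.escalate_after:
            self.shun_ip(attacker)

    def is_denied(self, pkt):
        # Full-IP shun: any packet to or from the attacker address is dropped.
        if pkt.src in self.ip_shuns or pkt.dst in self.ip_shuns:
            return True
        # Connection shun: only attacker traffic to that destination service.
        return (pkt.src, pkt.dst, pkt.dport) in self.conn_shuns

def replay(table, packets, trigger_index, attacker, victim, port):
    """Decide each packet in order. The sensor installs the VACL only after
    seeing the triggering packet, so that packet (and earlier ones) get through."""
    decisions = []
    for i, pkt in enumerate(packets):
        decisions.append(table.is_denied(pkt))
        if i == trigger_index:
            table.shun_connection(attacker, victim, port)
    return decisions

if __name__ == "__main__":
    # Constructed sample stream: attacker 10.0.1.50 hits 10.0.1.20 on port 445.
    stream = [Packet("10.0.1.50", "10.0.1.20", 445),   # triggers the alarm: passes
              Packet("10.0.1.50", "10.0.1.20", 445),   # same connection: denied
              Packet("10.0.1.50", "10.0.1.20", 80),    # other service: allowed
              Packet("10.0.1.50", "10.0.1.30", 445)]   # other host: allowed
    print(replay(ShunTable(), stream, 0, "10.0.1.50", "10.0.1.20", 445))
```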
