Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Shun Table Full message

When I get this message, I am assuming there is a limit to how many IPs can be blocked in the deny ACL applied to the routers. Is this a hard limit, or can I change it? If so, where? Are there any potential hazards to raising this limit? I don't like the idea of nastygrams getting through because I've blocked a bunch of ignorant Code Red zombies.

1 REPLY
Cisco Employee

Re: Shun Table Full message

The default value if i remember correctly is about 150 hosts being shunned.

This however, is configurable.

Versions earlier than 3.0(3)Sx had an absolute maximum for the token of about 200 hosts, but after version 3.0(3)Sx there is no maximum value that I am aware of.

Last I checked, however, I don't think that CSPM would allow you change this token's configuration. You may want to check in the Blocking tab and see if there is a configuration entry for maximum number of shunned hosts or something that sounds like that.

If the configuration entry is not there then there is a workaround.

CSPM relies on template files.

you would need to find the template files directory for the sensor version you are using.

Then edit the managed.conf template file and edit the following line to the value you want.

ShunMaxEntries 150

This edit would affect all sensors of that version.

If using nrConfigure the configuration is in the Shunning tab of the Device Management configuration window for the sensor.

Potential Hazards:

The more hosts being shunned the more the router performance can be affected. All packets going through the interface and direction to which the acl was applied by managed will have to be checked against the acl. The larger the acl the longer it takes to check.

On some routers there is also a limit based on the size of NVRAM for the router. Since the shuns are acl entries which are written to the router configuration they have to be saved to NVRAM, but some routers do not have very much space for saving router configurations. On smaller routers I would keep the 150 limit, on larger router like the 7500 a limit of 2 or 300 may be just fine. Managed on the sensor will not prevent you from creating access lists that are too large to save to the router's NVRAM.

90
Views
0
Helpful
1
Replies
CreatePlease login to create content