When I get this message, I am assuming there is a limit to how many IPs can be blocked in the deny ACL applied to the routers. Is this a hard limit, or can I change it? If so, where? Are there any potential hazards to raising this limit? I don't like the idea of nastygrams getting through because I've blocked a bunch of ignorant Code Red zombies.
The default value, if I remember correctly, is about 150 hosts being shunned.
This however, is configurable.
Versions earlier than 3.0(3)Sx had an absolute maximum for the token of about 200 hosts, but after version 3.0(3)Sx there is no maximum value that I am aware of.
Last I checked, however, I don't think that CSPM would allow you to change this token's configuration. You may want to check in the Blocking tab and see if there is a configuration entry for maximum number of shunned hosts or something that sounds like that.
If the configuration entry is not there then there is a workaround.
CSPM relies on template files.
You would need to find the template files directory for the sensor version you are using.
Then edit the managed.conf template file and edit the following line to the value you want.
This edit would affect all sensors of that version.
If using nrConfigure the configuration is in the Shunning tab of the Device Management configuration window for the sensor.
The more hosts being shunned the more the router performance can be affected. All packets going through the interface and direction to which the acl was applied by managed will have to be checked against the acl. The larger the acl the longer it takes to check.
On some routers there is also a limit based on the size of NVRAM for the router. Since the shuns are ACL entries which are written to the router configuration they have to be saved to NVRAM, but some routers do not have very much space for saving router configurations. On smaller routers I would keep the 150 limit; on larger routers like the 7500 a limit of 2 or 300 may be just fine. Managed on the sensor will not prevent you from creating access lists that are too large to save to the router's NVRAM.
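A check a defender can run before raising the shun limit, written as an added example (it is not from the original thread or from Cisco): it parses a saved `show version` and `show running-config` (both constructed samples below; the ACL name `IDS_shun_in` is an assumed placeholder) and estimates, assuming an uncompressed startup-config, whether the configuration would still fit in NVRAM if the shun ACL grew to the new maximum.

```python
import re

# Constructed sample device output; hostname, ACL name and addresses are illustrative.
SHOW_VERSION = """Cisco 2500 (68030) processor (revision N) with 14336K/2048K bytes of memory.
32K bytes of non-volatile configuration memory.
"""

RUNNING_CONFIG = """!
hostname edge-rtr
!
ip access-list extended IDS_shun_in
 deny ip host 192.0.2.10 any
 deny ip host 192.0.2.11 any
 deny ip host 198.51.100.7 any
 permit ip any any
!
interface Serial0
 ip access-group IDS_shun_in in
!
end
"""

NVRAM_RE = re.compile(r"(\d+)K bytes of non-volatile configuration memory")
# Worst-case size of one shun entry (longest possible dotted-quad host address).
WORST_CASE_ENTRY_BYTES = len(" deny ip host 255.255.255.255 any\n")


def nvram_bytes(show_version: str) -> int:
    """Return the NVRAM size in bytes reported by 'show version'."""
    match = NVRAM_RE.search(show_version)
    if not match:
        raise ValueError("no NVRAM size line found in show version output")
    return int(match.group(1)) * 1024


def count_shun_entries(config: str, acl_name: str) -> int:
    """Count 'deny' entries inside the named extended ACL block."""
    in_block, count = False, 0
    for line in config.splitlines():
        if line.startswith("ip access-list") and line.split()[-1] == acl_name:
            in_block = True
        elif in_block and not line.startswith(" "):
            in_block = False  # first non-indented line ends the ACL block
        elif in_block and line.strip().startswith("deny "):
            count += 1
    return count


def check_shun_capacity(config: str, show_version: str, acl_name: str, max_shuns: int) -> dict:
    """Project the config size at max_shuns entries and compare it with NVRAM capacity."""
    capacity = nvram_bytes(show_version)
    current = count_shun_entries(config, acl_name)
    extra = max(0, max_shuns - current)
    projected = len(config.encode()) + extra * WORST_CASE_ENTRY_BYTES
    return {"nvram_bytes": capacity, "current_shuns": current,
            "projected_bytes": projected, "fits": projected <= capacity}
```

Run the check against the real outputs of the router the sensor manages; a `fits` of False means the new maximum could produce a startup-config that cannot be written to NVRAM.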