Cisco Support Community

New Member

Time to Shun

I'm using a 4230 IDS F/E Sensor to detect and shun SMTP traffic with specific contents. I find that the shunning works but cannot prevent sessions with small payload, say 40-50 KB. Is there any way I can control the response time for the shun to work quicker and stop the current traffic?

Cisco Employee

Re: Time to Shun

Here are some hints for improving the time to shun. These are based on the fact that IDS uses a sequence of commands to shun on a router. Anything that reduces the number of commands sent should slightly improve the time to shun. Even in the best circumstances, it will still take a finite period of time, probably on the order of 1 - 3 seconds, for a shun to take effect.

1. Use a router that is sufficiently fast. Some smaller routers (e.g. 1605) take a long time to commit configurations.

2. Configure the sensor to control 1 interface on 1 router.

3. Do not configure the sensor to apply pre-shun ACLs or post-shun ACLs on that interface.

4. Minimize the number of always-shun addresses.

5. Try to avoid large numbers of simultaneously active shuns.