Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 368

MainApp
Preexisting ACLs on routers and VACLs on switches
If an ACL already exists on a router interface or direction that Network Access Controller controls, you can specify that this ACL be merged into the Network Access Controller-generated configuration, either before any blocks (as a preblock ACL) or after any blocks (as a postblock ACL). The Catalyst 6000 VACL device types can have a preblock and a postblock VACL specified for each interface that Network Access Controller controls. The firewall device types use a different API to perform blocks, and Network Access Controller has no effect on preexisting ACLs on the firewalls.
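As an added illustration (not code from the guide or from Cisco), the following Python model shows why the preblock/postblock distinction matters: the generated list is built as preblock entries, then one deny per active block, then postblock entries. The ACL name, the entry syntax and the trailing `permit ip any any` are assumptions chosen here to resemble IOS extended ACLs; only the ordering comes from the text. The `first_match` check demonstrates that a permit placed in the preblock ACL shadows a block on the same host, whereas the same permit in the postblock ACL leaves the block effective.

```python
"""Model of how a blocking controller merges an operator's existing ACL
entries around the deny entries it generates for active blocks.

Added illustration, not Cisco code. The ACL name, entry syntax and the
trailing 'permit ip any any' are assumptions; the guide only gives the
ordering: preblock entries, then blocks, then postblock entries.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional


@dataclass
class BlockedTarget:
    address: str
    wildcard: str = "0.0.0.0"      # 0.0.0.0 = single host; 0.0.0.255 = whole /24


@dataclass
class InterfaceBlockingConfig:
    interface: str
    direction: str                 # "in" or "out"; routers block per interface/direction
    preblock: list[str] = field(default_factory=list)   # operator's existing entries
    postblock: list[str] = field(default_factory=list)


def deny_entry(target: BlockedTarget) -> str:
    """Render one generated deny entry in IOS-style wildcard syntax."""
    if target.wildcard == "0.0.0.0":
        return f"deny ip host {target.address} any"
    return f"deny ip {target.address} {target.wildcard} any"


def build_acl(cfg: InterfaceBlockingConfig, blocks: list[BlockedTarget]) -> list[str]:
    """Generated list: header, preblock, denies for blocks, postblock, final permit."""
    lines = [f"ip access-list extended IPS_{cfg.interface}_{cfg.direction}"]  # name assumed
    lines += [f" {e}" for e in cfg.preblock]
    lines += [f" {deny_entry(b)}" for b in blocks]
    lines += [f" {e}" for e in cfg.postblock]
    lines.append(" permit ip any any")   # assumed: without it the list would deny all other traffic
    return lines


def _src_matches(spec: list[str], src: str) -> bool:
    """spec = tokens after 'ip': ['any', ...], ['host', X, ...] or [addr, wildcard, ...]."""
    s = int(ip_address(src))
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return s == int(ip_address(spec[1]))
    addr, wild = int(ip_address(spec[0])), int(ip_address(spec[1]))
    return (s & ~wild) == (addr & ~wild)   # Cisco wildcard: set bits are don't-care


def first_match(acl: list[str], src: str) -> Optional[tuple[str, str]]:
    """Return (action, entry) of the first entry matching a source address, as a router would."""
    for line in acl[1:]:                   # skip the 'ip access-list' header
        action, _proto, *spec = line.split()
        if _src_matches(spec, src):
            return action, line.strip()
    return None


def demo() -> dict:
    """Constructed scenario: the operator's ACL permits 10.0.0.5, and the sensor blocks it."""
    blocks = [BlockedTarget("10.0.0.5"), BlockedTarget("192.0.2.77"),
              BlockedTarget("10.1.0.0", "0.0.0.255")]
    operator_permit = "permit ip host 10.0.0.5 any"
    pre = InterfaceBlockingConfig("FastEthernet0/1", "in", preblock=[operator_permit])
    post = InterfaceBlockingConfig("FastEthernet0/1", "in", postblock=[operator_permit])
    acl_pre, acl_post = build_acl(pre, blocks), build_acl(post, blocks)
    return {
        "acl_with_preblock": acl_pre,
        "preblock_permit": first_match(acl_pre, "10.0.0.5"),    # permit wins: block shadowed
        "postblock_permit": first_match(acl_post, "10.0.0.5"),  # deny wins: block effective
        "network_block": first_match(acl_pre, "10.1.0.9"),      # matched by the /24 wildcard
        "unlisted_host": first_match(acl_pre, "203.0.113.1"),   # falls through to the permit
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The practical check this gives an operator: before merging an existing ACL as a preblock ACL, look for permit entries that cover hosts or ranges the sensor may later want to block; a merged preblock permit silently neutralises the sensor's deny for that source, while a postblock placement keeps the block effective.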
Note
Catalyst 5000 RSM and Catalyst 6000 MSFC2 network devices are supported in the same way as Cisco routers.
For more information, see ACLs and VACLs, page A-16.
Forwarding blocks to a list of remote sensors
Network Access Controller can forward blocks to a list of remote sensors, so that multiple sensors can in effect collectively control a single network device. Such remote sensors are referred to as master blocking sensors. For more information on master blocking sensors, see Configuring the Sensor to be a Master Blocking Sensor, page 10-25.
Specifying blocking interfaces on a network device
You can specify the interface and direction where blocking is performed in the Network Access Controller configuration for routers. You can specify the interface where blocking is performed in the VACL configuration.
Note
Cisco firewalls do not block based on interface or direction, so this configuration is never specified for them.
Network Access Controller can simultaneously control up to 250 interfaces.
Blocking hosts or networks for a specified time
Network Access Controller can block a host or network for a specified number of minutes or indefinitely. Network Access Controller determines when a block has expired and unblocks the host or network at that time.
Logging important events
Network Access Controller writes a confirmation event when block or unblock actions are completed successfully or if any errors occur. Network Access Controller also logs important events such as loss and recovery of a network device communication session, configuration errors, and errors reported by the network device.
Maintaining the blocking state across Network Access Controller restarts
Network Access Controller reapplies blocks that have not expired when a shutdown or restart occurs. Network Access Controller removes blocks that have expired while it was shut down.
Note
Network Access Controller can only maintain the blocking state successfully if no one changes the system time while the application is shut down.
For more information, see Maintaining State Across Restarts, page A-16.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Appendix A, System Architecture, page A-14 (78-16527-01)
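The timed-block, event-logging and restart behaviour described above, together with the system-time caveat in the last note, are modelled in the following added Python example. It is not Cisco code: the FakeDevice stand-in, the event wording and the saved-state layout are assumptions; the rules it implements are the ones the text states (a block lasts N minutes or indefinitely, expired blocks are removed, unexpired blocks are reapplied after a restart, and every block or unblock action produces a confirmation or error event). Calling `run_scenario(-3600)` shows the caveat: with the clock set back an hour while the controller is down, a 30-minute block that should have expired is reapplied at restart and outlives its intended duration.

```python
"""Model of timed blocks, expiry, confirmation/error events and reapplying
blocks after a restart.

Added illustration, not Cisco code. FakeDevice, the event wording and the
saved-state format are assumptions; the rules modelled come from the guide.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Block:
    target: str                # host or network, e.g. "198.51.100.7" or "10.9.0.0/24"
    applied_at: float          # epoch seconds when first applied (persisted across restarts)
    minutes: Optional[int]     # None = indefinite

    def expired(self, now: float) -> bool:
        return self.minutes is not None and now >= self.applied_at + 60 * self.minutes


class FakeDevice:
    """Stand-in for the managed router: holds deny entries and can reject an update."""

    def __init__(self, reject: set[str] = frozenset()):
        self.denies: set[str] = set()
        self.reject = set(reject)

    def apply(self, target: str) -> None:
        if target in self.reject:
            raise RuntimeError(f"device rejected ACL update for {target}")
        self.denies.add(target)

    def remove(self, target: str) -> None:
        self.denies.discard(target)


class BlockController:
    def __init__(self, device: FakeDevice, clock: Callable[[], float]):
        self.device, self.clock = device, clock
        self.blocks: dict[str, Block] = {}
        self.events: list[tuple[str, str]] = []      # (level, message)

    def block(self, target: str, minutes: Optional[int]) -> bool:
        try:
            self.device.apply(target)
        except RuntimeError as exc:                  # error reported by the device is logged
            self.events.append(("error", f"block {target} failed: {exc}"))
            return False
        self.blocks[target] = Block(target, self.clock(), minutes)
        span = "indefinitely" if minutes is None else f"for {minutes} min"
        self.events.append(("info", f"block {target} {span} confirmed"))
        return True

    def unblock_expired(self) -> list[str]:
        """Periodic sweep: remove blocks whose time is up and log each removal."""
        now, removed = self.clock(), []
        for target, blk in list(self.blocks.items()):
            if blk.expired(now):
                self.device.remove(target)
                del self.blocks[target]
                self.events.append(("info", f"unblock {target} confirmed (expired)"))
                removed.append(target)
        return removed

    def save_state(self) -> list[tuple[str, float, Optional[int]]]:
        """What survives a shutdown: the block list with absolute timestamps."""
        return [(b.target, b.applied_at, b.minutes) for b in self.blocks.values()]

    @classmethod
    def restart(cls, device: FakeDevice, clock: Callable[[], float], saved) -> BlockController:
        """Reapply blocks that are still live; drop those that expired while down."""
        ctl, now = cls(device, clock), clock()
        for target, applied_at, minutes in saved:
            blk = Block(target, applied_at, minutes)
            if blk.expired(now):
                device.remove(target)
                ctl.events.append(("info", f"block {target} expired during shutdown; removed"))
            else:
                device.apply(target)
                ctl.blocks[target] = blk
                ctl.events.append(("info", f"block {target} reapplied after restart"))
        return ctl


def run_scenario(clock_change_while_down: int = 0) -> dict:
    """Constructed timeline. clock_change_while_down simulates someone resetting the
    system time (in seconds) while the controller is shut down; 0 = clock left alone."""
    t0 = 1_700_000_000
    now = [t0]

    def clock() -> float:
        return now[0]

    dev = FakeDevice(reject={"203.0.113.9"})
    ctl = BlockController(dev, clock)
    ctl.block("198.51.100.7", 30)       # expires at t0 + 30 min
    ctl.block("10.9.0.0/24", None)      # indefinite
    ctl.block("192.0.2.50", 5)          # expires at t0 + 5 min
    ctl.block("203.0.113.9", 10)        # device rejects it -> error event, never tracked
    now[0] = t0 + 10 * 60
    swept = ctl.unblock_expired()       # only the 5-minute block has expired
    saved = ctl.save_state()            # controller shuts down here
    now[0] = t0 + 40 * 60 + clock_change_while_down
    ctl2 = BlockController.restart(dev, clock, saved)
    return {
        "errors": [m for lvl, m in ctl.events if lvl == "error"],
        "swept_before_shutdown": swept,
        "saved": sorted(t for t, _, _ in saved),
        "active_after_restart": sorted(ctl2.blocks),
        "device_denies": sorted(dev.denies),
    }


if __name__ == "__main__":
    print("clock untouched:", run_scenario())
    print("clock set back 1h:", run_scenario(-3600))
```

The design point is that expiry is decided against absolute timestamps persisted with each block, so the controller needs no knowledge of how long it was down; that is exactly why a clock change during the outage corrupts the result, in either direction (set back: expired blocks come back; set forward: live blocks are dropped early). Indefinite blocks are immune, and a block the device rejected is never recorded, so it cannot be "reapplied" at restart.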