ACLs and VACLs; Maintaining State Across Restarts - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide
MainApp

ACLs and VACLs

If you want to filter packets on an interface or direction that Network Access Controller controls, you
can configure Network Access Controller to apply an ACL before any blocks (preblock ACL) and to
apply an ACL after any blocks (postblock ACL). These ACLs are configured on the network device as
inactive ACLs. You can define preblock and postblock ACLs for each interface and direction. Network
Access Controller retrieves and caches the lists and merges them with the blocking ACEs whenever it
updates the active ACL on the network device. In most cases, you will want to specify a preexisting ACL
as the postblock ACL so that it does not prevent any blocks from taking effect. ACLs work by matching
a packet to the first ACE that applies. If that first ACE permits the packet, a subsequent deny statement
is never reached, so a permit in the preblock ACL can shadow a block.
You can specify different preblock and postblock ACLs for each interface and direction, or you can reuse
the same ACLs for multiple interfaces and directions. If you do not want to maintain a preblock list, you
can use the never block option and always block hosts and networks by using existing configuration
statements. A forever block is a normal block with a timeout value of -1.
Network Access Controller only modifies ACLs that it owns. It does not modify ACLs that you have
defined. The ACLs maintained by Network Access Controller have a specific format that should not be
used for user-defined ACLs. The naming convention is IPS_<interface_name>_[in | out]_[0 | 1].
<interface_name> corresponds to the name of the blocking interface as given in the Network Access
Controller configuration. For Catalyst switches, it is the VLAN number of the blocking interface. Do not
use these names for preblock and postblock ACLs.
For Catalyst 6000 VACLs, you can specify a preblock and postblock VACL and only the interface is
specified (direction is not used in VLANs).
For firewalls, you cannot use preblock or postblock ACLs because the firewall uses a different API for
blocking. Instead you must create ACLs directly on the firewalls. For more information, see the section
on blocking with Cisco firewalls (page A-18).
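The merge order and first-match rule described above decide whether a block actually takes effect. The following Python model is an added example, not code from the Cisco guide or from Network Access Controller itself: the ACE representation, the merge function and the sample user ACL are constructed for illustration, and only the naming convention IPS_<interface_name>_[in | out]_[0 | 1] is taken from the text. It shows the same user ACL attached once as the preblock list and once as the postblock list, and why only the second placement lets the block deny win.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry (simplified: an action plus a source prefix)."""
    action: str   # "permit" or "deny"
    source: str   # CIDR prefix, or "any"
    origin: str   # which list contributed it: "preblock", "block" or "postblock"

    def matches(self, src_ip: str) -> bool:
        if self.source == "any":
            return True
        # strict=False lets a bare host such as "10.1.1.5" act as a /32
        return ip_address(src_ip) in ip_network(self.source, strict=False)


def acl_name(interface: str, direction: str, generation: int) -> str:
    """Controller-owned ACL name: IPS_<interface_name>_[in | out]_[0 | 1].
    Names of this form are reserved for the controller; user-defined preblock
    and postblock ACLs must not use them. Alternating 0/1 is an assumption
    about how the two generations are used."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    return f"IPS_{interface}_{direction}_{generation % 2}"


def build_active_acl(preblock: List[Ace], blocks: List[str], postblock: List[Ace]) -> List[Ace]:
    """Merge order from the text: preblock ACEs, then one deny per blocked host
    or network, then postblock ACEs. User entries are re-tagged by position."""
    merged = [Ace(a.action, a.source, "preblock") for a in preblock]
    merged += [Ace("deny", target, "block") for target in blocks]
    merged += [Ace(a.action, a.source, "postblock") for a in postblock]
    return merged


def evaluate(acl: List[Ace], src_ip: str) -> Optional[Ace]:
    """First-match evaluation: the first ACE that matches decides the packet's
    fate and nothing after it is consulted. None means no entry matched
    (the device's implicit deny applies)."""
    for ace in acl:
        if ace.matches(src_ip):
            return ace
    return None


def block_is_effective(user_acl: List[Ace], blocked: str, src_ip: str, as_preblock: bool) -> bool:
    """Does blocking `blocked` stop a packet from src_ip when the user's ACL is
    attached as the preblock list (True) or as the postblock list (False)?"""
    if as_preblock:
        acl = build_active_acl(user_acl, [blocked], [])
    else:
        acl = build_active_acl([], [blocked], user_acl)
    hit = evaluate(acl, src_ip)
    return hit is not None and hit.origin == "block"


# Constructed sample: a pre-existing user ACL that permits a trusted subnet
# and then permits everything else.
USER_ACL = [Ace("permit", "10.1.1.0/24", "user"), Ace("permit", "any", "user")]

if __name__ == "__main__":
    for as_pre in (True, False):
        where = "preblock" if as_pre else "postblock"
        print(f"user ACL as {where}: block of 10.1.1.5 effective ->",
              block_is_effective(USER_ACL, "10.1.1.5", "10.1.1.5", as_pre))
    print(acl_name("fe0", "in", 0), acl_name("fe0", "in", 1))
```

With the user ACL as the preblock list, the packet from 10.1.1.5 hits the user's permit first and the block deny is never reached; as the postblock list, the deny contributed by the controller is evaluated first and the block holds. That is the reason the text recommends placing a preexisting ACL as the postblock ACL.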

Maintaining State Across Restarts

When the blocked host list or blocked network list changes, the new lists (with starting timestamps) are
written to a local file (nac.shun.txt) that is maintained by Network Access Controller. When Network
Access Controller starts, this file is used to determine if any block updates should occur at the controlled
network devices. Any unexpired blocks found in the file are applied to the network devices at startup.
When Network Access Controller shuts down, no special actions on the ACLs are taken even if
outstanding blocks are in effect. The nac.shun.txt file is accurate only if the system time is not changed
while Network Access Controller is not running.
Caution: Do not make manual changes to the nac.shun.txt file.
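The restart behaviour described above (blocks persisted with their starting timestamps, unexpired ones re-applied at startup, and the dependence on an unchanged system clock) is modelled in this added Python example. It is not code from the Cisco guide or from Network Access Controller: the one-record-per-line JSON layout, the minutes unit for timeouts and the sample entries are constructed, since the real nac.shun.txt format is not shown on this page; only the -1 "forever" value comes from the text.

```python
import json
import tempfile
from dataclasses import asdict, dataclass
from typing import List, Optional

FOREVER = -1  # timeout value the text gives for a "forever" block


@dataclass
class Block:
    target: str    # blocked host or network, CIDR form
    start: float   # epoch seconds when the block was applied
    timeout: int   # duration in minutes (assumed unit); FOREVER (-1) never expires

    def expires_at(self) -> Optional[float]:
        return None if self.timeout == FOREVER else self.start + self.timeout * 60

    def is_expired(self, now: float) -> bool:
        exp = self.expires_at()
        return exp is not None and now >= exp


def save_state(blocks: List[Block], path: str) -> None:
    """Persist the block list with its starting timestamps, one JSON record
    per line (constructed layout, not the real nac.shun.txt format)."""
    with open(path, "w") as fh:
        for b in blocks:
            fh.write(json.dumps(asdict(b)) + "\n")


def load_state(path: str) -> List[Block]:
    """Read the persisted list back at startup."""
    with open(path) as fh:
        return [Block(**json.loads(line)) for line in fh if line.strip()]


def blocks_to_reapply(blocks: List[Block], now: float) -> List[Block]:
    """Startup logic from the text: every block whose timeout has not elapsed
    is pushed back out to the managed devices; expired ones are dropped."""
    return [b for b in blocks if not b.is_expired(now)]


def roundtrip(blocks: List[Block]) -> List[Block]:
    """Write the state to a temporary file and load it again."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        path = tmp.name
    save_state(blocks, path)
    return load_state(path)


NOW = 1_700_000_000.0  # constructed "current time" so the example is deterministic


def sample_blocks() -> List[Block]:
    """Constructed state as it might look when the controller is restarted."""
    return [
        Block("10.1.1.5", NOW - 600, 30),             # 10 min into a 30 min block: active
        Block("192.0.2.0/24", NOW - 86400, FOREVER),  # permanent block
        Block("198.51.100.9", NOW - 2400, 30),        # 40 min into a 30 min block: expired
    ]


if __name__ == "__main__":
    restored = roundtrip(sample_blocks())
    print("re-applied at startup:", [b.target for b in blocks_to_reapply(restored, NOW)])
    # If the clock was set back an hour while the controller was stopped, the
    # expired block looks live again; this is the accuracy caveat in the text.
    print("with clock set back 1h:", [b.target for b in blocks_to_reapply(restored, NOW - 3600)])
```

With the clock unchanged, only the active and the forever block are re-applied. Evaluating the same file against a clock set back by an hour revives the block that had already expired, which is why the file is accurate only if the system time is not changed while the controller is down.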
Blocking devices listed on this page (list fragment):
- Catalyst 6000 MSFC2 with Catalyst software 5.4(3) or later and Cisco IOS 12.1(2)E or later on the MSFC2
- Cisco ASA 500 series models: ASA 5510, ASA 5520, and ASA 5540
- FWSM

Note: The FWSM cannot block in multi-mode admin context.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Appendix A: System Architecture, Blocking, page A-16 (78-16527-01)
