Blocking With The Catalyst 6000 - Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor Installation And Configuration Manual

Intrusion detection system appliance and module

Appendix A
Intrusion Detection System Architecture

Blocking with the Catalyst 6000

Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02

A Catalyst 6000 switch with a PFC card filters packets using VACLs. VACLs filter all packets between VLANs and within a VLAN.

MSFC router ACLs are supported when WAN cards are installed and you want the sensor to control the interfaces through the MSFC2.

Note: An MSFC2 card is not a required part of a Catalyst 6000 configuration for blocking with VACLs.

Caution: When you configure NAC for the Catalyst 6000, do not specify a direction with the controlled interface. The interface name is a VLAN number. Preblock and postblock lists should be VACLs.

The following commands apply to the Catalyst 6000 VACLs:

To view an existing VACL:
    show security acl info {aclname}

To block an address (address spec is the same as used by router ACLs):
    set security acl ip {aclname} deny {address spec}

To activate VACLs after building the lists:
    commit security acl all

To clear a single VACL:
    clear security acl map {aclname}

To clear all VACLs:
    clear security acl map all

To map a VACL to a VLAN:
    set sec acl {aclname} {vlans}

See Configuring Blocking Devices, page 10-67, for more information.

System Components
A-27
