42-16
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
Blocking Page
Field Reference
Cat6k Block VLAN Dialog Box
Use the Add or Modify Cat6k Block VLAN dialog box to configure a blocking VLAN on a Catalyst
6500/7600 device that runs the Catalyst operating system and that is configured as an IPS blocking
device. The IPS sensor uses the VLAN for blocking actions.
Tip: If the Catalyst 6500/7600 runs Cisco IOS Software, add the device as a router, not a Cat6K.
Navigation Path
From the Add or Modify Cat6K Device dialog box, click the Add Row button beneath the VLANs table,
or select a row in the table and click the Edit Row button. For information on opening the Cat6K Device
dialog box, see Router, Firewall, Cat6K Device Dialog Box, page 42-14.
Table 42-6 Router Block Interface Dialog Box

Element / Description

Interface Name
    The name of the interface on the router that the IPS should use for
    blocking. Enter the name exactly as it is configured on the router (for
    example, GigabitEthernet0/1).

Direction
    The direction to apply the blocking ACL, In or Out.

Pre ACL Name
Post ACL Name
    The ACLs to combine with the blocking entries that the IPS creates to
    implement blocking actions. The Pre ACL is added before the blocking
    ACL, and the Post ACL is added after the blocking ACL. For more
    information, see Understanding Router and Switch Blocking Devices,
    page 42-4.

    Tip: If you have configured an ACL on the interface in the specified
    direction, you must specify the name of the ACL in the Pre or
    Post ACL Name field or the ACL will be removed from the
    interface. When you identify an interface and direction as a
    blocking interface, the IPS takes control of the ACL on that
    interface/direction.

    If you are managing the blocking device in Security Manager, you can
    identify the ACL name by selecting the blocking device, then selecting
    Tools > Preview Config. Look for the ip access-group command in the
    interface configuration, and check the direction. For example, the
    following lines show that there is an ACL named
    CSM_FW_ACL_GigabitEthernet0/1 in the In direction attached to the
    GigabitEthernet0/1 interface.

        interface GigabitEthernet0/1
         ip access-group CSM_FW_ACL_GigabitEthernet0/1 in

    In this example, if you configure GigabitEthernet0/1 in the In direction
    as a blocking interface, ensure that you specify
    CSM_FW_ACL_GigabitEthernet0/1 as a pre- or post-ACL. In most
    cases, you should specify the ACL as the post-ACL, so that the
    relatively short IPS blocking ACL first filters out undesirable traffic
    before the blocking device implements your other access rules.
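The following pre-flight check is an added example and is not part of the Cisco user guide or of Security Manager itself. It automates the Preview Config step described above: it parses the interface stanzas of an IOS configuration for ip access-group lines and, for a chosen blocking interface and direction, reports whether an ACL is already applied there and whether that ACL name has been carried into the Pre or Post ACL Name field. The configuration text, the interface names, the ACL names other than CSM_FW_ACL_GigabitEthernet0/1, and the function names are constructed for the example.

```python
"""Pre-flight check for an IPS blocking interface on a Cisco IOS router.

Scans the running configuration (as shown by Tools > Preview Config) for
'ip access-group <name> <in|out>' lines under each interface and flags the
case where the chosen blocking interface/direction already carries an ACL
that has not been named as the Pre or Post ACL. Such an ACL would be
removed when the IPS takes control of that interface/direction.
"""
import re

# Constructed sample configuration (not taken from a real device). The
# GigabitEthernet0/1 stanza mirrors the ip access-group example in the guide.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip access-group OUTSIDE_OUT out
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1 in
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
"""

_IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
_ACL_RE = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\s*$", re.IGNORECASE)


def parse_access_groups(config_text):
    """Return {interface: {direction: acl_name}} for every ip access-group line.

    IOS indents the lines of an interface stanza by one space; any
    non-indented line ('!', 'router ...', the next 'interface ...') ends it.
    """
    result = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        if line and not line.startswith(" "):
            current = None  # left the interface stanza
            continue
        m = _ACL_RE.match(line)
        if m:
            result[current][m.group(2).lower()] = m.group(1)
    return result


def check_blocking_interface(config_text, interface, direction,
                             pre_acl=None, post_acl=None):
    """Report whether choosing interface/direction for blocking is safe.

    Returns a dict with:
      status       'ok', 'acl-would-be-removed' or 'unknown-interface'
      existing_acl the ACL currently applied in that direction, if any
      advice       what to enter in the dialog box when action is needed
    """
    direction = direction.lower()
    groups = parse_access_groups(config_text)
    if interface not in groups:
        return {"status": "unknown-interface", "existing_acl": None,
                "advice": "interface name must match the router config exactly"}
    existing = groups[interface].get(direction)
    if existing is None:
        return {"status": "ok", "existing_acl": None, "advice": ""}
    if existing in (pre_acl, post_acl):
        return {"status": "ok", "existing_acl": existing, "advice": ""}
    # The guide recommends the Post ACL slot so the short blocking ACL
    # filters first and the existing access rules apply afterwards.
    return {"status": "acl-would-be-removed", "existing_acl": existing,
            "advice": "enter %s in the Post ACL Name field" % existing}


if __name__ == "__main__":
    print(check_blocking_interface(SAMPLE_CONFIG, "GigabitEthernet0/1", "In"))
    print(check_blocking_interface(SAMPLE_CONFIG, "GigabitEthernet0/1", "In",
                                   post_acl="CSM_FW_ACL_GigabitEthernet0/1"))
```

Run it against the text of Preview Config for the blocking device before saving the Router Block Interface dialog box; a status of acl-would-be-removed means the named ACL must be copied into the Pre or Post ACL Name field first.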