10-19
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Chapter 10 Configuring Blocking
Configuring Blocking Devices
– permit ip any any (not used if a Post-Block ACL is specified)
Note
Make sure the last line in the ACL is permit ip any any if you want all unmatched packets to be permitted. Without it, the implicit deny at the end of every IOS ACL drops any packet that no earlier line matched.
Network Access Controller (NAC) uses two ACLs to manage each device, and only one of them is active at any one time. NAC builds the new ACL under the offline ACL name and then applies it to the interface; on the next cycle it reverses the process, building under the other name.
Note
The ACLs that NAC creates are not removed from the managed device after you configure NAC to no longer manage that device. You must remove the ACLs manually on any device that NAC formerly managed.
If you need to modify the Pre-Block or Post-Block ACL, do the following:
1. Disable blocking on the sensor.
2. Make the changes to the device's configuration.
3. Reenable blocking on the sensor.
When blocking is reenabled, the sensor reads the new device configuration. For the procedure, see Disabling Blocking, page 10-6.
Caution
A single sensor can manage multiple devices, but you cannot use multiple sensors to control a single device. If more than one sensor needs to block on the same device, designate one of them as the master blocking sensor and let the others forward their block requests to it. For the procedure, see Configuring the Sensor to be a Master Blocking Sensor, page 10-25.
Configuring the Sensor to Manage Cisco Routers
This section describes how to configure the sensor to manage Cisco routers. It contains the following topics:
• Routers and ACLs, page 10-19
• Configuring the Sensor to Manage Cisco Routers, page 10-20
Routers and ACLs
You create and save the Pre-Block and Post-Block ACLs in your router configuration. These ACLs must be extended IP ACLs, either named or numbered. See your router documentation for more information on creating ACLs.
In the Pre-Block ACL and Post-Block ACL fields, enter the names of ACLs that are already configured on the router; the sensor does not create them for you.
The Pre-Block ACL is mainly used for permitting traffic that you never want the sensor to block. When a packet is checked against the ACL, the first line that matches determines the action. If the first matching line is a permit line from the Pre-Block ACL, the packet is permitted even though a deny line (from an automatic block) may appear later in the ACL. The Pre-Block ACL can therefore override the deny lines that result from blocks. Keep it as narrow as possible: an overly broad permit there (for example, permit ip any any) silently defeats every block the sensor issues on that interface.
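The following model, added here as an illustration and not code from the configuration guide or the IPS sensor, assembles the ACL in the order NAC writes it (Pre-Block entries, automatic block denies, then the Post-Block entries or a trailing permit ip any any) and evaluates packets against it with first-match semantics. It shows the override described above, and the Note earlier on this page: without a final permit ip any any, unmatched packets hit the implicit deny. The ACL lines and addresses are constructed; the model covers only permit/deny ip entries with any, host and wildcard addresses, and the exact text of an automatic block entry (deny ip host X any) is an assumption.

```python
"""
Model of the ACL that Network Access Controller (NAC) applies to a managed
router interface: Pre-Block ACL entries, then one deny per active block, then
the Post-Block ACL entries, or a trailing ``permit ip any any`` when no
Post-Block ACL is configured. Matching is first-match-wins, and a packet that
matches nothing hits the implicit deny at the end of every IOS ACL.

Constructed example for this guide, not code from Cisco or the IPS sensor.
Assumptions: only ``permit|deny ip <src> <dst>`` entries with ``any``,
``host A.B.C.D`` or ``A.B.C.D WILDCARD`` addresses are modelled, and the
automatic block entry is assumed to take the form ``deny ip host X any``.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class AclEntry(NamedTuple):
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                        # the original line, for reporting


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address wildcard": wildcard bits are the inverse of a netmask and must
    # be contiguous low-order bits for the spec to map onto a CIDR network.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    if (wildcard + 1) & wildcard:
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]!r} not supported")
    prefixlen = 32 - wildcard.bit_length()
    return ipaddress.ip_network((tok, prefixlen), strict=False), i + 2


def parse_entry(line: str) -> AclEntry:
    """Parse one extended IP ACL entry from the modelled subset of IOS syntax."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACL entry: {line!r}")
    return AclEntry(tokens[0], src, dst, line)


def build_nac_acl(pre_block: List[str], blocks: List[str],
                  post_block: Optional[List[str]]) -> List[AclEntry]:
    """Assemble entries in the order NAC writes them to the router."""
    lines = list(pre_block)
    lines += [f"deny ip host {ip} any" for ip in blocks]   # automatic blocks (assumed form)
    lines += list(post_block) if post_block else ["permit ip any any"]
    return [parse_entry(line) for line in lines]


def evaluate(acl: List[AclEntry], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, matching entry text) for a packet; first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action, entry.text
    return "deny", "(implicit deny)"


# Constructed router configuration: one host exempted by the Pre-Block ACL,
# two active blocks, and a Post-Block ACL that lacks its final permit.
PRE_BLOCK = ["permit ip host 10.1.1.5 any"]
BLOCKS = ["10.1.1.5", "172.16.9.20"]
POST_BLOCK_NO_PERMIT = ["deny ip 192.168.200.0 0.0.0.255 any"]


def demo() -> dict:
    """Evaluate the cases discussed in the text and return the verdicts."""
    acl_default = build_nac_acl(PRE_BLOCK, BLOCKS, None)
    acl_post = build_nac_acl(PRE_BLOCK, BLOCKS, POST_BLOCK_NO_PERMIT)
    return {
        # Pre-Block permit sits above the block's deny, so the block is overridden.
        "exempt_host": evaluate(acl_default, "10.1.1.5", "10.2.2.2"),
        "blocked_host": evaluate(acl_default, "172.16.9.20", "10.2.2.2"),
        # Unmatched traffic is permitted by the trailing permit ip any any ...
        "unmatched_default": evaluate(acl_default, "10.9.9.9", "10.2.2.2"),
        # ... but dropped by the implicit deny when the Post-Block ACL lacks it.
        "unmatched_post_no_permit": evaluate(acl_post, "10.9.9.9", "10.2.2.2"),
    }


if __name__ == "__main__":
    for case, (action, entry) in demo().items():
        print(f"{case:26} {action:6} via {entry}")
```

Running the model shows the exempt host permitted by its Pre-Block line although a block deny for it follows, the second blocked host denied, and the same unmatched packet permitted with the default trailing line but denied once a Post-Block ACL without permit ip any any replaces it. Feeding your own Pre-Block ACL through build_nac_acl with the addresses you expect the sensor to block is a quick way to confirm that no Pre-Block line masks a block you rely on.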