14-22
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting
Configuring Blocking and Rate Limiting Devices
The ARC uses ACLs on Cisco routers and switches to manage those devices. These ACLs are built as follows:
1. A permit line with the sensor IP address or, if specified, the NAT address of the sensor.
Note If you permit the sensor to be blocked, this line does not appear in the ACL.
2. The Pre-Block ACL, if one is specified. This ACL must already exist on the device.
Note The ARC reads the lines in the Pre-Block ACL and copies them to the beginning of the ACL it builds.
3. Any active blocks.
4. Either the Post-Block ACL, which must already exist on the device, or the line permit ip any any. The ARC reads the lines in the Post-Block ACL and copies them to the end of the ACL it builds; do not add permit ip any any when a Post-Block ACL is specified.
Note Make sure the last line in the ACL is permit ip any any if you want all unmatched packets to be permitted.
The ARC uses two ACLs to manage each device, and only one of them is active at any one time. The ARC builds the new ACL under the offline ACL name, then applies it to the interface. On the next cycle the ARC reverses the roles of the two ACLs.
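The following Python model is an added illustration, not Cisco's code, of how the ARC assembles a blocking ACL from the four parts listed above and how it alternates between the two ACL names across cycles. The addresses, ACL names, Pre-Block and Post-Block lines are constructed values, and the deny-line form used for an active block is an assumption made for readability; the ordering rules themselves follow this section.

```python
# Added illustration (not Cisco's code): a model of how the ARC assembles the
# blocking ACL on a managed Cisco device, following the ordering rules in this
# section. Addresses, ACL names and Pre-/Post-Block lines are constructed values.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ArcDeviceConfig:
    sensor_ip: str                      # address of the sensor
    nat_ip: Optional[str] = None        # NAT address of the sensor, if the device sees one
    allow_sensor_block: bool = False    # True = "permit the sensor to be blocked"
    pre_block_acl: List[str] = field(default_factory=list)  # lines read from the device's Pre-Block ACL
    post_block_acl: Optional[List[str]] = None              # None = no Post-Block ACL specified


def build_acl(cfg: ArcDeviceConfig, active_blocks: List[str]) -> List[str]:
    """Assemble the ACL body in the order the ARC uses.

    1. permit line for the sensor (NAT address if specified), unless the
       sensor itself may be blocked;
    2. Pre-Block ACL lines, copied to the beginning;
    3. one deny line per active host block (assumed form for this model);
    4. Post-Block ACL lines copied to the end, or 'permit ip any any'
       when no Post-Block ACL is specified.
    """
    lines: List[str] = []
    if not cfg.allow_sensor_block:
        lines.append(f"permit ip host {cfg.nat_ip or cfg.sensor_ip} any")
    lines.extend(cfg.pre_block_acl)
    lines.extend(f"deny ip host {addr} any" for addr in active_blocks)
    if cfg.post_block_acl is not None:
        lines.extend(cfg.post_block_acl)   # never add permit ip any any in this case
    else:
        lines.append("permit ip any any")
    return lines


def permits_unmatched(acl: List[str]) -> bool:
    """The check behind the Note: unmatched packets are permitted only if the
    last line is 'permit ip any any' (the device's implicit deny applies otherwise)."""
    return bool(acl) and acl[-1].strip() == "permit ip any any"


def render_ios(name: str, acl: List[str]) -> str:
    """Render as an IOS named extended ACL for reading; not what the ARC sends verbatim."""
    return "\n".join([f"ip access-list extended {name}"] + [f" {line}" for line in acl])


class AclRotation:
    """The ARC keeps two ACL names on the device and only one is active at a time:
    each cycle builds into the offline name, applies it, then swaps the roles."""

    def __init__(self, name_a: str, name_b: str) -> None:
        self.active, self.offline = name_a, name_b

    def cycle(self, cfg: ArcDeviceConfig, active_blocks: List[str]) -> Tuple[str, List[str]]:
        target = self.offline
        body = build_acl(cfg, active_blocks)
        self.offline, self.active = self.active, target   # target is now the applied ACL
        return target, body


if __name__ == "__main__":
    cfg = ArcDeviceConfig(
        sensor_ip="10.10.1.5",
        pre_block_acl=["permit tcp any host 10.10.1.20 eq 22"],   # constructed Pre-Block line
    )
    rot = AclRotation("IPS_ACL_0", "IPS_ACL_1")                   # constructed ACL names
    name, body = rot.cycle(cfg, ["192.0.2.44"])                    # constructed blocked host
    print(render_ios(name, body))
    print("unmatched packets permitted:", permits_unmatched(body))
```

Running the script prints the ACL the model would apply on the first cycle, with the sensor's permit line first, the Pre-Block line next, the block, and permit ip any any last; a second call to cycle() returns the other ACL name, which is the alternation the text describes. Supplying a post_block_acl shows why the Note matters: the trailing permit ip any any is no longer added, so whether unmatched packets pass depends entirely on what the Post-Block ACL ends with.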
Caution The ACLs that the ARC makes should never be modified by you or any other system. These ACLs are temporary and new ACLs are constantly being created by the sensor. The only modifications that you can make are to the Pre- and Post-Block ACLs.
If you need to modify the Pre-Block or Post-Block ACL, do the following:
1. Disable blocking on the sensor.
2. Make the changes to the configuration of the device.
3. Reenable blocking on the sensor.
When blocking is reenabled, the sensor reads the new device configuration.
Caution A single sensor can manage multiple devices, but you cannot use multiple sensors to control a single device. If more than one sensor needs to block through the same device, use a master blocking sensor.
For More Information
For the procedure for enabling blocking, see Configuring Blocking Properties, page 14-7.
For the procedure for configuring the sensor to be a master blocking sensor, see Configuring the Sensor to be a Master Blocking Sensor, page 14-28.