Cisco Systems IPS 7.1 Home Security System User Manual


A-19
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
MainApp
Blocking with Catalyst Switches
Catalyst switches with a PFC filter packets using VACLs. VACLs filter all packets between VLANs and
within a VLAN. MSFC router ACLs are supported when WAN cards are installed and you want the
sensor to control the interfaces through the MSFC2.
Note An MSFC2 card is not a required part of a Catalyst switch configuration for blocking with VACLs.
Caution When you configure the ARC for the Catalyst switch, do not specify a direction with the controlled
interface. The interface name is a VLAN number. Preblock and postblock lists should be VACLs.
The following commands apply to the Catalyst VACLs:
To view an existing VACL:
show security acl info acl_name
To block an address (address_spec is the same as used by router ACLs):
set security acl ip acl_name deny address_spec
To activate VACLs after building the lists:
commit security acl all
To clear a single VACL:
clear security acl map acl_name
To clear all VACLs:
clear security acl map all
To map a VACL to a VLAN:
set sec acl acl_name vlans
Logger
The sensor logs all events (alert, error, status, and debug messages) in a persistent, circular buffer. The
sensor also generates IP logs. The messages and IP logs are accessible through the CLI, IDM, and
ASDM.
The IPS applications use the Logger to log messages. The Logger sends log messages at any of five levels
of severity: debug, timing, warning, error, and fatal. The Logger writes the log messages to
/usr/cids/idsRoot/log/main.log, which is a circular text file. New messages overwrite older messages
when the file reaches its maximum size; therefore the last message written may not appear at the end of
the main.log. Search for the string “= END OF FILE =” to locate the last line written to the main.log.
The main.log is included in the show tech-support command output. If the message is logged at warning
level or above (error or fatal), the Logger converts the message to an evError event (with the
corresponding error severity) and inserts it in the Event Store.
The Logger receives all syslog messages, except cron messages, that are at the informational level and
above (*.info;cron.none), and inserts them into the Event Store as evErrors with the error severity set to
Warning. The Logger and application logging are controlled through the service logger commands.
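Because main.log is circular, the newest entry is not at the end of the file. The following is an added example, not Cisco code, that reassembles a wrapped main.log into chronological order and picks out the warning-and-above messages that the Logger also raises as evError events; it assumes the "= END OF FILE =" marker is written on its own line immediately after the newest message, and the "HH:MM:SS level: text" line format and the sample log are constructed for the example.

```python
# Added example (not Cisco's code). Assumes the marker occupies its own line
# right after the newest entry, so text after it is the oldest surviving data.
import re

MARKER = "= END OF FILE ="
EVERROR_LEVELS = {"warning", "error", "fatal"}   # promoted to evError per the guide
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+): (.*)$")  # constructed line format

SAMPLE_MAIN_LOG = """\
12:00:05 warning: sensorApp: signature update engine restarted
12:00:06 debug: mainApp: heartbeat
12:00:07 error: nac: blocking device unreachable
= END OF FILE =
ng: stale tail of an overwritten line
11:59:58 debug: mainApp: heartbeat
11:59:59 fatal: collaborationApp: out of memory
"""  # constructed sample of a wrapped circular log


def split_at_marker(text):
    """Return (newest_segment, oldest_segment); no marker means no wrap yet."""
    lines = text.splitlines()
    if MARKER not in lines:
        return lines, []
    i = lines.index(MARKER)
    return lines[:i], lines[i + 1:]


def chronological(text):
    """Older content after the marker goes first; a line fragment clobbered
    by the marker (no timestamp prefix) is dropped."""
    newer, older = split_at_marker(text)
    if older and not LINE_RE.match(older[0]):
        older = older[1:]
    return older + newer


def last_written(text):
    """The most recent message is the line just before the marker."""
    newer, _ = split_at_marker(text)
    return newer[-1] if newer else None


def everror_candidates(text):
    """Messages at warning level or above, which also land in the Event Store."""
    out = []
    for line in chronological(text):
        m = LINE_RE.match(line)
        if m and m.group(2) in EVERROR_LEVELS:
            out.append(line)
    return out
```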