Blocking With Catalyst Switches; Logapp - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Appendix A
System Architecture

Blocking with Catalyst Switches

Catalyst switches with a PFC filter packets using VACLs. VACLs filter all packets between VLANs and
within a VLAN.
MSFC router ACLs are supported when WAN cards are installed and you want the sensor to control the
interfaces through the MSFC2.

Note
An MSFC2 card is not a required part of a Catalyst switch configuration for blocking with VACLs.

Caution
When you configure Network Access Controller for the Catalyst switch, do not specify a direction with
the controlled interface. The interface name is a VLAN number. Preblock and postblock lists should be
VACLs.

The following commands apply to the Catalyst VACLs:

To view an existing VACL:
show security acl info acl_name
To block an address (address_spec is the same as used by router ACLs):
set security acl ip acl_name deny address_spec
To activate VACLs after building the lists:
commit security acl all
To clear a single VACL:
clear security acl map acl_name
To clear all VACLs:
clear security acl map all
To map a VACL to a VLAN:
set sec acl acl_name vlans

For more information, see Supported Blocking Devices, page 10-3.

LogApp

The sensor logs all events (alert, error, status, and debug messages) in a persistent, circular buffer. The
sensor also generates IP logs. The messages and IP logs are accessible through the CLI, IDM, ASDM,
and RDEP clients.
The IPS applications use LogApp to log messages. LogApp sends log messages at any of five levels of
severity: debug, timing, warning, error, and fatal. LogApp writes the log messages to
/usr/cids/idsRoot/log/main.log, which is a circular text file. New messages overwrite older messages
when the file reaches its maximum size; therefore, the last message written may not appear at the end of
the main.log. Search for the string "= END OF FILE =" to locate the last line written to the main.log.
The main.log is included in the show tech-support command output. If the message is logged at warning
level or above (error or fatal), LogApp converts the message to an evError event (with the corresponding
error severity) and inserts it in Event Store.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
A-19
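Because main.log is circular, reading it top to bottom can mix newer and older messages. The following added example (not from the Cisco guide) reorders a copy of main.log around the "= END OF FILE =" marker described in the LogApp section. It assumes the marker sits on its own line directly after the newest message; the function name and the sample lines are constructed for illustration.

```python
import sys

MARKER = "= END OF FILE ="  # string the guide says to search for in main.log


def unwrap_main_log(text, marker=MARKER, drop_partial=False):
    """Return (lines oldest-first, last line written or None).

    Assumptions (not from the guide): the marker sits on its own line directly
    after the newest message, and lines after it are older, not yet overwritten.
    """
    lines = text.splitlines()
    hits = [i for i, line in enumerate(lines) if marker in line]
    if not hits:
        # No marker: the write position is unknown, so keep file order.
        return lines, None
    if len(hits) > 1:
        raise ValueError(f"{len(hits)} markers found; cannot pick a write position")
    cut = hits[0]
    newer, older = lines[:cut], lines[cut + 1:]
    if drop_partial and older:
        # The first line after the marker can be the tail of a message that
        # was only partly overwritten; drop it when clean records are needed.
        older = older[1:]
    ordered = older + newer
    return ordered, (ordered[-1] if ordered else None)


# Constructed sample, not real sensor output: the file has wrapped once.
SAMPLE = "\n".join([
    "entry-05", "entry-06", "entry-07",
    MARKER,
    "ry-02",  # tail of a partly overwritten older entry
    "entry-03", "entry-04",
])

if __name__ == "__main__":
    # With a path argument, read a main.log copied out of show tech-support output.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    ordered, last = unwrap_main_log(text)
    print("last line written:", last)
    print("\n".join(ordered))
```

Run it on an exported copy of the log, not on the sensor itself, and treat the first line after the marker as possibly incomplete unless drop_partial is set.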
