
Lab 9.5.1 Configuring IP Blocking 

Objectives 

In this lab exercise you will complete the following tasks: 

■ Configure your Sensor to perform IP blocking.
■ Create a string match signature with action IP blocking.
■ Trigger the string match signature.
■ View a list of blocked hosts.
■ Remove blocked hosts and networks.

Visual Objective 

This figure displays the information you will need to complete this lab exercise.  

[Figure: lab topology]
Pod P (Your Pod) and Pod Q (Peer Pod) are joined by the 172.30.1.0/24 backbone.
Router rP: e0/1 = 172.30.1.10P (backbone side), e0/0 = 10.0.P.1 (pod side). Pod P network 10.0.P.0/24: CSPM 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP); sensorP 10.0.P.4; idsmP 10.0.P.6.
Router rQ: e0/1 = 172.30.1.10Q (backbone side), e0/0 = 10.0.Q.1 (pod side). Pod Q network 10.0.Q.0/24: CSPM 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ); sensorQ 10.0.Q.4; idsmQ 10.0.Q.6.
(where P = your pod number and Q = peer pod number)

 

A pair of students has been assigned to a pod. Each pod has a complete set of 
equipment to complete the lab exercise. 

Task 1—Configure the Sensor to Perform IP Blocking 

Complete the following steps to configure a sensor to perform IP blocking: 

Step 1 

Select sensorP from the Network Topology Tree (NTT). 

(where P = pod number) 

Step 2 

Select the Blocking tab in the Sensor view panel. 

Step 3 

Select the Blocking Devices tab within the Blocking tab. 

Step 4 

Click Add to open the Blocking Device Properties window and configure the 
properties for IP blocking. 

Step 5 

Enter the following parameters in their respective fields: 


Cisco Secure Intrusion Detection System 2.1—Lab 9.6.1 
Copyright © 2001, Cisco Systems, Inc. 

Setting              Value 
Telnet IP Address    10.0.P.1 (where P = pod number) 
Telnet Username      Leave blank 
Telnet Password      cisco 
Enable Password      cisco 
Interface Name       Ethernet0/1 
Interface Direction  Inbound 

Note 

Do not add a space between the interface name and the interface number. 

Step 6 

Click OK in the Blocking Device Properties window. 

Step 7 

Click OK in the Sensor view panel to accept your changes. 

Step 8 

Click Save on the top toolbar to save your changes. 

Task 2—Create a String Match Signature with IP Blocking Response 

Complete the following steps to create a string signature that when triggered will 
respond with a block command: 

Step 1 

Select My Signatures from the Sensor Signatures folder. 

Step 2 

Select the Signatures tab in the Signatures view panel. 

Step 3 

Select the String Signatures tab within the Signatures tab. 

Step 4 

Click Add to create a string signature entry. 

Step 5 

Enter the following parameters in their respective fields: 

Setting      Value 
String       blockP (where P = pod number) 
Port         23 (Telnet) 
Direction    Keep the default of To 
Occurrences  Keep the default of 1 
Severity     Keep the default of High 
Enable       Keep the default of checked 
Actions      Select Block only, and deselect TCP Reset and IP Log 
Comment      string match for block 

 

Step 6 

Click OK in the Signatures view panel to accept your changes. 

Step 7 

Click Update on the toolbar to save your changes and update the configuration 
files. 

Step 8 

Click Continue in the Save Template window. 

Step 9 

Select sensorP from the NTT. 

(where P = pod number) 


Step 10 

Select the Command tab in the Sensor view panel. 

Step 11 

Click the Approve Now button in the Command Approval section. Wait for the 
configuration files to be downloaded to the Sensor. 

Step 12 

After you get an Upload completed message in the Status section, proceed to the 
next task. 

Task 3—Trigger the String Match Signature 

Complete the following steps to trigger the string signature: 

Step 1 

From your own CSPM host, telnet to your peer’s router as assigned by the 
instructor and log on with the password cisco. 

Step 2 

At the router prompt, enter the following: 

r0> blockQ 

(where Q = peer’s pod number) 

Your peer’s Event Viewer displays the new alarm and your session is blocked. 
Your session will hang and no input is allowed. 

Note 

The block may take a few seconds to occur. 

Step 3 

To get out of the hung connection, close your Telnet client. 

Step 4 

Attempt to telnet to your peer’s router to confirm the block was successful. 

 

Task 4—Perform a Manual Block 

Complete the following steps to perform a manual block on a network as assigned 
by the instructor. 

Step 1 

Choose Actions>Block >Network from the Event Viewer menu. The Shunning 
of Hosts window opens, showing the status of the block command. 

Task 5—View a List of Blocked Hosts 

Complete the following steps to view a list of blocked hosts: 

Step 1 

After your peer triggers your string match signature, go to your Event Viewer and 
select the alarm that was triggered. 

Step 2 

Choose View>Block List from the Event Viewer menu. The Shun List window 
opens. 

Q 1)  What are the IP addresses of the hosts or network address being blocked? 

A)  

Q 2)  How much time is remaining before the block will be automatically removed for 

each host or network? 

A) 

 

Step 3 

Click OK to close the window. 


Task 6—Remove the Block 

Complete the following steps to remove the block on all hosts. 

Step 1 

Choose Actions>Remove Block >All from the Event Viewer menu. The 
Removing Shun of Hosts window opens. 

Step 2 

Click OK to close the window.
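The detection-to-block chain that Tasks 1 through 6 exercise, as an added Python model. This is example code written for this edit, not CSPM or Sensor software, and it never contacts a router. It shows what the GUI steps hide: the string signature matched against a Telnet stream that arrives one keystroke per segment (Tasks 2 and 3), the Shun List holding each blocked host or network with the time remaining that Task 5 asks about, a manual network block (Task 4), Remove Block > All (Task 6), and the shape of the access list a block would apply inbound on Ethernet0/1 under the Task 1 parameters. Assumptions, none of them from the lab: pod numbers P=1 and Q=2, a 30-minute block duration, access-list number 199, and the network 192.168.5.0/24 for the manual block; host and router addresses follow the Visual Objective figure.

```python
import ipaddress
from dataclasses import dataclass

BLOCK_SECONDS = 30 * 60   # assumed default block duration; the lab does not state one


@dataclass
class StringSignature:
    string: str
    port: int
    direction: str = "To"     # "To": data sent to `port` (client -> server)
    occurrences: int = 1
    action: str = "Block"     # lab: Block only, TCP Reset and IP Log deselected


class BlockList:
    """The Shun List: blocked host ("10.0.1.3") or network ("192.168.5.0/24") -> expiry."""

    def __init__(self, duration=BLOCK_SECONDS):
        self.duration, self._entries = duration, {}

    def add(self, target, now):
        self._entries[target] = now + self.duration

    def remaining(self, target, now):
        expiry = self._entries.get(target)
        return None if expiry is None or expiry <= now else expiry - now

    def active(self, now):
        return [t for t, expiry in self._entries.items() if expiry > now]

    def remove_all(self):
        self._entries.clear()


class Sensor:
    """String matching on reassembled per-flow payload, so one keystroke per segment still hits."""

    def __init__(self, signatures, blocks):
        self.signatures, self.blocks = signatures, blocks
        self._streams = {}   # flow -> bytearray of payload not yet fully searched
        self._scanned = {}   # (flow, string) -> offset in that buffer searched so far
        self._hits = {}      # (flow, string) -> occurrences counted toward the threshold

    def inspect(self, src, sport, dst, dport, payload, now):
        alarms, flow = [], (src, sport, dst, dport)
        buf = self._streams.setdefault(flow, bytearray())
        buf += payload
        for sig in self.signatures:
            if (dport if sig.direction == "To" else sport) != sig.port:
                continue
            needle, skey = sig.string.encode(), (flow, sig.string)
            pos = self._scanned.get(skey, 0)
            while (i := buf.find(needle, pos)) != -1:
                pos = i + len(needle)
                hits = self._hits.get(skey, 0) + 1
                if hits >= sig.occurrences:
                    hits = 0
                    if sig.action == "Block":
                        self.blocks.add(src, now)   # block the flow's source address
                    alarms.append({"signature": sig.string, "src": src, "dst": dst,
                                   "port": dport, "action": sig.action})
                self._hits[skey] = hits
            # bytes more than len(needle)-1 behind the end cannot start a later match
            self._scanned[skey] = max(pos, len(buf) - len(needle) + 1)
        keys = [k for k in self._scanned if k[0] == flow]
        drop = min(self._scanned[k] for k in keys) if keys else len(buf)
        del buf[:drop]
        for k in keys:
            self._scanned[k] -= drop
        return alarms


def render_block_acl(blocks, now, interface="Ethernet0/1", direction="in", acl=199):
    """IOS lines for the active blocks on the lab's interface/direction (ACL 199 assumed)."""
    lines = [f"no access-list {acl}"]
    for target in blocks.active(now):
        net = ipaddress.ip_network(target, strict=False)
        rule = (f"host {net.network_address}" if net.num_addresses == 1
                else f"{net.network_address} {net.hostmask}")
        lines.append(f"access-list {acl} deny ip {rule} any")
    lines.append(f"access-list {acl} permit ip any any")
    return lines + [f"interface {interface}", f" ip access-group {acl} {direction}"]


def run_lab_scenario():
    """Constructed replay, P=1/Q=2: CSPM host 10.0.1.3 telnets to rQ 10.0.2.1 and types block2."""
    blocks = BlockList()
    sensor = Sensor([StringSignature("block2", 23)], blocks)
    t, alarms = 1000.0, []
    for i, part in enumerate([b"blo", b"ck", b"2\r\n"]):   # keystrokes split over segments
        alarms += sensor.inspect("10.0.1.3", 40000, "10.0.2.1", 23, part, t + i)
    result = {"alarms": alarms, "blocked": blocks.active(t + 5),
              "remaining": blocks.remaining("10.0.1.3", t + 5),
              "blocked_after_expiry": blocks.active(t + 2 + BLOCK_SECONDS)}
    blocks.add("192.168.5.0/24", t + 10)     # Task 4: manual block of a constructed network
    result["acl_with_network"] = render_block_acl(blocks, t + 10)
    blocks.remove_all()                       # Task 6: Actions > Remove Block > All
    result["acl_after_remove"] = render_block_acl(blocks, t + 10)
    return result
```

Two points the exercise glosses over follow from the model. The match is on clear text, so anything that can send blockP toward port 23 on the protected side can put an address on the Shun List; a Block-only response is therefore also a denial-of-service lever, and a blocking device should carry a never-block list covering the CSPM host, the Sensor and the router's own addresses. And the block lands as an access list bound to Ethernet0/1 inbound, so it displaces whatever access list is already bound there in that direction; check the router's existing configuration before choosing the interface and direction in Task 1.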