The Cisco Intrusion Detection System/Intrusion Prevention System (CIDS/CIPS) instructs switches
to block certain clients from accessing the wireless network when attacks involving these clients are detected at Layer 3 through Layer 7. This system offers significant network protection by helping to detect, classify, and stop threats including worms, spyware/adware, network viruses, and application abuse. Two methods are available to detect potential attacks:
- IDS sensors
- IDS signatures
IDS sensors can be configured to detect various types of IP-level attacks in the network. When the sensors identify an attack, they can alert the switch to shun the offending client. When a new IDS sensor is added, the IDS sensor should be registered with the switch so that the switch can query the sensor to get the list of shunned clients.
When an IDS sensor detects a suspicious client, it alerts the switch to shun this client. The shun entry is distributed to all switches within the same mobility group. If the client to be shunned is currently joined to a switch in this mobility group, the anchor switch adds this client to the dynamic exclusion list, and the foreign switch removes the client. The next time that the client tries to connect to a switch, the anchor switch rejects the handoff and informs the foreign switch that the client is being excluded.