The Cisco Intrusion Detection System/Intrusion Prevention System (CIDS/CIPS) instructs controllers to block certain clients from accessing the wireless network when attacks involving these clients are detected at Layer 3 through Layer 7. This system offers significant network protection by helping to detect, classify, and stop threats including worms, spyware/adware, network viruses, and application abuse. Two methods are available to detect potential attacks:
- IDS sensors
- IDS signatures
IDS sensors can be configured to detect various types of IP-level attacks in the network. When a sensor identifies an attack, it can alert the controller to shun the offending client. A newly added IDS sensor must be registered with the controller so that the controller can query the sensor for its list of shunned clients.
When an IDS sensor detects a suspicious client, it alerts the controller to shun this client. The shun entry is distributed to all controllers within the same mobility group. If the client to be shunned is currently joined to a controller in this mobility group, the anchor controller adds this client to the dynamic exclusion list, and the foreign controller removes the client. The next time that the client tries to connect to a controller, the anchor controller rejects the handoff and informs the foreign controller that the client is being excluded.