Configure Shunning on the PIX Security Appliance
Overview of shunning

The shun feature of the PIX Security Appliance allows a PIX, when combined with a Cisco IDS Sensor, to dynamically respond to an attacking host by preventing new connections and disallowing packets from any existing connection. A Cisco IDS device instructs the PIX to shun sources of traffic when those sources of traffic are determined to be malicious.

The shun command, intended for use primarily by a Cisco IDS device, applies a blocking function to an interface receiving an attack. The shun command is not interface specific. Traffic from the specified source address is dropped no matter which interface it arrives on. Packets containing the IP source address of the attacking host are dropped and logged until the blocking function is removed manually or by the Cisco IDS master unit. No traffic from the IP source address is allowed to traverse the PIX Security Appliance, and any remaining connections time out as part of the normal architecture. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.

The offending host can be inside or outside of a network protected by the PIX Security Appliance. If the shun command is used only with the source IP address of the host, no further traffic from the offending host is allowed.

The show shun command displays all currently enabled shuns, in the exact form in which each was specified. The no form of the shun command removes a shun identified by its IP source address.
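The following is an added illustration, not Cisco code or PIX output: a small Python model of the shun behaviour described above (blocking keyed on the source address, applied on every interface, dropping packets of connections that were already active, removable manually or by the IDS with the no form). The addresses, interface names and the "ids-sensor" actor label are constructed sample values.

```python
"""Constructed model of PIX shun semantics (added example, not Cisco code).

A shun table keyed on source IP; the forwarding decision ignores the arriving
interface, drops packets of already-established connections, and logs each
drop, matching the behaviour described in the text.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Packet:
    src: str
    dst: str
    interface: str  # e.g. "outside" or "inside"; irrelevant to the shun check


@dataclass
class ShunTable:
    shunned: set = field(default_factory=set)
    connections: set = field(default_factory=set)  # (src, dst) of active flows
    log: list = field(default_factory=list)

    def shun(self, src: str, actor: str = "operator") -> None:
        """'shun <src_ip>': block a source address on every interface."""
        ip = str(ip_address(src))  # raises ValueError on a malformed address
        self.shunned.add(ip)
        self.log.append(f"shun {ip} applied by {actor}")

    def no_shun(self, src: str, actor: str = "operator") -> bool:
        """'no shun <src_ip>': remove the block (manually or by the IDS)."""
        ip = str(ip_address(src))
        if ip not in self.shunned:
            return False
        self.shunned.remove(ip)
        self.log.append(f"shun {ip} removed by {actor}")
        return True

    def show_shun(self) -> list:
        """Currently enabled shuns, sorted by address."""
        return sorted(self.shunned, key=ip_address)

    def forward(self, pkt: Packet) -> bool:
        """True if the packet may traverse the firewall, False if dropped."""
        if pkt.src in self.shunned:
            # Dropped whether or not (src, dst) is an existing connection,
            # and whichever interface it arrived on.
            self.log.append(f"drop {pkt.src}->{pkt.dst} on {pkt.interface}")
            return False
        self.connections.add((pkt.src, pkt.dst))
        return True


def demo() -> dict:
    """Walk through apply / drop / remove with constructed sample traffic."""
    fw = ShunTable()
    attacker, victim, other = "203.0.113.5", "192.0.2.10", "198.51.100.7"
    before = fw.forward(Packet(attacker, victim, "outside"))  # flow is now active
    fw.shun(attacker, actor="ids-sensor")  # IDS instructs the firewall to shun
    during_outside = fw.forward(Packet(attacker, victim, "outside"))
    during_inside = fw.forward(Packet(attacker, victim, "inside"))
    other_ok = fw.forward(Packet(other, victim, "outside"))
    listed = fw.show_shun()
    removed = fw.no_shun(attacker)
    after = fw.forward(Packet(attacker, victim, "outside"))
    return {
        "before": before,
        "during_outside": during_outside,
        "during_inside": during_inside,
        "other_ok": other_ok,
        "listed": listed,
        "removed": removed,
        "after": after,
        "drops_logged": sum(1 for e in fw.log if e.startswith("drop ")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes explicit is that the check in forward() looks only at the source address: the packet on the existing connection and the packet arriving on the other interface are both dropped once the shun is in place, and traffic resumes only after the no form removes the entry.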