Chapter 23 Configuring Network Security
These restrictions apply to VACL logging:
• Supported only with Supervisor Engine 2.
• Because of the
• Only denied IP packets are logged.
To configure VACL logging, use the action drop log command action in VLAN access map submode (see the “Configuring VACLs” section on page
| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# vlan ... max_number | Sets the log table size. The content of the log table can be deleted by setting the maxflow number to 0. The default is 500 with a valid range of 0 to 2048. When the log table is full, logged packets from new flows are dropped by the software. |
| Step 2 | Router(config)# vlan ... | Sets the maximum redirect VACL logging packet rate. The default packet rate is 2000 packets per second with a valid range of 0 to 5000. Packets exceeding the limit are dropped by the hardware. |
| Step 3 | Router(config)# vlan ... pkt_count | Sets the logging threshold. A logging message is generated if the threshold for a flow is reached before the interval. By default, no threshold is set. |
| Step 4 | Router(config)# exit | Exits VLAN access map configuration mode. |
| Step 5 | Router# show vlan ... | (Optional) Displays the configured VACL logging properties. |
| Step 6 | Router# show vlan ... {{src_addr src_mask} \| any \| {host {hostname \| host_ip}}} {{dst_addr dst_mask} \| any \| {host {hostname \| host_ip}}} [vlan vlan_id] | (Optional) Displays the content of the VACL log table. |
| Step 7 | Router# show vlan ... | (Optional) Displays packet and message counts and other statistics. |
This example shows how to configure global VACL logging in hardware:
Router(config)# vlan
Router(config)# vlan
Router(config)# vlan
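To reason about how the maxflow, rate-limit and threshold settings interact before sizing them on a real switch, the following is an added model of the log-table behaviour described in the table above (example code, not from the Cisco guide); the one-second rate window and the reporting interval length are assumptions.

```python
# Added model of VACL logging semantics: hardware rate limit first, then the
# software log table (maxflow), then the per-flow threshold. Not Cisco code.

class VaclLogModel:
    def __init__(self, maxflow=500, ratelimit=2000, threshold=0, interval=5.0):
        self.maxflow = maxflow        # log table size, 0..2048; 0 empties the table
        self.ratelimit = ratelimit    # logged packets per second, 0..5000
        self.threshold = threshold    # 0 means no threshold configured
        self.interval = interval      # assumed reporting interval in seconds
        self.flows = {}               # (src, dst, proto) -> [count, first_seen]
        self.window = {}              # second -> packets accepted in that second
        self.messages = []
        self.dropped_by_hardware = 0  # packets over the rate limit
        self.dropped_by_software = 0  # new flows that did not fit in the table

    def denied_packet(self, ts, src, dst, proto):
        """Feed one denied (action drop log) packet; return what happened to it."""
        sec = int(ts)
        if self.window.get(sec, 0) >= self.ratelimit:
            self.dropped_by_hardware += 1       # "dropped by the hardware"
            return "dropped-ratelimit"
        self.window[sec] = self.window.get(sec, 0) + 1
        key = (src, dst, proto)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.maxflow:
                self.dropped_by_software += 1   # "dropped by the software"
                return "dropped-table-full"
            flow = self.flows[key] = [0, ts]
        flow[0] += 1
        # threshold reached before the interval elapsed: message generated now
        if self.threshold and flow[0] >= self.threshold and ts - flow[1] < self.interval:
            self.messages.append(f"{proto} {src} -> {dst}: {flow[0]} packets")
            del self.flows[key]
            return "logged"
        return "counted"


def demo():
    """Constructed traffic against deliberately tiny limits to show each outcome."""
    m = VaclLogModel(maxflow=2, ratelimit=3, threshold=2)
    results = [
        m.denied_packet(0.0, "10.0.0.1", "10.0.1.1", "tcp"),  # new flow, counted
        m.denied_packet(0.1, "10.0.0.2", "10.0.1.1", "tcp"),  # new flow, counted
        m.denied_packet(0.2, "10.0.0.3", "10.0.1.1", "tcp"),  # table full
        m.denied_packet(0.3, "10.0.0.1", "10.0.1.1", "tcp"),  # 4th packet this second
        m.denied_packet(1.0, "10.0.0.1", "10.0.1.1", "tcp"),  # threshold hit, logged
    ]
    return results, m
```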
Configuring TCP Intercept
With Supervisor Engine 2 and PFC2, TCP intercept flows are processed in hardware.
With Supervisor Engine 1 and PFC, TCP intercept flows are processed in software.
For configuration procedures, refer to the Cisco IOS Security Configuration Guide, Release 12.1, “Traffic Filtering and Firewalls,” “Configuring TCP Intercept,” at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm
Cisco 7600 Series Router Cisco IOS Software Configuration