
Chapter 23 Configuring Network Security

Configuring TCP Intercept

These restrictions apply to VACL logging:

Supported only with Supervisor Engine 2.

Because of the rate-limiting function for redirected packets, VACL logging counters may not be accurate.

Only denied IP packets are logged.

To configure VACL logging, use the action drop log command in VLAN access map submode (see the “Configuring VACLs” section on page 23-11 for configuration information) and perform this task in global configuration mode to specify the global VACL logging parameters:

Command / Purpose

Step 1
Command: Router(config)# vlan access-log maxflow max_number
Purpose: Sets the log table size. The content of the log table can be deleted by setting the maxflow number to 0. The default is 500 with a valid range of 0 to 2048. When the log table is full, logged packets from new flows are dropped by the software.

Step 2
Command: Router(config)# vlan access-log ratelimit pps
Purpose: Sets the maximum redirect VACL logging packet rate. The default packet rate is 2000 packets per second with a valid range of 0 to 5000. Packets exceeding the limit are dropped by the hardware.

Step 3
Command: Router(config)# vlan access-log threshold pkt_count
Purpose: Sets the logging threshold. A logging message is generated if the threshold for a flow is reached before the 5-minute interval. By default, no threshold is set.

Step 4
Command: Router(config)# exit
Purpose: Exits VLAN access map configuration mode.

Step 5
Command: Router# show vlan access-log config
Purpose: (Optional) Displays the configured VACL logging properties.

Step 6
Command: Router# show vlan access-log flow protocol {{src_addr src_mask} | any | {host {hostname | host_ip}}} {{dst_addr dst_mask} | any | {host {hostname | host_ip}}} [vlan vlan_id]
Purpose: (Optional) Displays the content of the VACL log table.

Step 7
Command: Router# show vlan access-log statistics
Purpose: (Optional) Displays packet and message counts and other statistics.


This example shows how to configure global VACL logging in hardware:

Router(config)# vlan access-log maxflow 800

Router(config)# vlan access-log ratelimit 2200

Router(config)# vlan access-log threshold 4000
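The following is an added sizing model, not Cisco code and not part of the manual. It turns the three global parameters the task above documents (maxflow, ratelimit, threshold) into the CLI lines, then replays a constructed stream of denied packets against a simplified model of the behaviour the page describes: packets over the rate limit are dropped by hardware, new flows are dropped by software when the log table is full, and a message is generated when a flow reaches the threshold within the 5-minute interval. The platform's real accounting is not specified on the page beyond those sentences, so the per-second rate bucket and the per-flow window reset are assumptions made for illustration, as are the names VaclLogConfig, simulate and the sample flow keys.

```python
"""Sizing model for the global VACL logging parameters.

Added example, not Cisco code. Models, from the page's own description:
  - maxflow:   log table size (0..2048, default 500); new flows dropped when full
  - ratelimit: redirect packet rate (0..5000 pps, default 2000); excess dropped
  - threshold: per-flow packet count that triggers a message before the
               5-minute interval; no threshold by default
The per-second rate bucket and the window reset are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

INTERVAL_SECONDS = 300  # the page's 5-minute logging interval


@dataclass
class VaclLogConfig:
    maxflow: int = 500               # page: default 500, range 0 to 2048
    ratelimit: int = 2000            # page: default 2000 pps, range 0 to 5000
    threshold: Optional[int] = None  # page: no threshold is set by default

    def __post_init__(self) -> None:
        if not 0 <= self.maxflow <= 2048:
            raise ValueError("maxflow must be 0..2048")
        if not 0 <= self.ratelimit <= 5000:
            raise ValueError("ratelimit must be 0..5000 pps")
        if self.threshold is not None and self.threshold < 1:
            raise ValueError("threshold must be a positive packet count")

    def commands(self) -> List[str]:
        """Global configuration lines, in the order the task table gives them."""
        lines = [f"vlan access-log maxflow {self.maxflow}",
                 f"vlan access-log ratelimit {self.ratelimit}"]
        if self.threshold is not None:
            lines.append(f"vlan access-log threshold {self.threshold}")
        return lines


@dataclass
class VaclLogStats:
    redirected: int = 0     # packets that reached the logging software
    rate_dropped: int = 0   # dropped by hardware: over ratelimit in that second
    table_dropped: int = 0  # dropped by software: new flow while table is full
    messages: List[Tuple[float, str, int]] = field(default_factory=list)
    flows: Dict[str, int] = field(default_factory=dict)          # flow -> count
    window_start: Dict[str, float] = field(default_factory=dict)  # flow -> start


def simulate(cfg: VaclLogConfig, packets: Iterable[Tuple[float, str]]) -> VaclLogStats:
    """Replay (timestamp_seconds, flow_key) pairs. Pass only denied IP packets,
    since the page states only denied packets are logged."""
    stats = VaclLogStats()
    per_second: Dict[int, int] = defaultdict(int)
    for ts, flow in packets:
        # Assumed: the hardware rate limit behaves as a per-second bucket.
        per_second[int(ts)] += 1
        if per_second[int(ts)] > cfg.ratelimit:
            stats.rate_dropped += 1
            continue
        stats.redirected += 1
        # Software log table: a new flow needs a free slot (maxflow 0 = none).
        if flow not in stats.flows:
            if len(stats.flows) >= cfg.maxflow:
                stats.table_dropped += 1
                continue
            stats.flows[flow] = 0
            stats.window_start[flow] = ts
        # Assumed: the per-flow count restarts once the 5-minute window elapses.
        if ts - stats.window_start[flow] >= INTERVAL_SECONDS:
            stats.flows[flow] = 0
            stats.window_start[flow] = ts
        stats.flows[flow] += 1
        # Threshold message: the flow hit the count before the interval ended.
        if cfg.threshold is not None and stats.flows[flow] == cfg.threshold:
            stats.messages.append((ts, flow, cfg.threshold))
    return stats


# Constructed traffic: three flows in one second, then one more packet a second later.
SAMPLE_PACKETS = [(0.0, "A"), (0.1, "B"), (0.2, "C"), (0.3, "A"), (1.0, "A")]


def demo() -> VaclLogStats:
    """Deliberately tiny limits so both drop paths and the threshold all fire."""
    return simulate(VaclLogConfig(maxflow=2, ratelimit=3, threshold=2), SAMPLE_PACKETS)


if __name__ == "__main__":
    print("\n".join(VaclLogConfig(800, 2200, 4000).commands()))
    s = demo()
    print(f"redirected={s.redirected} rate_dropped={s.rate_dropped} "
          f"table_dropped={s.table_dropped} messages={s.messages}")
```

Running the module prints the three configuration lines from the example above and then the counters for the constructed stream; the rate_dropped and table_dropped counts are the reason the page warns that VACL logging counters may not be accurate, and raising ratelimit or maxflow within their documented ranges shows directly how many denied packets would otherwise go unrecorded.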

Configuring TCP Intercept

With Supervisor Engine 2 and PFC2, TCP intercept flows are processed in hardware.

With Supervisor Engine 1 and PFC, TCP intercept flows are processed in software.

For configuration procedures, refer to the Cisco IOS Security Configuration Guide, Release 12.1, “Traffic Filtering and Firewalls,” “Configuring TCP Intercept,” at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm

 

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E

23-18

78-14064-04
