Cisco Systems 7600 SERIES Configuring TCP Intercept

23-18

Cisco7600 Series Router Cisco IOS Software Configuration Guide—12.1E

78-14064-04

Chapter23 Con figuring Network Security

Configuring TCP Intercept

These restrictions apply to VACL logging:

•Supported only with Supervisor Engine 2.

•Because of the rate-limiting function for redirected packets, VACL logging counters may not be

accurate.

•Only denied IP packets are logged.

To configure VACL logging, use the action drop log command action in VLAN access map submode

(see the “Configuring VACLs” section on page 23-11 for configuration information) and perform this

task in global configuration mode to specify the global VACL logging parameters:

This example shows how to configure global VACL logging in hardware:

Router(config)# vlan access-log maxflow 800

Router(config)# vlan access-log ratelimit 2200

Router(config)# vlan access-log threshold 4000

Configuring TCP Intercept

With Supervisor Engine 2 and PFC2, TCP intercept flows are processed in hardware.

With Supervisor Engine 1 and PFC, TCP intercept flows are processed in software.

For configuration procedures, refer to the Cisco IOS Security Configuration Guide, Release 12.1,

“Traffic Filtering and Firewalls,” “Configuring TCP Intercept,” at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scddenl.htm

Command Purpose

Step1 Router(config)# vlan access-log maxflow

max_number

Sets the log table size. The content of the log table can be

deleted by setting the maxflow number to 0. The default

is 500 with a valid range of 0 to 2048. When the log table

is full, logged packets from new flows are dropped by the

software.

Step2 Router(config)# vlan access-log ratelimit pps Sets the maximum redirect VACL logging packet rate.

The default packet rate is 2000 packets per second with a

valid range of 0 to 5000. Packets exceeding the limit are

dropped by the hardware.

Step3 Router(config)# vlan access-log threshold

pkt_count

Sets the logging threshold. A logging message is generated

if the threshold for a flow is reached before the 5-minute

interval. By default, no threshold is set.

Step4 Router(config)# exit Exits VLAN access map configuration mode.

Step5 Router# show vlan access-log config (Optional) Displays the configured VACL logging

properties.

Step6 Router# show vlan access-log flow protocol

{{src_addr src_mask} | any | {host {hostname |

host_ip}}} {{dst_addr dst_mask} | any | {host

{hostname | host_ip}}}

[vlan vlan_id]

(Optional) Displays the content of the VACL log table.

Step7 Router# show vlan access-log statistics (Optional) Displays packet and message counts and other

statistics.