- Neighbor router authentication
- Event logging
CBAC uses timeouts and thresholds to determine how long to keep state for a session and when to drop a session whose connection attempt has failed (a half-open session). CBAC inspects TCP and UDP traffic only, not ICMP. The following commands show how to configure CBAC.
ip inspect alert-off – disable real-time alert messages (alerts are on by default)
ip inspect audit-trail – enable logging of session information (addresses, ports and bytes transferred)
ip inspect dns-timeout – specify the idle timeout for DNS name lookup sessions
ip inspect hashtable-size – specify the size of the session hash table
ip inspect max-incomplete [low | high] – specify the number of half-open (incomplete) sessions at which the software starts (high) and stops (low) deleting half-open sessions
ip inspect one-minute [low | high] – specify the rate of new unestablished TCP sessions per minute at which the software starts (high) and stops (low) deleting half-open sessions
ip inspect udp idle-time – specify the idle timeout for UDP sessions
ip inspect tcp [finwait-time | idle-time | max-incomplete | synwait-time] – configure timeout values for TCP connections
-finwait-time – specify the timeout for a TCP session after the firewall detects a FIN exchange
-idle-time – specify the TCP session idle timeout
-max-incomplete host <number> block-time <minutes> – specify the maximum number of half-open sessions allowed per destination host, and how long new connections to that host are blocked once the limit is exceeded
-synwait-time – specify how long the software waits for a TCP session to reach the established state after a SYN
ip inspect name <inspection-name> <protocol> [timeout <seconds>] – define a CBAC inspection rule for a protocol, e.g. tcp, udp, http, smtp and others
show ip inspect all – show the complete CBAC configuration and all existing sessions
show ip inspect config – show the complete CBAC inspection configuration
show ip inspect name <inspection-name> – show a particular inspection rule
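The commands above are global settings; they only take effect once an inspection rule is created and applied to an interface together with an access list that blocks unsolicited inbound traffic. The following is an added example configuration, not taken from the original page or any Cisco document, showing how the pieces fit together. The inspection rule name OUTBOUND, the access list number 101, the interface name GigabitEthernet0/0 and the timeout values are assumptions chosen for illustration.

```cisco
! Added example (not from the original page). Names, interface and values are assumed.
! Global CBAC behaviour: log session open/close events instead of real-time alerts.
ip inspect audit-trail
!
! Timeouts: how long state is kept for each session type.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect dns-timeout 5
!
! Thresholds: start deleting half-open sessions at "high", stop at "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host limit on half-open sessions; block-time 0 means only the oldest
! half-open session is dropped rather than blocking the host for a period.
ip inspect tcp max-incomplete host 50 block-time 0
!
! Inspection rule: protocols whose outbound sessions CBAC tracks so that the
! matching return traffic is allowed back in through the inbound access list.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND http timeout 3600
ip inspect name OUTBOUND smtp
!
! Inbound access list on the outside interface: deny everything that CBAC has
! not dynamically opened a hole for. Logging the denies feeds the audit trail.
access-list 101 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (untrusted)
 ip access-group 101 in
 ip inspect OUTBOUND out
!
! Verification after applying the configuration:
!   show ip inspect config      - confirm timeouts, thresholds and the rule
!   show ip inspect sessions    - list sessions CBAC is currently tracking
!   show ip inspect name OUTBOUND
```

The inspection rule is applied outbound on the outside interface, so only sessions initiated from the inside create dynamic entries; traffic arriving from outside that does not match a tracked session is dropped by access list 101. Lowering the max-incomplete and one-minute values below the defaults (shown here) makes the router react sooner to a burst of half-open connections at the cost of dropping legitimate slow handshakes, so the values should be tuned against the observed session rate before they are enforced.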