Hello experts,
I can use <ip tcp intercept> for several configuration features, and CBAC's
ip inspect has what appears to be some of the same features, but the command
<ip tcp intercept drop-mode> lets me choose to drop oldest or random, and I
can't seem to find an explanation as to why I don't have the same option
with <ip inspect> commands. Is it that there are no configuration adjustments
available on how CBAC decides to drop half-open connections, or am I missing
how to configure it?
For instance, if I were to configure ip tcp intercept, I might use the
following config:
<code>
! traffic to the protected server that TCP intercept watches
access-list 101 permit ip any host 10.1.12.1
ip tcp intercept list 101
! intercept mode: the router completes the handshake on the server's behalf
ip tcp intercept mode intercept
! seconds a half-open connection may sit before it is reset
ip tcp intercept connection-timeout 5
! aggressive mode starts above "high" and ends below "low"
ip tcp intercept max-incomplete low 5 high 10
ip tcp intercept one-minute low 10 high 20
! in aggressive mode, which half-open connection is dropped: oldest or random
ip tcp intercept drop-mode oldest
</code>
If I were to create a similar config with ip inspect, I might use the
following:
<code>
! inspection rule set; apply it with "ip inspect CBAC in" on the appropriate interface
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
! seconds to wait for the handshake to complete before the session is dropped
ip inspect tcp synwait-time 5
! aggressive mode starts above "high" and ends below "low"
ip inspect max-incomplete low 5
ip inspect max-incomplete high 10
ip inspect one-minute low 10
ip inspect one-minute high 20
</code>
Again, I don't see how I would configure a drop mode with ip inspect.
Thanks in advance for any help!
Blogs and organic groups at http://www.ccie.net
Received on Wed Sep 14 2011 - 18:13:29 ART
This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART
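Added example, not from the thread and not Cisco code: a small Python model of the half-open connection policing the question is about, using the thresholds from the two configs above (max-incomplete low 5 / high 10, one-minute low 10 / high 20) and both drop modes. The model is an assumption, simplified from the documented TCP intercept behaviour: aggressive mode starts when the half-open count exceeds max-incomplete high or the trailing-minute attempt rate exceeds one-minute high; while aggressive, each new SYN first evicts one existing half-open session (oldest or random); aggressive mode ends when both counts are below their low thresholds. The client address 198.51.100.7 and the SYN-flood scenario are constructed; 10.1.12.1 is the server from the post.

```python
import random
from collections import OrderedDict, deque


class HalfOpenPolicer:
    """Polices half-open (SYN seen, handshake unfinished) TCP sessions.

    Assumed, simplified model of IOS aggressive mode; not Cisco's code.
    """

    def __init__(self, max_low, max_high, minute_low, minute_high,
                 drop_mode="oldest", seed=0):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop_mode must be 'oldest' or 'random'")
        self.max_low, self.max_high = max_low, max_high
        self.minute_low, self.minute_high = minute_low, minute_high
        self.drop_mode = drop_mode
        self.rng = random.Random(seed)      # seeded so runs are reproducible
        self.half_open = OrderedDict()      # flow -> SYN time, oldest first
        self.attempts = deque()             # SYN times in the trailing minute
        self.aggressive = False
        self.evicted = []                   # flows dropped, in order

    def _attempts_last_minute(self, now):
        # forget attempts older than 60 s, then count what is left
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _evict_one(self):
        # drop-mode oldest: FIFO; drop-mode random: any half-open session
        if not self.half_open:
            return
        if self.drop_mode == "oldest":
            flow = next(iter(self.half_open))
        else:
            flow = self.rng.choice(list(self.half_open))
        del self.half_open[flow]
        self.evicted.append(flow)

    def _update_mode(self, now):
        n = len(self.half_open)
        rate = self._attempts_last_minute(now)
        if n > self.max_high or rate > self.minute_high:
            self.aggressive = True          # above a "high" threshold
        elif n < self.max_low and rate < self.minute_low:
            self.aggressive = False         # below both "low" thresholds

    def syn(self, flow, now):
        """A new SYN for flow (src, sport, dst, dport) arriving at time now."""
        self.attempts.append(now)
        self._update_mode(now)
        if self.aggressive:
            self._evict_one()               # make room at an old session's expense
        self.half_open[flow] = now
        self._update_mode(now)

    def complete(self, flow, now):
        """Handshake finished (or session reset): flow is no longer half-open."""
        self.half_open.pop(flow, None)
        self._update_mode(now)


def simulate_flood(drop_mode, n_syns=40):
    """Constructed scenario: one client sends a SYN per second to the server
    and never finishes a handshake, the shape of a SYN flood."""
    p = HalfOpenPolicer(max_low=5, max_high=10, minute_low=10, minute_high=20,
                        drop_mode=drop_mode)
    for i in range(n_syns):
        p.syn(("198.51.100.7", 40000 + i, "10.1.12.1", 80), now=float(i))
    return p


def recover(p, now):
    """Every remaining half-open session completes (or times out) at time now;
    once counts fall below the low thresholds, aggressive mode ends."""
    for flow in list(p.half_open):
        p.complete(flow, now)
    return p.aggressive


if __name__ == "__main__":
    for mode in ("oldest", "random"):
        p = simulate_flood(mode)
        print(mode, "half-open:", len(p.half_open), "evicted:", len(p.evicted),
              "first evicted port:", p.evicted[0][1])
```

With these thresholds the table settles at eleven half-open sessions and every further SYN costs one existing session; "oldest" evicts strictly in arrival order, while "random" leaves some old entries behind, which is the visible difference between the two drop modes.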