Re: CBAC Studies

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Thu, 15 Sep 2011 08:27:19 +0200

Hi Jazz,

Here's what you're looking for:

"When your router's DoS counters exceed the default or configured values,
the router will reset one old half-open connection for every new connection
that exceeds the configured max-incomplete or one-minute high values, until
the number of half-open sessions drops below the max-incomplete low values."

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8055e6ac.html

You cannot change this behavior.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2011/9/15 Jazz Sunn <jazzsunn_at_gmail.com>
> Hello experts,
>
> I can use <ip tcp intercept> for several configuration features, and CBAC's
> ip inspect has what appears to be some of the same features, but the command
> <ip tcp intercept drop-mode> lets me choose to drop oldest or random, and I
> can't seem to find an explanation as to why I don't have the same option
> with <ip inspect> commands. Is it that there are no configuration adjustments
> available on how CBAC decides to drop half-open connections, or am I missing
> how to configure it?
>
> For instance, if I were to configure ip tcp intercept, I might use the
> following config:
> <code>
> access-list 101 permit ip any host 10.1.12.1
> ip tcp intercept list 101
> ip tcp intercept mode intercept
> ip tcp intercept connection-timeout 5
> ip tcp intercept max-incomplete low 5 high 10
> ip tcp intercept one-minute low 10 high 20
> ip tcp intercept drop-mode oldest
> </code>
>
> If I were to create a similar config with ip inspect, I might use the
> following:
> <code>
> ip inspect name CBAC tcp
> ip inspect name CBAC udp
> ip inspect name CBAC icmp
> ip inspect tcp synwait-time 5
> ip inspect max-incomplete low 5
> ip inspect max-incomplete high 10
> ip inspect one-minute low 10
> ip inspect one-minute high 20
> </code>
>
> Again, I don't see how I would configure a drop mode with ip inspect.
>
> Thanks in advance for any help!
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Thu Sep 15 2011 - 08:27:19 ART
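Added example, not code from the thread or from Cisco: a small Python model of the hysteresis Piotr's quoted passage describes (once half-open sessions exceed the high mark, each new connection attempt resets one existing half-open session until the count falls below the low mark). The class and function names and the `drop_mode` switch are constructed here; `drop_mode` only exists to contrast tcp intercept's oldest/random choice with CBAC, which always resets the oldest session.

```python
import random
from collections import OrderedDict


class HalfOpenTable:
    """Constructed teaching model of a router's half-open (embryonic) TCP table
    with max-incomplete low/high thresholds. Not IOS code."""

    def __init__(self, low, high, drop_mode="oldest", rng=None):
        assert low < high and drop_mode in ("oldest", "random")
        self.low, self.high, self.drop_mode = low, high, drop_mode
        self.rng = rng or random.Random(0)
        self.sessions = OrderedDict()  # insertion order == age, oldest first
        self.aggressive = False        # True while the DoS counters are tripped
        self.resets = []               # half-open sessions the router tore down

    def new_syn(self, key):
        """A new SYN arrives. Enter aggressive mode above 'high', leave it only
        once the table is below 'low' (values in between keep the current mode)."""
        n = len(self.sessions)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False
        if self.aggressive and self.sessions:
            if self.drop_mode == "oldest":           # CBAC and 'drop-mode oldest'
                victim = next(iter(self.sessions))
            else:                                    # 'drop-mode random' (tcp intercept only)
                victim = self.rng.choice(list(self.sessions))
            del self.sessions[victim]
            self.resets.append(victim)               # router sends RST to both ends
        self.sessions[key] = "SYN_RCVD"

    def complete(self, key):
        """Handshake finished or synwait-time expired: session is no longer half-open."""
        self.sessions.pop(key, None)

    def half_open(self):
        return len(self.sessions)


def run_flood(n_syns, low=5, high=10, drop_mode="oldest"):
    """Feed n_syns embryonic connections c1..cN (constructed input) into a table
    configured like the thread's 'max-incomplete low 5 high 10' example."""
    table = HalfOpenTable(low, high, drop_mode)
    for i in range(1, n_syns + 1):
        table.new_syn(f"c{i}")
    return table
```

With 13 SYNs the 12th and 13th attempts each cost the oldest session (c1, then c2); completing sessions only clears aggressive mode once the count drops below the low mark, which is why the low/high pair behaves as a hysteresis band rather than a single limit.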
