Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual page 310

Catalyst 6000 series software configuration guide
Using Cisco IOS ACLs in your Network
Reflexive ACLs
ICMP packets are handled in the software. For TCP/UDP flows, once the flow is established, they are handled in hardware. Note that when reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.
TCP Intercept
The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and binds the two half-connections together transparently. This process ensures that connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.
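The following is an added configuration example, not taken from the guide, showing how TCP intercept is turned on in Cisco IOS on the MSFC for the servers selected by an extended access list. The ACL number, the protected subnet, and the threshold values are constructed for illustration; the command names are standard IOS TCP intercept commands.

```cisco
! Extended ACL that selects which server connections TCP intercept protects.
! Only SYN packets matching a permit ACE here (and also permitted by the
! security ACL on the interface) are diverted to software for intercept.
! 10.1.1.0/24 is a constructed example subnet.
access-list 110 permit tcp any 10.1.1.0 0.0.0.255 eq www
access-list 110 permit tcp any 10.1.1.0 0.0.0.255 eq 443
!
! Bind TCP intercept to the ACL.
ip tcp intercept list 110
!
! Intercept mode: the MSFC answers the client's SYN on the server's behalf
! and only opens the server-side half-connection once the client completes
! the handshake. The alternative is watch mode, which lets the SYN through
! and resets the connection if it is not completed within watch-timeout:
!   ip tcp intercept mode watch
!   ip tcp intercept watch-timeout 20
ip tcp intercept mode intercept
!
! Aggressive-mode thresholds (constructed values): when the number of
! incomplete connections, or the rate of connection attempts per minute,
! exceeds the high mark, the oldest half-open connections are dropped until
! the count falls below the low mark.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! How long an established, intercepted connection may stay idle.
ip tcp intercept connection-timeout 3600
!
! Verification: half-open and established intercepted connections, and
! counters for attempts, completions and drops.
show tcp intercept connections
show tcp intercept statistics
```

When reading the counters, remember the hardware behaviour the guide describes for PFC2: the SYN packets themselves always go to software, and whether the rest of an established flow stays in software or receives a hardware shortcut depends on the intercept mode in use.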
The hardware support for TCP intercept on a PFC2 is as follows:
1. Once the TCP intercept feature has been configured, all TCP SYN packets matching the ACEs with a permit clause in the TCP intercept ACL and which are permitted by the security ACL are sent to the software to apply the TCP intercept functionality. This process occurs even if the security ACL does not have the SYN flag specified.
2. If a connection is established successfully, the following applies:
   a. If the TCP intercept is using intercept mode with timeout, all traffic belonging to the given connection/flow is handled in the software.
   b. For other modes of TCP intercept, once the connection is successfully established, the software installs a hardware shortcut to switch the rest of the flow in the hardware.
3. If a connection is not established successfully, there cannot be any other traffic belonging to that flow.
Policy Routing
Flows that require policy routing are handled in hardware or software depending on the route map. If the route map contains only a "match ip address" clause and the "set" clause contains the "next hop" and the next hop is reachable, then the packet is forwarded in hardware. When a route map contains multiple "match" clauses, all conditions imposed by these match clauses must be met before a packet is policy routed. However, for route maps containing both a match ip address and a match length clause, all traffic matching the ACL in the match ip address clause is forwarded to the software regardless of the match length criteria. For route maps that contain only match length clauses, all packets received on the interface are forwarded to the software.
Note
The mls ip pbr command is not required (and not supported) on PFC2.
WCCP
HTTP requests subject to WCCP redirection are handled in the software; HTTP replies from the server and the Cache Engine are handled in the hardware.
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
16-14
Chapter 16
Configuring Access Control
78-13315-02
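As an added example that is not part of the guide, the two route maps below contrast the policy-routing form the guide says a PFC2 forwards in hardware (a single "match ip address" with a reachable "set ip next-hop") against a form that adds "match length" and therefore pushes every packet matching the ACL to the MSFC software. The ACL number, prefixes, next-hop address and VLAN number are constructed.

```cisco
! Traffic selector for policy routing (10.2.0.0/16 is a constructed prefix).
access-list 120 permit ip 10.2.0.0 0.0.255.255 any
!
! Hardware-eligible form: one "match ip address" plus "set ip next-hop".
! Packets are policy routed by the PFC2 as long as 192.168.1.2 (constructed)
! is reachable; if the next hop is not reachable the packets fall back to
! normal routing.
route-map PBR-HW permit 10
 match ip address 120
 set ip next-hop 192.168.1.2
!
! Software form: the added "match length" clause means that everything
! matching ACL 120 is sent to the MSFC, whether or not the packet length is
! within 64-1400 bytes (constructed bounds), so the hardware path is lost for
! the whole ACL, not just for the out-of-range packets.
route-map PBR-SW permit 10
 match ip address 120
 match length 64 1400
 set ip next-hop 192.168.1.2
!
! Apply the hardware-eligible route map to the ingress VLAN interface
! (Vlan10 is a constructed interface). No "mls ip pbr" is needed on PFC2.
interface Vlan10
 ip policy route-map PBR-HW
!
! Verification: match counters per route-map sequence and which interfaces
! carry a policy.
show route-map PBR-HW
show ip policy
```

A practical check after applying either map is to compare the route-map match counters from "show route-map" with the MSFC CPU load: a policy that unexpectedly includes a length match, or whose next hop has become unreachable, shows up as software-switched traffic rather than as PFC2 forwarding.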