Reflexive Access Lists; Secure Shell (SSH) Supported in "k1" Images for Cisco uBR7200; Turbo Access Control Lists - Cisco 7246VXR - uBR Router Software Configuration Manual

For additional information, refer to the following document on Cisco.com:

"Telco Return for the Cisco Cable Modem Termination System" chapter in the Cisco Cable Modem
Termination System Feature Guide
http://www.cisco.com/en/US/docs/cable/cmts/feature/guide/cmtsfg.html

Reflexive Access Lists

Reflexive access lists allow IP packets to be filtered based on upper-layer session information. You can
use reflexive access lists to permit IP traffic for sessions originating from within your network but to
deny IP traffic for sessions originating from outside your network. This is accomplished by reflexive
filtering, a kind of session filtering.
Reflexive access lists can be defined with extended named IP access lists only. You cannot define reflexive
access lists with numbered or standard named IP access lists, or with other protocol access lists. You can use
reflexive access lists in conjunction with other standard access lists and static extended access lists.
Reflexive access lists are an important part of securing your network against network hackers, and can
be included in a firewall defense. Reflexive access lists provide a level of security against spoofing and
certain denial-of-service attacks. Reflexive access lists are simple to use, and, compared to basic access
lists, provide greater control over which packets enter your network.
For additional information, refer to the following document on Cisco.com:

Configuring IP Session Filtering (Reflexive Access Lists)
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html
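The session filtering described above, as an added Python model (not Cisco code and not IOS configuration syntax): an outbound packet "reflects" a mirrored temporary entry, an inbound packet is "evaluated" against those entries, and an entry disappears once it has been idle for the timeout. The 300-second idle timeout, the addresses and ports, and the simplified TCP handling (no connection-teardown tracking) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed model, not Cisco IOS code: outbound sessions create temporary mirrored
# permit entries that inbound packets are checked against, so only replies get in.

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

@dataclass
class ReflexiveList:
    timeout: int = 300                 # idle seconds before an entry is removed (assumed default)
    entries: Dict[Key, int] = field(default_factory=dict)   # mirrored 5-tuple -> expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        """Outbound packet: create or refresh the mirrored inbound permit entry."""
        key: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        """Inbound packet: permit only if a live mirrored entry exists for it."""
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)        # idle entry has expired
            return False
        self.entries[key] = now + self.timeout # matching traffic keeps the entry alive
        return True

def demo() -> Dict[str, bool]:
    """Constructed traffic: one inside-originated HTTPS session and an unsolicited probe."""
    acl = ReflexiveList()
    inside, web, outsider = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    acl.reflect(Packet("tcp", inside, 40000, web, 443), now=0)
    return {
        "reply_permitted": acl.evaluate(Packet("tcp", web, 443, inside, 40000), now=10),
        "unsolicited_denied": not acl.evaluate(Packet("tcp", outsider, 12345, inside, 22), now=10),
        "wrong_port_denied": not acl.evaluate(Packet("tcp", web, 443, inside, 40001), now=10),
        "expired_denied": not acl.evaluate(Packet("tcp", web, 443, inside, 40000), now=311),
    }

if __name__ == "__main__":
    print(demo())
```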

Secure Shell (SSH) Supported in "k1" Images for Cisco uBR7200

In Cisco IOS Release 12.1 T, the definition of "k1" images for Cisco uBR924 cable access routers was
changed from support for BPI only, to also include support for Secure Shell (SSH). This change caused
an inconsistency with Cisco uBR7200 series images, since the definition of "k1" for the Cisco uBR7200
was not changed and did not include SSH.
Cisco uBR7200 series universal broadband routers support the Cisco IOS Firewall feature. This feature set
offers Network Address Translation (NAT) and is designed to prevent unauthorized external access to your
internal network, blocking attacks on your network while still allowing authorized users to access network
resources. This feature is described in detail in the Cisco IOS Firewall web page on Cisco.com.

Turbo Access Control Lists

The Turbo Access Control List (ACL) feature processes access lists more quickly, providing faster
filtering on routers equipped with the feature. ACLs are normally searched sequentially to find a
matching rule, and ACLs are ordered specifically to take this factor into account. Because of the increasing
needs and requirements for security filtering and packet classification, ACLs can grow to the point that
searching the ACL adds a significant amount of time and memory to the forwarding of each packet.
Moreover, the time taken by the router to search the list is not always consistent, adding a variable latency to
packet forwarding. Searching an ACL with several entries requires a high CPU load.
The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match
requirements. Packet headers are used to access these tables in a small, fixed number of lookups,
independently of the existing number of ACL entries. The benefits of this feature include:
For ACLs larger than 3 entries, the CPU load required to match the packet to the predetermined
packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the ACL, allowing for
larger ACLs without incurring any CPU overhead penalties. The larger the ACL, the greater the benefit.

Cisco uBR7200 Series Universal Broadband Router Software Configuration Guide, Chapter 1, Overview of
Cisco uBR7200 Series Software (OL-2239-05)
