Permitting Or Denying Application Types With Pisa Integration - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI

Chapter 21
Configuring Advanced Connection Features


where policy_map_name is the policy map you configured in Step 2. To apply the policy map to traffic on all the interfaces, use the global keyword. To apply the policy map to traffic on a specific interface, use the interface interface_name option, where interface_name is the name assigned to the interface with the nameif command.
Only one global policy is allowed. You can override the global policy on an interface by applying a
service policy to that interface. You can only apply one policy map to each interface.
The following example sets the maximum TCP and UDP connections to 5000, the maximum connections
per second to 500, and sets the maximum embryonic timeout to 40 seconds, the half-closed timeout to
20 minutes, and the idle timeout to 2 hours for traffic going to 10.1.1.1:
hostname(config)# access-list CONNS permit ip any host 10.1.1.1
hostname(config)# class-map conns
hostname(config-cmap)# match access-list CONNS
hostname(config-cmap)# policy-map conns
hostname(config-pmap)# class conns
hostname(config-pmap-c)# set connection conn-max 5000 conn-rate-limit 500
hostname(config-pmap-c)# set connection timeout embryonic 0:0:40 half-closed 0:20:0
hostname(config-pmap-c)# set connection timeout idle 2:0:0
hostname(config-pmap-c)# service-policy conns interface outside
You can enter set connection commands with multiple parameters or you can enter each parameter as a
separate command. The FWSM combines the commands into one line in the running configuration. For
example, if you entered the following two commands in class configuration mode:
hostname(config-pmap-c)# set connection timeout embryonic 0:0:40
hostname(config-pmap-c)# set connection timeout half-closed 0:20:0
the output of the show running-config policy-map command would display the result of the two
commands in a single, combined command:
set connection timeout embryonic 0:0:40 half-closed 0:20:0
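The two rules stated above (only one global policy; only one policy map per interface) and the way the FWSM folds separate set connection commands into one running-config line are easy to get wrong when a configuration is assembled from several change requests. The following is an added example, not code from the Cisco guide or from the FWSM: a small offline checker that applies those two rules to service-policy lines and reproduces the combined form of the set connection lines for one class. The sample configuration text at the bottom is constructed for this example, and the first-seen keyword order in the merged output is an assumption made here, chosen because it matches the combined line shown in the guide.

```python
"""Added example, not from the Cisco guide: an offline checker for the two
service-policy rules the text states and for the way the FWSM combines
separate `set connection` commands into one running-config line.
The sample configuration text at the bottom is constructed for this example."""
import re
from collections import OrderedDict

# service-policy <policy_map_name> {global | interface <interface_name>}
SERVICE_POLICY_RE = re.compile(
    r"^service-policy\s+(?P<policy>\S+)\s+"
    r"(?:(?P<global>global)|interface\s+(?P<ifname>\S+))\s*$")
# hh:mm:ss, the form used by the set connection timeout keywords
TIME_RE = re.compile(r"^\d+:[0-5]?\d:[0-5]?\d$")


def check_service_policies(lines):
    """Return a list of rule violations found among the service-policy lines.

    Rules from the guide: only one global policy is allowed, and only one
    policy map may be applied to each interface. An interface policy that
    overrides the global one is allowed and is not reported."""
    problems = []
    global_policies = []
    per_interface = OrderedDict()
    for raw in lines:
        m = SERVICE_POLICY_RE.match(raw.strip())
        if not m:
            continue
        policy = m.group("policy")
        if m.group("global"):
            global_policies.append(policy)
            if len(global_policies) > 1:
                problems.append(
                    f"second global policy '{policy}' (only one allowed; "
                    f"'{global_policies[0]}' is already global)")
        else:
            ifname = m.group("ifname")
            if ifname in per_interface and per_interface[ifname] != policy:
                problems.append(
                    f"interface '{ifname}' already has policy map "
                    f"'{per_interface[ifname]}'; cannot also apply '{policy}'")
            per_interface.setdefault(ifname, policy)
    return problems


def combine_set_connection(class_lines):
    """Merge the `set connection ...` lines of one class into the combined
    lines that `show running-config policy-map` would display.

    `set connection timeout ...` and plain `set connection ...` are separate
    commands and stay on separate lines. Keywords within a command are kept
    in first-seen order (an assumption for this example) and a keyword that
    is entered twice keeps the last value. Timeout values must be hh:mm:ss."""
    merged = OrderedDict()
    for raw in class_lines:
        tokens = raw.strip().split()
        if tokens[:2] != ["set", "connection"]:
            continue
        if len(tokens) > 2 and tokens[2] == "timeout":
            head, rest = "set connection timeout", tokens[3:]
        else:
            head, rest = "set connection", tokens[2:]
        if not rest or len(rest) % 2:
            raise ValueError(f"keyword without a value in: {raw.strip()}")
        pairs = merged.setdefault(head, OrderedDict())
        for keyword, value in zip(rest[::2], rest[1::2]):
            if head.endswith("timeout") and not TIME_RE.match(value):
                raise ValueError(f"'{value}' for {keyword} is not hh:mm:ss")
            pairs[keyword] = value
    return [f"{head} " + " ".join(f"{k} {v}" for k, v in pairs.items())
            for head, pairs in merged.items()]


# Constructed sample: the class from the guide's example, entered as
# separate commands, plus a second global policy that violates the rule.
SAMPLE_CLASS = """
set connection conn-max 5000 conn-rate-limit 500
set connection timeout embryonic 0:0:40
set connection timeout half-closed 0:20:0
set connection timeout idle 2:0:0
""".strip().splitlines()

SAMPLE_POLICIES = """
service-policy global_policy global
service-policy conns interface outside
service-policy other_policy global
""".strip().splitlines()

if __name__ == "__main__":
    for line in combine_set_connection(SAMPLE_CLASS):
        print(line)
    for problem in check_service_policies(SAMPLE_POLICIES):
        print("PROBLEM:", problem)
```

Run against a configuration exported with show running-config, the merged lines let you compare what was entered against what the FWSM actually stores, and the policy check catches a second global service-policy before it is pushed to the module.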
Permitting or Denying Application Types with PISA Integration
Note: This feature depends on Cisco IOS Release 12.2(18)ZYA or later, and is only available on the Catalyst 6500 switch.
The Programmable Intelligent Services Accelerator (PISA) on the switch supervisor can quickly
determine the application type of a given flow by performing deep packet inspection. This determination
can be made even if the traffic is not using standard ports. The FWSM can leverage the high-performance
deep packet inspection of the PISA card so that it can permit or deny traffic based on the application
type. Unlike the FWSM inspection feature, which passes through the control plane path, traffic that the
PISA tags can pass through the FWSM accelerated path. Another benefit of FWSM and PISA integration
is to consolidate your security configuration on a single FWSM instead of having to configure multiple
upstream switches with PISAs installed.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
21-4
OL-20748-01
