This chapter contains network security information unique to the Cisco 7600 series routers, which
supplements the network security information and procedures in these publications:
• Cisco IOS Security Configuration Guide, Release 12.1, at this URL:
Note: With Releases 12.1(11b)E and later releases, when you are in configuration mode, you can enter EXEC
mode-level commands by entering the do keyword before the EXEC mode-level command.
ACL Configuration Guidelines
The following guidelines apply to ACL configurations:
• Each type of ACL (IP, IPX, and MAC) filters only traffic of the corresponding type. A MAC ACL
never matches IP or IPX traffic.
• By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachable messages when
a packet is denied by an access group.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
78-14064-04
With the ip unreachables command enabled (which is the default), a Supervisor Engine 2 drops
most of the denied packets in hardware and sends only a small number of packets to the MSFC2 to
be dropped (10 packets per second, maximum), which generates ICMP-unreachable messages.
With the ip unreachables command enabled, a Supervisor Engine 1 sends all the denied packets to
the MSFC to be dropped, which generates ICMP-unreachable messages. With a Supervisor
Engine 1, to drop access list-denied packets in hardware, you must disable ICMP-unreachable
messages using the no ip unreachables interface configuration command.
To eliminate the load imposed on the MSFC CPU by the task of dropping denied packets and
generating ICMP-unreachable messages, do the following:
– With Supervisor Engine 1, enter the no ip unreachables interface configuration command.
– With Supervisor Engine 2, enter the no ip unreachables and the no ip redirects interface
configuration commands. (CSCdr33918)
• ICMP unreachable messages are not sent if a packet is denied by a VACL.
Hardware and Software ACL Support
Chapter 23 Configuring Network Security
Access control lists (ACLs) can be processed in hardware by the Policy Feature Card (PFC or PFC2),
the Distributed Forwarding Card (DFC), or in software by the Multilayer Switch Feature Card (MSFC
or MSFC2). The following behavior describes software and hardware handling of ACLs:
• ACL flows that match a “deny” statement in standard and extended ACLs (input and output) are
dropped in hardware if “ip unreachables” is disabled.
• ACL flows that match a “permit” statement in standard and extended ACLs (input and output) are
processed in hardware.
• VLAN ACL (VACL) flows are processed in hardware. If a field specified in a VACL is not supported
by hardware processing, that field is ignored (for example, the log keyword in an ACL) or the whole
configuration is rejected (for example, a VACL containing unsupported IPX ACL parameters).
• VACL logging is processed in software.
• Dynamic ACL flows are processed in the hardware; however, idle timeout is processed in software.
• IP accounting for an ACL access violation on a given port is supported by forwarding all denied
packets for that port to the MSFC for software processing without impacting other flows.
• Extended name-based MAC address ACLs are supported in hardware.
• The following ACL types are processed in software:
– Standard XNS access list
– Extended XNS access list
– DECnet access list
– Internetwork Packet Exchange (IPX) access lists
– Extended MAC address access list
– Protocol type-code access list
Note: IP packets with a header length of less than five will not be access controlled.
• Flows that require logging are processed in software without impacting nonlogged flow processing
in hardware.
• The forwarding rate for software-processed flows is substantially less than for hardware-processed
flows.
• When you enter the show ip access-list command, the match count displayed does not include
packets processed in hardware.
Guidelines and Restrictions for Using Layer 4 Operators in ACLs
These sections describe guidelines and restrictions when configuring ACLs that include Layer 4 port
operations:
• Determining Layer 4 Operation Usage
• Determining Logical Operation Unit Usage
Determining Layer 4 Operation Usage
You can specify these types of operations:
• gt (greater than)
• lt (less than)
• neq (not equal)
• eq (equal)
• range (inclusive range)
We recommend that you do not specify more than nine different operations on the same ACL. If you
exceed this number, each new operation might cause the affected ACE to be translated into more than
one ACE.
Use the following two guidelines to determine Layer 4 operation usage:
• Layer 4 operations are considered different if the operator or the operand differ. For example, in this
ACL there are three different Layer 4 operations (“gt 10” and “gt 11” are considered two different
Layer 4 operations):
... gt 10 permit
... lt 9 deny
... gt 11 deny
Note: There is no limit to the use of “eq” operators as the “eq” operator does not use a logical
operation unit (LOU) or a Layer 4 operation bit. See the “Determining Logical Operation
Unit Usage” section for a description of LOUs.
• Layer 4 operations are considered different if the same operator/operand couple applies once to a
source port and once to a destination port. For example, in this ACL there are two different Layer 4
operations because one ACE applies to the source port and one applies to the destination port.
... Src gt 10 ...
... Dst gt 10
Determining Logical Operation Unit Usage
Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs.
There can be up to 32 LOUs; each LOU can store two different operator-operand couples with the
exception of the range operator. LOU usage per Layer 4 operation is as follows:
• gt uses 1/2 LOU
• lt uses 1/2 LOU
• neq uses 1/2 LOU
• range uses 1 LOU
• eq does not require a LOU
For example, this ACL would use a single LOU to store two different operator-operand couples:
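The counting rules from this section and from “Determining Layer 4 Operation Usage”, combined in an added Python example that is not part of the Cisco guide. The ACE lines are constructed sample input, the function names are hypothetical, and the pairing of two half-LOU couples into one LOU is an assumption drawn from the figures above; the count covers only the lines passed in.

```python
import math

# Constructed sample: ACE bodies of one extended IP ACL (not taken from the guide).
SAMPLE_ACL = """\
permit tcp any gt 10 any
deny tcp any lt 9 any
deny tcp any gt 11 any
permit tcp any any gt 10
permit udp any any range 5000 5010
permit tcp any any eq 80
""".splitlines()

OPERATORS = ("gt", "lt", "neq", "eq", "range")
MAX_LOUS = 32         # "There can be up to 32 LOUs"
RECOMMENDED_OPS = 9   # recommended ceiling of different operations per ACL

def _skip_addr(tok, i):
    """Step over 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    return i + 1 if i < len(tok) and tok[i] == "any" else i + 2

def _port_op(tok, i):
    """Return ((operator, operand), next_index), or (None, i) if no port operator."""
    if i < len(tok) and tok[i] in OPERATORS:
        n = 3 if tok[i] == "range" else 2
        return (tok[i], " ".join(tok[i + 1:i + n])), i + n
    return None, i

def l4_operations(ace_lines):
    """Distinct (side, operator, operand) couples; side is 'src' or 'dst'."""
    ops = set()
    for line in ace_lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] not in ("tcp", "udp"):
            continue
        src, i = _port_op(tok, _skip_addr(tok, 2))
        dst, _ = _port_op(tok, _skip_addr(tok, i))
        ops.update((side,) + op for side, op in (("src", src), ("dst", dst)) if op)
    return ops

def lou_report(ace_lines):
    """Count operations and LOUs; 'eq' is excluded because it uses neither."""
    ops = [o for o in l4_operations(ace_lines) if o[1] != "eq"]
    ranges = sum(1 for o in ops if o[1] == "range")   # range: 1 LOU each
    halves = len(ops) - ranges                        # gt, lt, neq: 1/2 LOU each
    lous = ranges + math.ceil(halves / 2)             # assumed: two couples share one LOU
    return {"operations": len(ops), "lous": lous,
            "over_recommended": len(ops) > RECOMMENDED_OPS,
            "over_lou_capacity": lous > MAX_LOUS}
```

For the sample, “gt 10” on the source port and “gt 10” on the destination port are counted separately, and the “eq 80” ACE adds nothing to either total.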
Configuring the Cisco IOS Firewall Feature Set
Note: Release 12.1(11b)E and later releases include firewall feature set images.
These sections describe configuring the Cisco IOS firewall feature set on the Cisco 7600 series routers:
• Cisco IOS Firewall Feature Set Support Overview
• Firewall Configuration Guidelines and Restrictions
• Configuring CBAC on Cisco 7600 Series Routers
Cisco IOS Firewall Feature Set Support Overview
The firewall feature set images support these Cisco IOS firewall features:
• Context-based Access Control (CBAC)
• Port-to-Application Mapping (PAM)
• Authentication Proxy
These are the firewall feature set image names:
• c6sup22-jo3sv-mz
• c6sup22-po3sv-mz
• c6sup12-jo3sv-mz
• c6sup12-po3sv-mz
For more information about Cisco IOS firewall features, refer to the Cisco IOS Security Configuration
Guide, Release 12.1, “Traffic Filtering and Firewalls” online publications:
• The “Cisco IOS Firewall Overview” chapter at this URL:
The following features are supported with and without the use of a Cisco IOS firewall image:
• Standard access lists and static extended access lists
• Lock-and-key (dynamic access lists)
• IP session filtering (reflexive access lists)
• TCP intercept
• Security server support
• Network address translation
• Neighbor router authentication
• Event logging
• User authentication and authorization
Note: Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS).
Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with
the ip audit command.
Firewall Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring the Cisco IOS firewall features:
Restrictions
• On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other
ports to permit the inspected traffic to flow through the network device. On Cisco 7600 series
routers, you must enter the mls ip inspect commands to permit traffic through any ACLs that would
deny the traffic through other ports. See the “Configuring CBAC on Cisco 7600 Series Routers”
section.
• With Supervisor Engine 2 and PFC2, reflexive ACLs and CBAC have conflicting flow mask
requirements. When you configure CBAC on a switch with Supervisor Engine 2 and PFC2, reflexive
ACLs are processed in software on the MSFC2.
• CBAC is incompatible with VACLs. You can configure both CBAC and VACLs on the switch but
not in the same subnet (VLAN) or on the same interface.
Note: The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the
IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface
command, where acl_name is configured to select traffic for the IDSM.
Guidelines
• To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.
• To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http
inspection to block Java.
• You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN
interfaces.
• QoS and CBAC do not interact or interfere with each other.
Configuring CBAC on Cisco 7600 Series Routers
You need to do additional CBAC configuration on the Cisco 7600 series routers. On a network device
other than a Cisco 7600 series router, when ports are configured to deny traffic, CBAC permits traffic to
flow bidirectionally through the port if it is configured with the ip inspect command. The same behavior
applies to any other port that the traffic needs to go through, as shown in this example:
Router(config)# ip inspect name permit_ftp ftp
Router(config)# interface vlan 100
Router(config-if)# ip inspect permit_ftp in
Router(config-if)# ip access-group deny_ftp_a in
Router(config-if)# ip access-group deny_ftp_b out
Router(config-if)# exit
Router(config)# interface vlan 200
Router(config-if)# ip access-group deny_ftp_c in
Router(config-if)# ip access-group deny_ftp_d out
Router(config-if)# exit
Router(config)# interface vlan 300
Router(config-if)# ip access-group deny_ftp_e in
Router(config-if)# ip access-group deny_ftp_f out
Router(config-if)# end
If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC permits the FTP traffic
through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_c, and deny_ftp_d. If another FTP session enters on
VLAN 100 and needs to leave on VLAN 300, CBAC permits the FTP traffic through ACLs deny_ftp_a,
deny_ftp_b, deny_ftp_e, and deny_ftp_f.
On a Cisco 7600 series router, when ports are configured to deny traffic, CBAC permits traffic to flow
bidirectionally only through the port configured with the ip inspect command. You must configure other
ports with the mls ip inspect command.
If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC on a Cisco 7600 series
router permits the FTP traffic only through ACLs deny_ftp_a and deny_ftp_b. To permit the traffic
through ACLs deny_ftp_c and deny_ftp_d, you must enter the mls ip inspect deny_ftp_c and mls ip inspect deny_ftp_d commands, as shown in this example:
Router(config)# mls ip inspect deny_ftp_c
Router(config)# mls ip inspect deny_ftp_d
With the example configuration, FTP traffic cannot leave on VLAN 300 unless you enter the mls ip
inspect deny_ftp_e and mls ip inspect deny_ftp_f commands. Enter the show fm insp [detail]
command to verify the configuration.
The show fm insp [detail] command displays the list of ACLs and ports on which CBAC is configured
and the status (ACTIVE or INACTIVE), as shown in this example:
Router# show fm insp
interface:Vlan305(in) status :ACTIVE
acl name:deny
interfaces:
Vlan305(out):status ACTIVE
On VLAN 305, inspection is active in the inbound direction and no ACL exists. ACL deny is applied on
VLAN 305 in the outbound direction and inspection is active.
To display all of the flow information, use the detail keyword.
If a VACL is configured on the port before configuring CBAC, the status displayed is INACTIVE;
otherwise, it is ACTIVE. If PFC resources are exhausted, the command displays the word “BRIDGE”
followed by the number of currently active NetFlow requests that failed, which have been sent to the
MSFC2 for processing.
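The configuration requirement described in this section can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Cisco guide: the configuration text is a constructed fragment modeled on the FTP example above, the function names are hypothetical, and it conservatively lists every ACL on a non-inspecting interface without evaluating whether that ACL would actually deny the inspected traffic.

```python
import re

# Constructed running-config fragment mirroring the guide's FTP example.
SAMPLE_CONFIG = """\
ip inspect name permit_ftp ftp
mls ip inspect deny_ftp_c
mls ip inspect deny_ftp_d
interface Vlan100
 ip inspect permit_ftp in
 ip access-group deny_ftp_a in
 ip access-group deny_ftp_b out
interface Vlan200
 ip access-group deny_ftp_c in
 ip access-group deny_ftp_d out
interface Vlan300
 ip access-group deny_ftp_e in
 ip access-group deny_ftp_f out
"""

def parse(config):
    """Return (interfaces, acl names that appear in 'mls ip inspect' commands)."""
    ifaces, mls, cur = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur = None                      # a top-level line ends the interface block
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"inspect": False, "acls": []})
        elif m := re.match(r"mls ip inspect (\S+)$", line):
            mls.add(m.group(1))
        elif cur is not None and (m := re.match(r"ip access-group (\S+) (in|out)$", line)):
            cur["acls"].append(m.group(1))
        elif cur is not None and re.match(r"ip inspect \S+ (in|out)$", line):
            cur["inspect"] = True
    return ifaces, mls

def acls_missing_mls_inspect(config):
    """Map each non-inspecting interface to its ACLs that lack 'mls ip inspect'."""
    ifaces, mls = parse(config)
    if not any(i["inspect"] for i in ifaces.values()):
        return {}                           # CBAC is not configured anywhere
    missing = {}
    for name, i in ifaces.items():
        gaps = [a for a in i["acls"] if a not in mls]
        if not i["inspect"] and gaps:
            missing[name] = gaps
    return missing

print(acls_missing_mls_inspect(SAMPLE_CONFIG))
```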
Configuring MAC Address-Based Traffic Blocking
With 12.1(13)E and later releases, to block all traffic to or from a MAC address in a specified VLAN,
perform this task:
Command: Router(config)# mac-address-table static mac_address vlan vlan_ID drop
Purpose: Blocks all traffic to or from the configured MAC address in the specified VLAN.

Command: Router(config)# no mac-address-table static mac_address vlan vlan_ID
Purpose: Clears MAC address-based blocking.
This example shows how to block all traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:
Router# configure terminal
Router(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop
Configuring VLAN ACLs
Note: Releases 12.1(11b)E or later support VLAN ACLs (VACLs).
The following sections describe VACLs:
• Understanding VACLs
• Configuring VACLs
• Configuring VACL Logging
Understanding VACLs
These sections describe VACLs:
• VACL Overview
• Bridged Packets
• Routed Packets
• Multicast Packets
VACL Overview
VACLs can provide access control for all packets that are bridged within a VLAN or that are routed into
or out of a VLAN or, with releases 12.1(13)E or later, a WAN interface for VACL capture. Unlike regular
Cisco IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed
packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VACLs are
processed in hardware. VACLs use Cisco IOS ACLs. VACLs ignore any Cisco IOS ACL fields that are not
supported in hardware.
You can configure VACLs for IP, IPX, and MAC-Layer traffic. VACLs applied to WAN interfaces
support only IP traffic for VACL capture.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against
this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet
coming in to the VLAN is first checked against the VACL and, if permitted, is then checked against the
input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it