Chapter 23
Configuring Network Security

This chapter contains network security information unique to the Cisco 7600 series routers, which supplements the network security information and procedures in these publications:
• Cisco IOS Security Configuration Guide, Release 12.1, at this URL:
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/index.htm
• Cisco IOS Security Command Reference, Release 12.1, at this URL:
  http://www.cisco.com/univercd/cc/td/doc/product/softw
Hardware and Software ACL Support

With the ip unreachables command enabled (which is the default), a Supervisor Engine 2 drops most of the denied packets in hardware and sends only a small number of packets to the MSFC2 to be dropped (10 packets per second, maximum), which generates ICMP-unreachable messages. With the ip unreachables command enabled, a Supervisor Engine 1 sends all the denied packets to the MSFC to be dropped, which generates ICMP
Guidelines and Restrictions for Using Layer 4 Operators in ACLs

• Flows that require logging are processed in software without impacting nonlogged flow processing in hardware.
• The forwarding rate for software-processed flows is substantially less than for hardware-processed flows.
• When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware.

Guidelines and Restrictions for Using Laye
Configuring the Cisco IOS Firewall Feature Set

Determining Logical Operation Unit Usage

Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator-operand couples with the exception of the range operator. LOU usage per Layer 4 operation is as follows:
• gt uses 1/2 LOU
• lt uses 1/2 LOU
• neq uses 1/2 LOU
• range uses 1 LOU
• eq does not r
Configuring the Cisco IOS Firewall Feature Set

• Firewall Configuration Guidelines and Restrictions, page 23-6
• Configuring CBAC on Cisco 7600 Series Routers, page 23-6

Cisco IOS Firewall Feature Set Support Overview

The firewall feature set images support these Cisco IOS firewall features:
• Context-based Access Control (CBAC)
• Port-to-Application Mapping (PAM)
• Authentication Proxy

These are the firewall feature set image names:
• c6sup22-jo3sv-
Configuring the Cisco IOS Firewall Feature Set

Note: Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS). Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with the ip audit command.

Firewall Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring the Cisco IOS firewall features:

Restrictions
• On other platforms, if y
Configuring MAC Address-Based Traffic Blocking

Router(config-if)# exit
Router(config)# interface vlan 200
Router(config-if)# ip access-group deny_ftp_c in
Router(config-if)# ip access-group deny_ftp_d out
Router(config-if)# exit
Router(config)# interface vlan 300
Router(config-if)# ip access-group deny_ftp_e in
Router(config-if)# ip access-group deny_ftp_f out
Router(config-if)# end

If the FTP session enters on VLAN 100 and needs to leave on
Configuring VLAN ACLs

Command: Router(config)# mac-address-table static mac_address vlan vlan_ID drop
Purpose: Blocks all traffic to or from the configured MAC address in the specified VLAN.

Command: Router(config)# no mac-address-table static mac_address vlan vlan_ID
Purpose: Clears MAC address-based blocking.

This example shows how to block all traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:

Router# configure terminal
Router(config)# mac-address-table s
Configuring VLAN ACLs

is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.

Note
• VACLs and CBAC cannot be configured on the same interface.
• TCP Intercepts and Reflexive ACLs take precedence over a VACL action if these are configured o
Configuring VLAN ACLs

Routed Packets

Figure 23-2 shows how ACLs are applied on routed and Layer 3-switched packets. For routed or Layer 3-switched packets, the ACLs are applied in the following order:
1. VACL for input VLAN
2. Input Cisco IOS ACL
3. Output Cisco IOS ACL
4. VACL for output VLAN

[Figure 23-2 Applying VACLs on Routed Packets; figure labels: Routed, Output IOS ACL, Input IOS ACL, MSFC, VACL, Bridged, Catalyst 6500 series switches with MSFC, Host B]
Configuring VLAN ACLs

Multicast Packets

Figure 23-3 shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order:
1. Packets that need multicast expansion:
   a. VACL for input VLAN
   b. Input Cisco IOS ACL
2. Packets after multicast expansion:
   a. Output Cisco IOS ACL
   b. VACL for output VLAN (not supported with PFC2)
3. Packets originating from router—VACL for o
Configuring VLAN ACLs

• VLAN Access Map Configuration and Verification Examples, page 23-15
• Configuring a Capture Port, page 23-16

VACL Configuration Overview

VACLs use standard and extended Cisco IOS IP and IPX ACLs, MAC-Layer named ACLs (see the “Configuring MAC-Layer Named Access Lists (Optional)” section on page 32-39), and VLAN access maps. VLAN access maps can be applied to VLANs or, with releases 12.1(13)E or later, to WAN interfaces for
Configuring VLAN ACLs

When defining a VLAN access map, note the following syntax information:
• To insert or modify an entry, specify the map sequence number.
• If you do not specify the map sequence number, a number is automatically assigned.
• You can specify only one match clause and one action clause per map sequence.
• Use the no keyword with a sequence number to remove a map sequence.
• Use the no keyword without a sequence number to remove t
Configuring VLAN ACLs

Configuring an Action Clause in a VLAN Access Map Sequence

To configure an action clause in a VLAN access map sequence, perform this task:

Command: Router(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}
Purpose: Configures the action clause in a VLAN access map sequence.

Router(config-access-map)#
Configuring VLAN ACLs

Command: Router(config)# no vlan filter map_name [vlan-list vlan_list | interface type¹ number²]
Purpose: Removes the VLAN access map from the specified VLANs or WAN interfaces.

1. type = pos, atm, or serial
2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor

When applying a VLAN access map, note the following syntax information:
• You can apply the VLAN access map to one o
Configuring VLAN ACLs

This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLANs 12 to 16.

Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# v
Configuring VLAN ACLs

When configuring a capture port, note the following syntax information:
• With Release 12.1(13)E and later releases, you can configure any port as a capture port. With earlier releases, only the Gigabit Ethernet monitor port on the IDS module can be configured as a capture port.
• When configuring a capture port with Release 12.1(13)E and later releases, note the following syntax information:
  – The vlan_list parameter can be
Configuring TCP Intercept

These restrictions apply to VACL logging:
• Supported only with Supervisor Engine 2.
• Because of the rate-limiting function for redirected packets, VACL logging counters may not be accurate.
• Only denied IP packets are logged.

To configure VACL logging, use the action drop log command action in VLAN access map submode (see the “Configuring VACLs” section on page 23-11 for configuration information) and perform this task
Configuring Unicast Reverse Path Forwarding

These sections describe configuring Cisco IOS Unicast Reverse Path Forwarding (Unicast RPF):
• Understanding Unicast RPF Support, page 23-19
• Configuring Unicast RPF, page 23-19
• Enabling Self-Pinging, page 23-19
• Configuring the Unicast RPF Checking Mode, page 23-20

Understanding Unicast RPF Support

The PFC2 supports Unicast RPF with hardware processing for pac
Configuring Unicast Reverse Path Forwarding

This example shows how to enable self-pinging:

Router(config)# interface gigabitethernet 4/1
Router(config-if)# ip verify unicast source reachable-via any allow-self-ping
Router(config-if)# end

Configuring the Unicast RPF Checking Mode

There are two Unicast RPF checking modes:
• Strict checking mode, which verifies that the source IP address exists in the FIB table and verifies that the source IP address