23-18
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 23      Configuring Network Security
These restrictions apply to VACL logging:
  • Supported only with Supervisor Engine 2.
  • Because of the rate-limiting function for redirected packets, VACL logging counters may not be accurate.
  • Only denied IP packets are logged.
To configure VACL logging, use the action drop log command action in VLAN access map submode (see the section on configuring VACLs for configuration information) and perform this task in global configuration mode to specify the global VACL logging parameters:

Step 1
Command: Router(config)# vlan access-log maxflow max_number
Purpose: Sets the log table size. The default is 500, with a valid range of 0 to 2048. Setting maxflow to 0 deletes the contents of the log table. When the log table is full, logged packets from new flows are dropped by the software.

Step 2
Command: Router(config)# vlan access-log ratelimit pps
Purpose: Sets the maximum rate at which VACL-logged packets are redirected to the software. The default is 2000 packets per second, with a valid range of 0 to 5000. Packets exceeding the limit are dropped by the hardware, which is why the VACL logging counters may not be accurate.

Step 3
Command: Router(config)# vlan access-log threshold pkt_count
Purpose: Sets the logging threshold. A logging message is generated if a flow reaches the threshold before the end of the 5-minute interval. By default, no threshold is set.

Step 4
Command: Router(config)# exit
Purpose: Exits global configuration mode.

Step 5
Command: Router# show vlan access-log config
Purpose: (Optional) Displays the configured VACL logging properties.

Step 6
Command: Router# show vlan access-log flow protocol {{src_addr src_mask} | any | {host {hostname | host_ip}}} {{dst_addr dst_mask} | any | {host {hostname | host_ip}}} [vlan vlan_id]
Purpose: (Optional) Displays the content of the VACL log table.

Step 7
Command: Router# show vlan access-log statistics
Purpose: (Optional) Displays packet and message counts and other statistics.

This example shows how to configure global VACL logging in hardware:

Router(config)# vlan access-log maxflow 800
Router(config)# vlan access-log ratelimit 2200
Router(config)# vlan access-log threshold 4000

Configuring TCP Intercept

With Supervisor Engine 2 and PFC2, TCP intercept flows are processed in hardware. With Supervisor Engine 1 and PFC, TCP intercept flows are processed in software.

For configuration procedures, refer to the Cisco IOS Security Configuration Guide, Release 12.1, "Traffic Filtering and Firewalls," "Configuring TCP Intercept," at this URL:
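As an added check for the VACL logging task in this section (not part of the Cisco guide, and not code that talks to a switch), the following Python validates the three global parameters against the ranges and defaults documented in the step table, renders the Steps 1-3 commands, and reads them back out of running-config text so an existing configuration can be audited against the same rules. The class and function names, the constructed sample configuration, and the "unreachable threshold" check (a threshold larger than ratelimit multiplied by the 300-second interval can never be reached, because packets above the rate limit are dropped in hardware before they are counted) are this example's own assumptions, not Cisco's.

```python
"""Validate, render and audit the global VACL logging parameters documented
above (Catalyst 6500, Supervisor Engine 2).  Added example for this page; it is
not Cisco's code and only works on command text.  Ranges and defaults come from
the step table on this page."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

MAXFLOW_RANGE = (0, 2048)        # vlan access-log maxflow: default 500, 0 clears the table
RATELIMIT_RANGE = (0, 5000)      # vlan access-log ratelimit: packets per second, default 2000
THRESHOLD_WINDOW_SECONDS = 300   # the threshold is evaluated against a 5-minute interval
DEFAULT_MAXFLOW = 500
DEFAULT_RATELIMIT = 2000


@dataclass
class VaclLogging:
    maxflow: int = DEFAULT_MAXFLOW
    ratelimit: int = DEFAULT_RATELIMIT
    threshold: Optional[int] = None   # None = no threshold, the documented default

    def validate(self) -> list[str]:
        """Return a list of problems; an empty list means the values are accepted."""
        problems = []
        lo, hi = MAXFLOW_RANGE
        if not lo <= self.maxflow <= hi:
            problems.append(f"maxflow {self.maxflow} outside {lo}-{hi}")
        lo, hi = RATELIMIT_RANGE
        if not lo <= self.ratelimit <= hi:
            problems.append(f"ratelimit {self.ratelimit} outside {lo}-{hi} pps")
        if self.threshold is not None:
            if self.threshold < 1:
                problems.append("threshold must be a positive packet count")
            # Derived check, an assumption not spelled out on the page: packets above
            # the rate limit are dropped in hardware before software sees them, so one
            # flow cannot accumulate more than ratelimit * 300 logged packets in a
            # 5-minute interval and a larger threshold can never produce a message.
            elif self.threshold > self.ratelimit * THRESHOLD_WINDOW_SECONDS:
                problems.append(
                    f"threshold {self.threshold} unreachable: at most "
                    f"{self.ratelimit * THRESHOLD_WINDOW_SECONDS} packets per flow per 5 min")
        return problems

    def warnings(self) -> list[str]:
        """Accepted but operationally suspect settings."""
        notes = []
        if self.maxflow == 0:
            notes.append("maxflow 0 empties the log table; logged packets from new flows "
                         "are dropped by software until maxflow is raised")
        return notes

    def render(self) -> list[str]:
        """Global-configuration lines equivalent to Steps 1-3 of the task above."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        lines = [f"vlan access-log maxflow {self.maxflow}",
                 f"vlan access-log ratelimit {self.ratelimit}"]
        if self.threshold is not None:
            lines.append(f"vlan access-log threshold {self.threshold}")
        return lines


_LINE_RE = re.compile(r"^\s*vlan access-log (maxflow|ratelimit|threshold)\s+(\d+)\s*$")


def parse_running_config(text: str) -> VaclLogging:
    """Recover the global VACL logging settings from running-config text.
    A parameter that does not appear keeps the documented default."""
    cfg = VaclLogging()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            setattr(cfg, m.group(1), int(m.group(2)))
    return cfg


# Constructed sample, not captured from a real switch; it mirrors the page's example.
SAMPLE_RUNNING_CONFIG = """\
hostname Router
vlan access-log maxflow 800
vlan access-log ratelimit 2200
vlan access-log threshold 4000
vlan access-map drop-telnet 10
 match ip address 101
 action drop log
"""

if __name__ == "__main__":
    cfg = parse_running_config(SAMPLE_RUNNING_CONFIG)
    print("\n".join(cfg.render()))
    for problem in VaclLogging(maxflow=3000, ratelimit=10, threshold=4000).validate():
        print("rejected:", problem)
```

Run against a saved running-config, the parser fills in the documented defaults for any of the three lines that is absent, so the audit reports what the switch is actually doing rather than only what was typed.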