Cisco IOS Firewall


Last updated 3 years ago

CBAC – Context Based Access Control

CBAC allows examination of traffic at the Application Layer, not just Layer 3 or Layer 4 as with ACLs. It maintains session information and creates temporary openings to allow return traffic for permitted sessions. CBAC keeps a state table for both TCP and UDP (approximated state for UDP, since the service is connectionless). Packets in the return traffic must match the information in the state table to be allowed. CBAC is configured on an interface in one direction (incoming or outgoing) and only inspects packets that have already passed the ACL in that direction (see Order of operations). When traffic originates in the direction where the inspection rule is applied, it generates shortcuts that bypass any ACLs in the opposite direction, regardless of the interface. This means an inspection on the incoming traffic of the inside interface will allow the returning packets on the outside interface (even if there is an ACL that denies them). Likewise, if the inspection is configured on the outside interface in the outgoing direction, it will still allow the return traffic.

To define the CBAC inspection rule, use:

R(config)# ip inspect name INSPECTION-NAME PROTOCOL [alert {on|off}] [audit-trail {on|off}] [timeout SEC]
! alert: generates syslog messages
! audit-trail: generates more verbose messages

Apply the inspection rule on an interface, in one direction:

R(config-if)# ip inspect INSPECTION-NAME {in | out}
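To make the state-table behaviour above concrete, here is an added Python model of an inspect rule applied inbound on the inside interface (constructed for this page, not IOS code or anything from the original site): the Packet, Cbac and demo names are hypothetical, the ACLs are plain functions, and only the decision logic is modelled.

```python
from dataclasses import dataclass, field
# Constructed 5-tuple "packet"; this models only the CBAC decision logic, not IOS.
@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Cbac:
    """Inspect rule applied inbound on the inside interface (hypothetical model).
    inside_acl / outside_acl: the ACLs applied inbound on each interface,
    each a function Packet -> bool (True = permit)."""
    inside_acl: object
    outside_acl: object
    inspected: set                          # protocols named in 'ip inspect name'
    sessions: set = field(default_factory=set)  # the CBAC state table

    def from_inside(self, pkt):
        # The packet must first pass the ACL in the inspected direction.
        if not self.inside_acl(pkt):
            return "deny-acl"
        if pkt.proto in self.inspected:
            # Record the session so the reply gets a temporary opening.
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit-inspected"
        return "permit"

    def from_outside(self, pkt):
        # Return traffic is matched against the state table with src/dst swapped;
        # a hit bypasses the outside ACL entirely, a miss falls back to that ACL.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return "permit-state"
        return "permit" if self.outside_acl(pkt) else "deny-acl"

def demo():
    """Constructed scenario: inspect TCP only, outside ACL denies everything."""
    fw = Cbac(inside_acl=lambda p: True, outside_acl=lambda p: False, inspected={"tcp"})
    tcp_out = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443)
    tcp_back = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000)
    unsolicited = Packet("tcp", "203.0.113.99", 5555, "10.0.0.5", 22)
    udp_out = Packet("udp", "10.0.0.5", 5000, "203.0.113.10", 53)
    udp_back = Packet("udp", "203.0.113.10", 53, "10.0.0.5", 5000)
    return {"tcp_out": fw.from_inside(tcp_out), "tcp_back": fw.from_outside(tcp_back),
            "unsolicited": fw.from_outside(unsolicited),
            "udp_out": fw.from_inside(udp_out), "udp_back": fw.from_outside(udp_back)}
```

The UDP reply is dropped because UDP was not listed in the inspect rule, so no state entry exists and the deny-all outside ACL applies.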

TCP Intercept

TCP Intercept is used to protect servers from TCP SYN-flood attacks. In this type of attack, an attacker sends many TCP SYN packets to a server, which tries to respond to each with a SYN-ACK and then keeps that state information until the sender responds with an ACK and the three-way handshake is completed. When the number of SYN packets received is high enough, the server may start dropping legitimate connections. The router can be configured to prevent this using the TCP Intercept feature. There are two modes of operation: active and passive. In the default active mode (intercept), the router intercepts the TCP SYN packets and responds with a SYN-ACK on behalf of the server. Only when it receives the ACK back does it perform a three-way handshake with the server and join the two sessions together, thus stopping excess SYNs from reaching the server. In the passive mode (watch), the router forwards the SYN to the server but waits a limited amount of time (default: 30 sec) for the three-way handshake to complete, before it sends a RESET to the server to clear the connection.

! Traffic permitted by the following ACL will be intercepted.
! Usually matches the destination server.
! Can also be used to exclude some known sources from interception.
R(config)# ip tcp intercept list ACL
! Define intercept mode: active (intercept) or passive (watch)
R(config)# ip tcp intercept mode {intercept | watch}
! Define timers
R(config)# ip tcp intercept {watch-timeout| finrst-timeout | connection-timeout} SEC

TCP Intercept also has an aggressive mode in which each new connection causes an old (incomplete) connection to be dropped. Aggressive mode is enabled automatically based on two pairs of thresholds: the total number of incomplete connections, and the number of connection attempts in the last minute. It is entered when the high value is exceeded and left when the count falls below the low value.

R(config)# ip tcp intercept max-incomplete low LOW-VAL high HIGH-VAL
R(config)# ip tcp intercept one-minute low LOW-VAL high HIGH-VAL
R(config)# ip tcp intercept drop-mode {oldest | random}
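The following added Python model (constructed for this page, not IOS code) shows how the max-incomplete thresholds and drop-mode interact in active mode: half-open sessions are held by the router until the client's ACK arrives, aggressive mode switches on above the high threshold and off below the low one, and each new SYN in aggressive mode first evicts one half-open entry. TcpIntercept and demo are hypothetical names; the one-minute rate thresholds are not modelled.

```python
import random
from collections import OrderedDict

class TcpIntercept:
    """Constructed model of IOS TCP Intercept thresholds (not IOS code). Half-open
    (embryonic) connections are tracked until the client's ACK arrives. Aggressive
    mode starts when their count exceeds `high` and stops when it drops below `low`;
    while aggressive, each new SYN first evicts one half-open entry per `drop_mode`."""
    def __init__(self, low, high, drop_mode="oldest", seed=0):
        self.low, self.high, self.drop_mode = low, high, drop_mode
        self.half_open = OrderedDict()   # insertion order == age, oldest first
        self.aggressive, self.dropped = False, 0
        self._rng = random.Random(seed)  # seeded so 'random' mode is reproducible

    def _update_mode(self):
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True
        elif self.aggressive and n < self.low:
            self.aggressive = False

    def syn(self, client, server):
        # Router answers the SYN with a SYN-ACK on the server's behalf.
        if self.aggressive and self.half_open:
            if self.drop_mode == "oldest":
                victim = next(iter(self.half_open))
            else:
                victim = self._rng.choice(list(self.half_open))
            del self.half_open[victim]   # router resets the evicted half-open session
            self.dropped += 1
        self.half_open[(client, server)] = True
        self._update_mode()
        return self.aggressive

    def ack(self, client, server):
        # Client completed the handshake; the router now opens the server side.
        completed = self.half_open.pop((client, server), None) is not None
        self._update_mode()
        return completed

def demo():
    """Constructed flood: 6 SYNs from different sources, then 4 of them complete."""
    ti = TcpIntercept(low=2, high=4)
    for i in range(1, 7):
        ti.syn(f"198.51.100.{i}", "10.0.0.80:80")
    agg_after_flood, dropped = ti.aggressive, ti.dropped
    for i in range(2, 6):
        ti.ack(f"198.51.100.{i}", "10.0.0.80:80")
    return agg_after_flood, dropped, ti.aggressive, len(ti.half_open)
```

With low=2 and high=4, the fifth SYN pushes the router into aggressive mode, the sixth evicts the oldest half-open entry, and the mode is left only once fewer than two half-open sessions remain.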

Unicast RPF (Reverse Path Forwarding)

! CEF must be enabled
R(config)# ip cef
R(config)# interface INTERFACE
R(config-if)# ip verify unicast reverse-path [list ACL]
! spoofed packets that are permitted by the ACL are forwarded but can be logged
! spoofed packets that are denied by the ACL are dropped but can be logged

For multihomed environments, a loose version of uRPF can be enabled, where the packet does not need to enter a specific interface. A route to the source must exist in the routing table, otherwise the packet will be dropped. To enable the loose-mode uRPF, use:

R(config-if)# ip verify unicast source reachable-via any

Unicast RPF uses the same mechanism as the Multicast RPF used by PIM to verify that a packet arrived on the interface that holds the best route towards the packet's source. If it did, the packet is processed; if it did not, the packet is dropped.
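The strict and loose checks described in this section, as an added Python model (constructed for this page, not IOS code): ROUTES, best_route, urpf and demo are hypothetical names, the routing table is a constructed sample, the optional acl function plays the role of the [list ACL] exemption, and the allow_default flag models the IOS allow-default keyword, without which a source that matches only the default route fails the check.

```python
import ipaddress

# Constructed routing table: prefix -> egress interface (None models a Null0 route).
# Assumption: one best path per prefix, as CEF sees it.
ROUTES = {
    "0.0.0.0/0": "Gi0/0",      # default route towards the ISP
    "10.1.0.0/16": "Gi0/1",
    "10.1.5.0/24": "Gi0/2",    # more specific, wins over 10.1.0.0/16
    "192.0.2.0/24": None,      # Null0: source is deliberately unroutable
}

def best_route(addr, allow_default=False):
    """Longest-prefix match on the packet's *source* address. Returns
    (prefix, interface); the default route only counts with allow_default."""
    ip = ipaddress.ip_address(addr)
    hits = [ipaddress.ip_network(p) for p in ROUTES if ip in ipaddress.ip_network(p)]
    if not allow_default:
        hits = [n for n in hits if n.prefixlen > 0]
    if not hits:
        return None, None
    best = max(hits, key=lambda n: n.prefixlen)
    return str(best), ROUTES[str(best)]

def urpf(src, ingress, mode="strict", allow_default=False, acl=None):
    """'strict' = ip verify unicast reverse-path (best route must point back out
    the ingress interface); 'loose' = ... reachable-via any (any non-Null0 route).
    `acl`, if given, plays the [list ACL] role: consulted only when the RPF check
    fails, and a permit lets the packet through (a deny still drops it)."""
    _, iface = best_route(src, allow_default)
    passed = iface is not None and (mode == "loose" or iface == ingress)
    if passed:
        return "forward"
    if acl is not None and acl(src):
        return "forward-acl-exempt"
    return "drop"

def demo():
    """Constructed checks covering strict, loose, Null0, default route and ACL."""
    exempt = lambda s: ipaddress.ip_address(s) in ipaddress.ip_network("10.1.5.0/24")
    return {
        "strict_ok": urpf("10.1.5.7", "Gi0/2"),
        "strict_wrong_if": urpf("10.1.5.7", "Gi0/1"),
        "strict_exempt": urpf("10.1.5.7", "Gi0/1", acl=exempt),
        "loose_ok": urpf("10.1.5.7", "Gi0/1", mode="loose"),
        "loose_null0": urpf("192.0.2.9", "Gi0/0", mode="loose"),
        "loose_default": urpf("8.8.8.8", "Gi0/0", mode="loose"),
        "loose_allow_default": urpf("8.8.8.8", "Gi0/0", mode="loose", allow_default=True),
    }
```

Note that 10.1.5.7 arriving on Gi0/1 fails strict mode even though 10.1.0.0/16 points there, because the longest match 10.1.5.0/24 points out Gi0/2; loose mode accepts it, but still drops a source covered only by a Null0 route.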