I think most now use CBAC in lieu of TCP Intercept.  However, I guess it is
certainly fair game for the lab.  If you look at the example on the DocCD,
it uses tcp, but does not filter to a port.  Also, if you go to the URL
below (which describes Richard Deal's Router Security Cisco Press
book), you can find the following tip:

DocCD example:

http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_cfg_tcp_intercpt.html#wp1001107


ip tcp intercept list 101

access-list 101 permit tcp any 192.168.1.0 0.0.0.255


Deal's Book
http://www.ciscopress.com/articles/article.asp?p=345618&seqNum=3

*TIP*

When you are setting up TCP Intercept, use it to deal with TCP SYN flood
attacks from external users. This is accomplished by configuring an extended
ACL for TCP Intercept that refines the traffic that should be monitored. For
example, if you have only two servers in your DMZ that use TCP, such as an
e-mail server and a web server, set up TCP Intercept to monitor only port 25
traffic to the e-mail server and port 80 traffic to the web server. This
greatly reduces the number of TCP connections that the router has to
monitor. Because you typically do not know the IP address of the source
device, leave it as any.


On Sun, Aug 23, 2009 at 3:05 PM, Simon Baumann <[email protected]> wrote:

> Thanks, Paul. The PG solution states ip, which gave me an unsure feeling.
>
> Am 23.08.2009 um 20:03 schrieb Paul Stewart:
>
> You should be able to match on the protocol TCP instead of the protocol
>> IP.  That alone should not modify the behavior, since it is only applicable
>> to TCP.  However, you can define the ACL to also define a port.  That way,
>> you can get more granular and only look at certain traffic with the
>> intercept process.  This can help the resource utilization on the router.
>>
>> Message: 5
>> Date: Sun, 23 Aug 2009 17:01:37 +0200
>> From: Simon Baumann <[email protected]>
>> Subject: [OSL | CCIE_Security] TCP Intercept related question.
>> To: [email protected]
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>>
>> Hi,
>> when I define an access-list for TCP intercept: could I match on the
>> protocol tcp instead of ip?
>> Does it have any influence on this feature?
>> TIA.
>>
>> Regards
>> Simon
>>
>>
>> End of CCIE_Security Digest, Vol 38, Issue 36
>> *********************************************
>>
>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
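To make the difference between the two ACL styles discussed in this thread concrete, here is an added IOS configuration. It is my own example, not the PG solution, the DocCD example, or Deal's book, and it assumes a DMZ of 192.168.1.0/24 with a mail server at 192.168.1.10 and a web server at 192.168.1.20 (both host addresses are assumptions).

```cisco
! Added example, not from the thread, the PG, or the DocCD. Assumed hosts:
! 192.168.1.10 = DMZ mail server, 192.168.1.20 = DMZ web server.
!
! --- Variant A: the broad form the PG solution uses. "permit ip" matches
! everything, but TCP Intercept only ever evaluates TCP SYNs, so "permit tcp"
! here would behave identically: every TCP connection into 192.168.1.0/24 is
! intercepted.
access-list 101 remark TCP Intercept - all TCP into the DMZ subnet
access-list 101 permit ip any 192.168.1.0 0.0.0.255
!
! --- Variant B: Deal's refinement. Only SMTP to the mail server and HTTP to
! the web server are watched. This ACL is never bound to an interface with
! "ip access-group", so the implicit deny at the end drops nothing; it only
! means those flows are left alone.
access-list 102 remark TCP Intercept - SMTP and HTTP into the DMZ only
access-list 102 permit tcp any host 192.168.1.10 eq 25
access-list 102 permit tcp any host 192.168.1.20 eq 80
!
! Point the feature at the narrow list (only one list can be active at a time).
ip tcp intercept list 102
!
! Watch mode lets the SYN reach the server but resets the connection if the
! handshake does not complete within watch-timeout; intercept mode (the
! default) has the router proxy the handshake instead.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! Aggressive-mode thresholds (these values are the IOS defaults, shown
! explicitly): start dropping half-open connections once either the total
! count or the one-minute rate exceeds "high", stop once it falls below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode random
```

Verify with "show tcp intercept statistics" (counts of incomplete and established connections, and whether aggressive mode is active) and "show tcp intercept connections"; "show access-lists 102" shows hit counts per entry so you can confirm only the intended ports are being matched. The practical reason to prefer variant B in a real deployment is the one Paul and Deal both give: fewer flows tracked means less memory and CPU consumed by the router during a SYN flood.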