Yeah, there are definitely a lot more ways to be granular. PG is only one solution. You can achieve the same task sometimes in several ways.

Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

From: Paul Stewart (via [email protected])
Sent: Sunday, August 23, 2009 4:17 PM
To: Simon Baumann
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] TCP Intercept related question

I think most now use CBAC in lieu of TCP Intercept. However, I guess it is certainly fair game for the lab. If you look at the example on the DocCD, it uses tcp, but does not filter to a port. Also, if you go to the URL below (which is describing Richard Deal's "Router Security" Cisco Press book), you can find the following tip:

DocCD example:
http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_cfg_tcp_intercpt.html#wp1001107

    ip tcp intercept list 101
    access-list 101 permit tcp any 192.168.1.0 0.0.0.255

Deal's book:
http://www.ciscopress.com/articles/article.asp?p=345618&seqNum=3

TIP: When you are setting up TCP Intercept, use it to deal with TCP SYN flood attacks from external users. This is accomplished by configuring an extended ACL for TCP Intercept that refines the traffic that should be monitored. For example, if you have only two servers in your DMZ that use TCP, such as an e-mail server and a web server, set up TCP Intercept to monitor only port 25 traffic to the e-mail server and port 80 traffic to the web server. This greatly reduces the number of TCP connections that the router has to monitor. Because you typically do not know the IP address of the source device, leave it as any.

On Sun, Aug 23, 2009 at 3:05 PM, Simon Baumann <[email protected]> wrote:

Thanks, Paul. The PG solution states ip, which gave me an unsure feeling.

On 23.08.2009 at 20:03 Paul Stewart wrote:

You should be able to match on the protocol TCP instead of the protocol IP. That alone should not modify the behavior, since it is only applicable to TCP. However, you can define the ACL to also define a port. That way, you can get more granular and only look at certain traffic with the intercept process. This can help the resource utilization on the router.

Message: 5
Date: Sun, 23 Aug 2009 17:01:37 +0200
From: Simon Baumann <[email protected]>
Subject: [OSL | CCIE_Security] TCP Intercept related question.
To: [email protected]

Hi, when I define an access-list for TCP intercept: could I match on the protocol tcp instead of ip? Does it have any influence on this feature? TIA.

Regards,
Simon

End of CCIE_Security Digest, Vol 38, Issue 36
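The two ACL styles discussed in the thread, side by side, as an added IOS configuration example (not posted by anyone in the thread and not the DocCD's own text). The server addresses (192.168.1.10 for mail, 192.168.1.20 for web), the ACL numbers and the threshold values are assumptions chosen for illustration; only the command syntax is from IOS.

```cisco
! Added example, not from the thread or the DocCD. Server addresses
! (192.168.1.10 mail, 192.168.1.20 web), ACL numbers and threshold values
! are assumed for illustration.
!
! --- Broad form, as in the PG / DocCD style: every TCP session is watched ---
! "permit ip" matches all protocols, but TCP Intercept only ever acts on
! TCP SYNs, so this behaves exactly like "permit tcp any any": the router
! tracks every half-open TCP connection to every destination behind it.
access-list 100 permit ip any any
ip tcp intercept list 100
!
! --- Refined form per Deal's tip: only the two DMZ services are watched ---
! Source stays "any" (the attacker's address is unknown); destination host
! and port are pinned down so far fewer embryonic connections are tracked.
! SYNs that do not match a permit entry are forwarded normally, without
! interception (the implicit deny at the end; the explicit deny is only
! there to make that visible in "show access-lists" hit counters).
no ip tcp intercept list 100
no access-list 100
access-list 101 permit tcp any host 192.168.1.10 eq 25
access-list 101 permit tcp any host 192.168.1.20 eq 80
access-list 101 deny   tcp any any
ip tcp intercept list 101
!
! --- Mode and thresholds (example values, not platform defaults) ---
! intercept: router completes the 3-way handshake on the server's behalf
! watch:     router only watches and resets connections that stall
ip tcp intercept mode intercept
! aggressive mode kicks in above "high", stops below "low"
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
! which half-open connection to drop when in aggressive mode
ip tcp intercept drop-mode random
! timers (seconds)
ip tcp intercept watch-timeout 30
ip tcp intercept connection-timeout 3600
ip tcp intercept finrst-timeout 5
!
! --- Verification ---
! show tcp intercept connections   -> incomplete vs established sessions
! show tcp intercept statistics    -> intercepted/dropped SYN counters
```

The check that matters in the lab is that the ACL selects what is intercepted, not what is permitted through the router: a SYN that does not match a permit entry is simply not protected, so a refined list must cover every service that needs SYN-flood protection.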
