Piotr, Excellent and got it.
Thanks
Regards
Anantha Subramanian Natarajan

On Wed, Jan 26, 2011 at 2:46 AM, Piotr Matusiak <[email protected]> wrote:
> Anantha,
>
> That's true for max-incomplete and one-minute CBAC commands. Those commands
> work for TCP, UDP and even for ICMP. However, the "tcp max-incomplete" works
> only for TCP. Why? This is because the host-specific defense is mainly to
> protect the router from handling attacks coming from a higher speed link.
> It stops new connections to the host (server) when the half-open connection
> limit has been reached. Note that it works differently than "max-incomplete",
> since new connections to the server are not possible for the time specified by
> this command after the limit has been crossed.
> The reason for that is closely connected with how the router works. In normal
> operation the connections use the Fast Path (CEF switching) so that there is
> no performance impact on the router's CPU. However, in the case of a router FW,
> every connection must be handled by the CPU to enable stateful firewall
> behavior.
> In the case of a DoS attack from the higher speed interface, the number of
> connections can be so huge that the performance impact can be significant.
> That's why the developers decided to introduce a time limit in that command.
> This was mainly developed for that reason, and that's why only TCP is
> supported.
>
> Regards,
> Piotr
>
> 2011/1/25 Anantha Subramanian Natarajan <[email protected]>
>
>> Hi Piotr,
>>
>> Thanks for your clarification. It seems the Cisco IOS firewall considers UDP
>> half-open sessions as any UDP communication which is unidirectional. Is that
>> not right? I was reading the command reference on what the Cisco IOS
>> firewall treats as a UDP half-open session.
>>
>> Kindly correct me.
>>
>> Thanks
>>
>> Regards
>> Anantha Subramanian Natarajan
>>
>> On Tue, Jan 25, 2011 at 11:48 AM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Anantha,
>>>
>>> UDP is connectionless, so no half-open connections exist.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/1/25 Anantha Subramanian Natarajan <[email protected]>
>>>
>>>> Hi All,
>>>>
>>>> I was going through the Cisco IOS Firewall feature (CBAC) and
>>>> understood that there is a global command "ip inspect tcp max-incomplete
>>>> host value" to delete half-open sessions whenever the number of half-open
>>>> sessions to the specified destination host address rises above a
>>>> threshold. I am trying to understand whether a similar command exists for
>>>> UDP, and if not, any specific technical reason why this command wouldn't
>>>> be possible for UDP.
>>>>
>>>> Thanks for the great help
>>>>
>>>> Regards
>>>> Anantha Subramanian Natarajan
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
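The following configuration is an added example, not from this thread or from any of the posters, showing side by side the two mechanisms Piotr contrasts: the protocol-wide max-incomplete and one-minute thresholds that cover TCP, UDP and ICMP inspection, and the TCP-only per-host limit with its block-time. The inspection rule name, interface, and all threshold values are assumed; the behaviour notes in the comments describe standard CBAC semantics, and the defaults mentioned should be checked against the command reference for the IOS release in use.

```cisco
! Added example (not from the thread): CBAC half-open session protection.
! Rule name "FW", the interface and the numbers below are assumed values.

! Inspection rule: CBAC keeps session state for TCP, UDP and ICMP.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp

! UDP has no handshake, so a UDP "half-open" session is just a flow that has
! not yet seen return traffic; it is aged out by the idle timer rather than
! by a per-host half-open limit.
ip inspect udp idle-time 30

! Global aggressive-mode thresholds, applied across all inspected protocols.
! When the total number of half-open sessions, or the rate of new half-open
! sessions per minute, rises above "high", CBAC deletes half-open sessions
! until the count falls back below "low".
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 800
ip inspect one-minute high 1000
ip inspect one-minute low 800

! TCP-only, per-destination-host limit discussed in the thread.
! With block-time 0 (the default) CBAC drops the oldest half-open session to
! that host for each new SYN above the limit; with a non-zero block-time it
! refuses all new connection attempts to that host for that many minutes.
ip inspect tcp max-incomplete host 100 block-time 2

interface GigabitEthernet0/0
 description inside
 ip inspect FW in
!
! Verification from the defender's side: confirm the thresholds took effect
! and watch the half-open counters while the link is under load.
! show ip inspect config
! show ip inspect statistics
```

The first three `ip inspect` thresholds are what Anantha was looking for on the UDP side: because they count every inspected protocol, a flood of unidirectional UDP flows still trips the same aggressive-mode deletion, just without the host-specific blocking that only TCP's three-way handshake makes meaningful.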
