Cisco Systems 7600 SERIES user manual

Device: Cisco Systems 7600 SERIES
Category: Network Router
Manufacturer: Cisco Systems
Size: 0.38 MB
Added : 6/7/2013
Number of pages: 24

Abstracts of contents
Summary of the content on the page No. 1

CHAPTER 23
Configuring Network Security
This chapter contains network security information unique to the Cisco 7600 series routers, which supplements the network security information and procedures in these publications:
  • Cisco IOS Security Configuration Guide, Release 12.1, at this URL:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/index.htm
  • Cisco IOS Security Command Reference, Release 12.1, at this URL:
    http://www.cisco.com/univercd/cc/td/doc/product/softw

Summary of the content on the page No. 2

Chapter 23 Configuring Network Security Hardware and Software ACL Support
With the ip unreachables command enabled (which is the default), a Supervisor Engine 2 drops most of the denied packets in hardware and sends only a small number of packets to the MSFC2 to be dropped (10 packets per second, maximum), which generates ICMP-unreachable messages. With the ip unreachables command enabled, a Supervisor Engine 1 sends all the denied packets to the MSFC to be dropped, which generates ICMP

Summary of the content on the page No. 3

Chapter 23 Configuring Network Security Guidelines and Restrictions for Using Layer 4 Operators in ACLs
  • Flows that require logging are processed in software without impacting nonlogged flow processing in hardware.
  • The forwarding rate for software-processed flows is substantially less than for hardware-processed flows.
  • When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware.
Guidelines and Restrictions for Using Laye

Summary of the content on the page No. 4

Chapter 23 Configuring Network Security Configuring the Cisco IOS Firewall Feature Set
Determining Logical Operation Unit Usage
Logical operation units (LOUs) are registers that store operator-operand couples. All ACLs use LOUs. There can be up to 32 LOUs; each LOU can store two different operator-operand couples with the exception of the range operator. LOU usage per Layer 4 operation is as follows:
  • gt uses 1/2 LOU
  • lt uses 1/2 LOU
  • neq uses 1/2 LOU
  • range uses 1 LOU
  • eq does not r

Summary of the content on the page No. 5

Chapter 23 Configuring Network Security Configuring the Cisco IOS Firewall Feature Set
  • Firewall Configuration Guidelines and Restrictions, page 23-6
  • Configuring CBAC on Cisco 7600 Series Routers, page 23-6
Cisco IOS Firewall Feature Set Support Overview
The firewall feature set images support these Cisco IOS firewall features:
  • Context-based Access Control (CBAC)
  • Port-to-Application Mapping (PAM)
  • Authentication Proxy
These are the firewall feature set image names:
  • c6sup22-jo3sv-

Summary of the content on the page No. 6

Chapter 23 Configuring Network Security Configuring the Cisco IOS Firewall Feature Set
Note: Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS). Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with the ip audit command.
Firewall Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring the Cisco IOS firewall features:
Restrictions
  • On other platforms, if y

Summary of the content on the page No. 7

Chapter 23 Configuring Network Security Configuring MAC Address-Based Traffic Blocking
Router(config-if)# exit
Router(config)# interface vlan 200
Router(config-if)# ip access-group deny_ftp_c in
Router(config-if)# ip access-group deny_ftp_d out
Router(config-if)# exit
Router(config)# interface vlan 300
Router(config-if)# ip access-group deny_ftp_e in
Router(config-if)# ip access-group deny_ftp_f out
Router(config-if)# end
If the FTP session enters on VLAN 100 and needs to leave on

Summary of the content on the page No. 8

Chapter 23 Configuring Network Security Configuring VLAN ACLs
Command: Router(config)# mac-address-table static mac_address vlan vlan_ID drop
Purpose: Blocks all traffic to or from the configured MAC address in the specified VLAN.
Command: Router(config)# no mac-address-table static mac_address vlan vlan_ID
Purpose: Clears MAC address-based blocking.
This example shows how to block all traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:
Router# configure terminal
Router(config)# mac-address-table s

Summary of the content on the page No. 9

Chapter 23 Configuring Network Security Configuring VLAN ACLs
is first checked against the output ACL applied to the routed interface and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.
Note
  • VACLs and CBAC cannot be configured on the same interface.
  • TCP Intercepts and Reflexive ACLs take precedence over a VACL action if these are configured o

Summary of the content on the page No. 10

Chapter 23 Configuring Network Security Configuring VLAN ACLs
Routed Packets
Figure 23-2 shows how ACLs are applied on routed and Layer 3-switched packets. For routed or Layer 3-switched packets, the ACLs are applied in the following order:
  1. VACL for input VLAN
  2. Input Cisco IOS ACL
  3. Output Cisco IOS ACL
  4. VACL for output VLAN
[Figure 23-2: Applying VACLs on Routed Packets]

Summary of the content on the page No. 11

Chapter 23 Configuring Network Security Configuring VLAN ACLs
Multicast Packets
Figure 23-3 shows how ACLs are applied on packets that need multicast expansion. For packets that need multicast expansion, the ACLs are applied in the following order:
  1. Packets that need multicast expansion:
     a. VACL for input VLAN
     b. Input Cisco IOS ACL
  2. Packets after multicast expansion:
     a. Output Cisco IOS ACL
     b. VACL for output VLAN (not supported with PFC2)
  3. Packets originating from router—VACL for o

Summary of the content on the page No. 12

Chapter 23 Configuring Network Security Configuring VLAN ACLs
  • VLAN Access Map Configuration and Verification Examples, page 23-15
  • Configuring a Capture Port, page 23-16
VACL Configuration Overview
VACLs use standard and extended Cisco IOS IP and IPX ACLs, and MAC-Layer named ACLs (see the “Configuring MAC-Layer Named Access Lists (Optional)” section on page 32-39) and VLAN access maps. VLAN access maps can be applied to VLANs or, with releases 12.1(13)E or later, to WAN interfaces for

Summary of the content on the page No. 13

Chapter 23 Configuring Network Security Configuring VLAN ACLs
When defining a VLAN access map, note the following syntax information:
  • To insert or modify an entry, specify the map sequence number.
  • If you do not specify the map sequence number, a number is automatically assigned.
  • You can specify only one match clause and one action clause per map sequence.
  • Use the no keyword with a sequence number to remove a map sequence.
  • Use the no keyword without a sequence number to remove t

Summary of the content on the page No. 14

Chapter 23 Configuring Network Security Configuring VLAN ACLs
Configuring an Action Clause in a VLAN Access Map Sequence
To configure an action clause in a VLAN access map sequence, perform this task:
Command: Router(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{ethernet | fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}
Purpose: Configures the action clause in a VLAN access map sequence.
Command: Router(config-access-map)#

Summary of the content on the page No. 15

Chapter 23 Configuring Network Security Configuring VLAN ACLs
Command: Router(config)# no vlan filter map_name [vlan-list vlan_list | interface type¹ number²]
Purpose: Removes the VLAN access map from the specified VLANs or WAN interfaces.
  1. type = pos, atm, or serial
  2. number = slot/port or slot/port_adapter/port; can include a subinterface or channel group descriptor
When applying a VLAN access map, note the following syntax information:
  • You can apply the VLAN access map to one o

Summary of the content on the page No. 16

Chapter 23 Configuring Network Security Configuring VLAN ACLs
This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLAN 12 to 16.
Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# v

Summary of the content on the page No. 17

Chapter 23 Configuring Network Security Configuring VLAN ACLs
When configuring a capture port, note the following syntax information:
  • With Release 12.1(13)E and later releases, you can configure any port as a capture port. With earlier releases, only the Gigabit Ethernet monitor port on the IDS module can be configured as a capture port.
  • When configuring a capture port with Release 12.1(13)E and later releases, note the following syntax information:
      – The vlan_list parameter can be

Summary of the content on the page No. 18

Chapter 23 Configuring Network Security Configuring TCP Intercept
These restrictions apply to VACL logging:
  • Supported only with Supervisor Engine 2.
  • Because of the rate-limiting function for redirected packets, VACL logging counters may not be accurate.
  • Only denied IP packets are logged.
To configure VACL logging, use the action drop log command action in VLAN access map submode (see the “Configuring VACLs” section on page 23-11 for configuration information) and perform this task

Summary of the content on the page No. 19

Chapter 23 Configuring Network Security Configuring Unicast Reverse Path Forwarding
Configuring Unicast Reverse Path Forwarding
These sections describe configuring Cisco IOS Unicast Reverse Path Forwarding (Unicast RPF):
  • Understanding Unicast RPF Support, page 23-19
  • Configuring Unicast RPF, page 23-19
  • Enabling Self-Pinging, page 23-19
  • Configuring the Unicast RPF Checking Mode, page 23-20
Understanding Unicast RPF Support
The PFC2 supports Unicast RPF with hardware processing for pac

Summary of the content on the page No. 20

Chapter 23 Configuring Network Security Configuring Unicast Reverse Path Forwarding
This example shows how to enable self-pinging:
Router(config)# interface gigabitethernet 4/1
Router(config-if)# ip verify unicast source reachable-via any allow-self-ping
Router(config-if)# end
Configuring the Unicast RPF Checking Mode
There are two Unicast RPF checking modes:
  • Strict checking mode, which verifies that the source IP address exists in the FIB table and verifies that the source IP address

