Your software release
may not support all the features documented in this module. For the latest
caveats and feature information, see
Bug Search Tool and the
release notes for your platform and software release. To find information about
the features documented in this module, and to see a list of the releases in
which each feature is supported, see the feature information table.
Use Cisco Feature
Navigator to find information about platform support and Cisco software image
support. To access Cisco Feature Navigator, go to
An account on Cisco.com is not required.
Restrictions for Configuring Firewall Resource Management
After you configure the global-level or VRF-level session limit and reconfigure the session limit, if the global-level or VRF-level session limit is below the initially configured session count, no new session is added; however, no current session is dropped.
Information About Configuring Firewall Resource Management
Resource Management limits the level of usage of shared resources on a device. Shared resources on a device include:
Memory usage (per table)
Number of sessions or calls
Packets per second
Ternary content addressable memory (TCAM) entries
The Firewall Resource Management feature extends the zone-based firewall resource management from the class level to the VRF level and the global level. Class-level resource management provides resource protection for firewall sessions at a class level. For example, parameters such as the maximum session limit, the session rate limit, and the incomplete session limit protect firewall resources (for example, chunk memory) and keep these resources from being used up by a single class.
When virtual routing and forwarding (VRF) instances share the same policy, a firewall session setup request from one VRF instance can make the total session count reach the maximum limit. When one VRF consumes the maximum amount of resources on a device, it becomes difficult for other VRF instances to share device resources. To limit the number of VRF firewall sessions, you can use the Firewall Resource Management feature.
At the global level, the Firewall Resource Management feature helps limit the usage of resources at the global routing domain by firewall sessions.
VRF-Aware Cisco IOS XE Firewall
The VRF-Aware Cisco IOS XE Firewall applies the Cisco IOS XE Firewall functionality to VPN Routing and Forwarding (VRF) interfaces when the firewall is configured on a service provider (SP) or large enterprise edge routers. SPs provide managed services to small and medium business markets.
The VRF-Aware Cisco IOS XE Firewall supports VRF-lite (also known as Multi-VRF CE) and Application Inspection and Control (AIC) for various protocols.
The VRF-aware firewall supports VRF-lite (also known as Multi-VRF CE) and Application Inspection and Control (AIC) for various protocols.
Cisco IOS XE Releases do not support Context-Based Access Control (CBAC) firewalls.
At the virtual routing and forwarding (VRF) level, the Firewall Resource Management feature tracks the firewall session count for each VRF instance. At the global level, the firewall resource management tracks the total firewall session count at the global routing domain and not at the device level. In both the VRF and global levels, session count is the sum of opened sessions, half-opened sessions, and sessions in the imprecise firewall session database. A TCP session that has not yet reached the established state is called a half-opened session.
A firewall has two session databases: the session database and the imprecise session database. The session database contains sessions with 5-tuple (source IP address, destination IP address, source port, destination port, and protocol). A tuple is an ordered list of elements. The imprecise session database contains sessions with fewer than 5-tuple (missing IP addresses, port numbers, and so on).
The following rules apply to the configuration of a session limit:
The class-level session limit can exceed the global limit.
The class-level session limit can exceed its associated VRF session maximum.
The sum of the VRF limit, including the global context, can be greater than the hardcoded session limit.
The session rate is the rate at which sessions are established at any given time interval. You can define maximum and minimum session rate limits. When the session rate exceeds the maximum specified rate, the firewall starts rejecting new session setup requests.
From the resource management perspective, setting the maximum and minimum session rate limit helps protect Cisco Packet Processor from being overwhelmed when numerous firewall session setup requests are received.
Incomplete or Half-Opened Sessions
Incomplete sessions are half-opened sessions. Any resource used by an incomplete session is counted, and any growth in the number of incomplete sessions is limited by setting the maximum session limit.
Firewall Resource Management Sessions
The following rules apply to firewall resource management sessions:
By default, the session limit for opened and half-opened sessions is unlimited.
Opened or half-opened sessions are limited by parameters and counted separately.
Opened or half-opened session count includes Internet Control Message Protocol (ICMP), TCP, or UDP sessions.
You can limit the number and rate of opened sessions.
You can only limit the number of half-opened sessions.
Exits parameter-map type inspect configuration mode and enters global configuration mode.
Device(config)# parameter-map type inspect-vrf vrf-default
Configures a default inspect VRF-type parameter map.
Device(config-profile)# session total 6000
Configures the total number of sessions.
You can configure the
sessiontotal command for an inspect VRF-type parameter map and for a global parameter map. When you configure the
sessiontotal command for an inspect VRF-type parameter map, the sessions are associated with an inspect VRF-type parameter map. The
sessiontotal command is applied to the global routing domain when it is configured for a global parameter-map.
Device(config-profile)# tcp syn-flood limit 7000
Limits the number of TCP half-opened sessions that trigger SYN cookie processing for new SYN packets.
Exits parameter-map type inspect configuration mode and enters privileged EXEC mode.
Configuration Examples for Firewall Resource Management
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for Configuring Firewall Resource Management
The following table
provides release information about the feature or features described in this
module. This table lists only the software release that introduced support for
a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform
support and Cisco software image support. To access Cisco Feature Navigator, go
An account on Cisco.com is not required.
Table 1 Feature Information for Configuring Firewall Resource Management
Firewall Resource Management
Cisco IOS XE Release 3.3S
The Firewall Resource Management feature limits the number of VPN Routing and Forwarding (VRF) and global firewall sessions that are configured on a router.
The following commands were introduced or modified: