Configuring Firewall Resource Management
First Published: March 30, 2011
Last Updated: March 30, 2011
The Firewall Resource Management feature limits the number of firewall sessions that can be established per VPN routing and forwarding (VRF) instance and in the global routing domain on a router.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring Firewall Resource Management" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Restrictions for Configuring Firewall Resource Management
•Information About Configuring Firewall Resource Management
•How to Configure Firewall Resource Management
•Configuration Examples for Firewall Resource Management
•Additional References
•Feature Information for Configuring Firewall Resource Management
Restrictions for Configuring Firewall Resource Management
•If you reconfigure a global-level or VRF-level session limit to a value below the number of sessions that currently exist, no new sessions are added while the count remains above the new limit; existing sessions are not dropped.
Information About Configuring Firewall Resource Management
•Firewall Resource Management
•VRF-Aware Cisco IOS XE Firewall
•Firewall Sessions
Firewall Resource Management
Resource Management limits the level of usage of shared resources on a router. Shared resources on a router include:
•Bandwidth
•Connection states
•Memory usage (per table)
•Number of sessions or calls.
•Packets per second
•Ternary content addressable memory (TCAM) entries
The Firewall Resource Management feature extends zone-based firewall resource management from the class level to the VRF level and the global level. Class-level resource management protects firewall resources at the class level: parameters such as the maximum session limit, the session rate limit, and the incomplete session limit keep resources (for example, chunk memory) from being used up by a single class.
When VRFs share the same policy, session setup requests from one VRF can drive the total session count to the maximum limit. Once one VRF has consumed the maximum amount of resources on the router, the other VRFs are starved of sessions. The Firewall Resource Management feature lets you limit the number of firewall sessions per VRF.
At a global level, the Firewall Resource Management feature helps limit the usage of resources at the global routing domain by firewall sessions.
VRF-Aware Cisco IOS XE Firewall
VRF Aware Cisco IOS XE Firewall applies Cisco IOS XE Firewall functionality to VRF interfaces when the firewall is configured on a service provider (SP) or large enterprise edge router. SPs can provide managed services to small and medium business markets. For more information, see the "VRF-Aware Cisco IOS XE Firewalls" feature module.
Firewall Sessions
•Session Definition
•Session Rate
•Incomplete or Half-Opened Sessions
•Firewall Resource Management Sessions
Session Definition
At the VRF level, the Firewall Resource Management feature tracks the firewall session count for each VRF. At the global level, it tracks the total firewall session count of the global routing domain, not of the router as a whole. At both levels, the session count is the sum of the opened sessions, the half-open sessions, and the sessions in the imprecise firewall session database. A TCP session that has not yet reached the established state is called a half-open session.
A firewall has two session databases: the session database and the imprecise session database. The session database contains sessions keyed on the full 5-tuple (source IP address, destination IP address, source port, destination port, and protocol). A tuple is an ordered list of elements. The imprecise session database contains sessions keyed on fewer than five of these elements (for example, an IP address or a port number is not yet known).
The following rules apply to the configuration of session limit:
•The class-level session limit can exceed the global limit.
•The class-level session limit can exceed its associated VRF session maximum.
•The sum of the VRF limit, including the global context, can be greater than the hardcoded session limit.
Session Rate
The session rate is the rate at which sessions are established at any given time interval. You can define maximum and minimum session rate limits. When the session rate exceeds the maximum specified rate, the firewall starts rejecting new session setup requests.
From the resource management perspective, setting the maximum and minimum session rate limit helps protect Cisco Packet Processor (CPP) from being overwhelmed when numerous firewall session setup requests are received.
Incomplete or Half-Opened Sessions
Incomplete sessions are half-open sessions. Any resource used by an incomplete session is counted, and growth in the number of incomplete sessions is limited by setting the maximum session limit.
Firewall Resource Management Sessions
The following rules apply to the firewall resource management sessions:
•By default, there is no limit on the number of opened or half-open sessions.
•Opened and half-open sessions are limited by separate parameters and counted separately.
•The opened and half-open session counts include TCP, UDP, and Internet Control Message Protocol (ICMP) sessions.
•You can limit both the number and the rate of opened sessions.
•You can limit only the number of half-open sessions, not their rate.
How to Configure Firewall Resource Management
•Configuring Firewall Resource Management
Configuring Firewall Resource Management
Perform this task to configure Firewall Resource Management.
Note A global parameter map takes effect on the global routing domain and not at the router level.
SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type inspect-vrf vrf-pmap-name
4. session total number
5. tcp syn-flood limit number
6. exit
7. parameter-map type inspect global
8. vrf vrf-name inspect parameter-map-name
9. exit
10. parameter-map type inspect-vrf vrf-default
11. session total number
12. tcp syn-flood limit number
13. end
DETAILED STEPS
Step 1: enable
Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: parameter-map type inspect-vrf vrf-pmap-name
Router(config)# parameter-map type inspect-vrf vrf1-pmap
Purpose: Configures an inspect VRF-type parameter map and enters profile configuration mode.
Step 4: session total number
Router(config-profile)# session total 1000
Purpose: Configures the total number of sessions allowed for the VRFs bound to this parameter map.
Step 5: tcp syn-flood limit number
Router(config-profile)# tcp syn-flood limit 2000
Purpose: Limits the number of TCP half-open sessions that trigger synchronization (SYN) cookie processing for new SYN packets.
Step 6: exit
Router(config-profile)# exit
Purpose: Exits profile configuration mode and enters global configuration mode.
Step 7: parameter-map type inspect global
Router(config)# parameter-map type inspect global
Purpose: Configures a global parameter map and enters profile configuration mode.
Step 8: vrf vrf-name inspect parameter-map-name
Router(config-profile)# vrf vrf1 inspect vrf1-pmap
Purpose: Binds a VRF to the inspect VRF-type parameter map configured in Step 3. The parameter map name must match exactly; a binding to a name that does not exist leaves the VRF without its intended limit.
Step 9: exit
Router(config-profile)# exit
Purpose: Exits profile configuration mode and enters global configuration mode.
Step 10: parameter-map type inspect-vrf vrf-default
Router(config)# parameter-map type inspect-vrf vrf-default
Purpose: Configures the default inspect VRF-type parameter map.
Step 11: session total number
Router(config-profile)# session total 6000
Purpose: Configures the total number of sessions. •You can configure the session total command for an inspect VRF-type parameter map and for a global parameter map. When you configure it for an inspect VRF-type parameter map, the limit applies to the VRFs associated with that parameter map. When you configure it for the global parameter map, the limit applies to the global routing domain.
Step 12: tcp syn-flood limit number
Router(config-profile)# tcp syn-flood limit 7000
Purpose: Limits the number of TCP half-open sessions that trigger SYN cookie processing for new SYN packets.
Step 13: end
Router(config-profile)# end
Purpose: Exits profile configuration mode and enters privileged EXEC mode.
Configuration Examples for Firewall Resource Management
•Example: Configuring Firewall Resource Management
Example: Configuring Firewall Resource Management
The following example shows how to configure the Firewall Resource Management feature:
Router# configure terminal
Router(config)# parameter-map type inspect-vrf vrf1-pmap
Router(config-profile)# session total 1000
Router(config-profile)# tcp syn-flood limit 2000
Router(config-profile)# exit
Router(config)# parameter-map type inspect global
Router(config-profile)# vrf vrf1 inspect vrf1-pmap
Router(config-profile)# exit
Router(config)# parameter-map type inspect-vrf vrf-default
Router(config-profile)# session total 6000
Router(config-profile)# tcp syn-flood limit 7000
Router(config-profile)# end
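The configuration task above and the session-limit rules in the "Session Definition" and "Firewall Resource Management Sessions" sections leave a few mistakes that the CLI accepts silently: binding a VRF to a parameter map that was never defined, setting a tcp syn-flood limit higher than the session total of the same map (the session total counts half-open sessions, so the SYN cookie threshold can never be reached), and summing per-VRF limits past what the router can hold. The following script is an added example, not Cisco code and not part of the original page: it parses the parameter-map blocks from a running-config snippet and reports those conditions. The configuration text is constructed for the example, the platform-wide session ceiling is an assumed figure, and the treatment of vrf-default as the catch-all for VRFs without an explicit binding is an assumption about that map's semantics.

```python
"""Lint Cisco IOS XE firewall resource-management parameter maps (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample running-config. It has the shape of the page's example, but
# vrf1 is bound to a map that is never defined, a second VRF map and a global
# session total are added, and vrf-default keeps the page's 6000/7000 values.
SAMPLE_CONFIG = """\
parameter-map type inspect-vrf vrf1-pmap
 session total 1000
 tcp syn-flood limit 2000
parameter-map type inspect-vrf vrf2-pmap
 session total 3000
 tcp syn-flood limit 500
parameter-map type inspect global
 session total 4000
 vrf vrf1 inspect pmap1
 vrf vrf2 inspect vrf2-pmap
parameter-map type inspect-vrf vrf-default
 session total 6000
 tcp syn-flood limit 7000
"""

# Hypothetical router-wide ("hardcoded") session ceiling; not a value from the page.
ASSUMED_PLATFORM_MAX_SESSIONS = 10000


@dataclass
class ParamMap:
    name: str
    session_total: int | None = None
    syn_flood_limit: int | None = None
    vrf_bindings: dict[str, str] = field(default_factory=dict)  # vrf -> map name


def parse_parameter_maps(config: str) -> tuple[dict[str, ParamMap], ParamMap | None]:
    """Return ({inspect-vrf map name: ParamMap}, the global parameter map or None)."""
    vrf_maps: dict[str, ParamMap] = {}
    global_map: ParamMap | None = None
    current: ParamMap | None = None
    for line in config.splitlines():
        if m := re.match(r"parameter-map type inspect-vrf (\S+)$", line):
            current = vrf_maps.setdefault(m.group(1), ParamMap(m.group(1)))
        elif line.strip() == "parameter-map type inspect global":
            global_map = current = global_map or ParamMap("global")
        elif line.startswith(" ") and current is not None:
            body = line.strip()
            if m := re.match(r"session total (\d+)$", body):
                current.session_total = int(m.group(1))
            elif m := re.match(r"tcp syn-flood limit (\d+)$", body):
                current.syn_flood_limit = int(m.group(1))
            elif m := re.match(r"vrf (\S+) inspect (\S+)$", body):
                current.vrf_bindings[m.group(1)] = m.group(2)
        else:
            current = None  # any other top-level command ends the block
    return vrf_maps, global_map


def lint(config: str, platform_max: int = ASSUMED_PLATFORM_MAX_SESSIONS) -> list[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    vrf_maps, global_map = parse_parameter_maps(config)
    findings: list[str] = []
    bindings = global_map.vrf_bindings if global_map else {}

    # 1. A binding to an undefined map leaves the VRF without its intended limit.
    for vrf, target in bindings.items():
        if target not in vrf_maps:
            findings.append(f"vrf {vrf}: bound to undefined inspect-vrf map '{target}'")

    # 2. Assumed semantics: vrf-default covers VRFs with no explicit binding.
    if "vrf-default" not in vrf_maps:
        findings.append("no vrf-default map: unbound VRFs get no per-VRF ceiling")

    # 3. The session total counts half-open sessions, so a syn-flood limit at or
    #    above it can never be reached and SYN cookie processing never engages.
    for pm in list(vrf_maps.values()) + ([global_map] if global_map else []):
        if pm.session_total is None:
            findings.append(f"{pm.name}: no 'session total', sessions unbounded")
        elif pm.syn_flood_limit is not None and pm.syn_flood_limit >= pm.session_total:
            findings.append(f"{pm.name}: syn-flood limit {pm.syn_flood_limit} "
                            f">= session total {pm.session_total}, never reached")

    # 4. Oversubscription of the router-wide ceiling by explicitly bound VRFs plus
    #    the global domain (vrf-default is excluded: its VRF count is unknown).
    limits = {vrf: vrf_maps[t].session_total for vrf, t in bindings.items()
              if t in vrf_maps and vrf_maps[t].session_total}
    if global_map and global_map.session_total:
        limits["global"] = global_map.session_total
    for name, limit in limits.items():
        if limit >= platform_max:
            findings.append(f"{name}: limit {limit} alone can exhaust the {platform_max}-session table")
    total = sum(limits.values())
    if total > platform_max:
        findings.append(f"sum of limits {total} oversubscribes {platform_max} by {total / platform_max:.2f}x")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script reports the undefined `pmap1` binding and the two maps whose syn-flood limit exceeds their session total (including the page's own 6000/7000 pair for vrf-default); lowering the assumed platform ceiling to 5000 additionally reports that the bound VRF limits plus the global limit oversubscribe it. Feed it a real `show running-config | section parameter-map` output with the actual ceiling of your platform to get meaningful numbers for rule 4.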
Additional References
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
Technical Assistance
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
http://www.cisco.com/cisco/web/support/index.html
Feature Information for Configuring Firewall Resource Management
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Configuring Firewall Resource Management
Feature Name: Firewall Resource Management
Releases: Cisco IOS XE Release 3.3S
Feature Information: The Firewall Resource Management feature limits the number of firewall sessions that can be established per VPN routing and forwarding (VRF) instance and in the global routing domain on a router. The following commands were introduced or modified: parameter-map type inspect-vrf.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2011 Cisco Systems, Inc. All rights reserved.