Cisco Security Appliance Command Line Configuration Guide, Version 7.2
Adding and Managing Security Contexts
Downloads: This chapterpdf (PDF - 536.0KB) The complete bookPDF (PDF - 13.04MB) | Feedback

Adding and Managing Security Contexts

Table Of Contents

Adding and Managing Security Contexts

Configuring Resource Management

Classes and Class Members Overview

Resource Limits

Default Class

Class Members

Configuring a Class

Configuring a Security Context

Automatically Assigning MAC Addresses to Context Interfaces

Changing Between Contexts and the System Execution Space

Managing Security Contexts

Removing a Security Context

Changing the Admin Context

Changing the Security Context URL

Reloading a Security Context

Reloading by Clearing the Configuration

Reloading by Removing and Re-adding the Context

Monitoring Security Contexts

Viewing Context Information

Viewing Resource Allocation

Viewing Resource Usage

Monitoring SYN Attacks in Contexts


Adding and Managing Security Contexts


This chapter describes how to configure multiple security contexts on the security appliance, and includes the following sections:

Configuring Resource Management

Configuring a Security Context

Automatically Assigning MAC Addresses to Context Interfaces

Changing Between Contexts and the System Execution Space

Managing Security Contexts

For information about how contexts work and how to enable multiple context mode, see Chapter 3, "Enabling Multiple Context Mode."

Configuring Resource Management

By default, all security contexts have unlimited access to the resources of the security appliance, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context.

This section includes the following topics:

Classes and Class Members Overview

Configuring a Class

Classes and Class Members Overview

The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics:

Resource Limits

Default Class

Class Members

Resource Limits

When you create a class, the security appliance does not set aside a portion of the resources for each context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can "use up" those resources, potentially affecting service to other contexts.

You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an absolute value.

You can oversubscribe the security appliance by assigning more than 100 percent of a resource across all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-1.)

Figure 6-1 Resource Oversubscription

If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the security appliance, then the performance of the security appliance might be impaired.

The security appliance lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available or that is practically available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to connections. The contexts in the Gold Class can use more than the 97 percent of "unassigned" connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system.

Figure 6-2 Unlimited Resources

Default Class

All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a limit for all resources, the class uses no settings from the default class.

By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

Telnet sessions—5 sessions.

SSH sessions—5 sessions.

IPSec sessions—5 sessions.

MAC addresses—65,535 entries.

Figure 6-3 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.

Figure 6-3 Resource Classes

Class Members

To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default. You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.

Configuring a Class

To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value.


Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space:

hostname(config)# class name

The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.

Step 2 To set the resource limits, see the following options:

To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command:

hostname(config-resmgmt)# limit-resource all 0

For example, you might want to create a class that includes the admin context that has no limitations. The default class has all resources set to unlimited by default.

To set a particular resource limit, enter the following command:

hostname(config-resmgmt)# limit-resource [rate] resource_name number[%]

For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set the rate per second for certain resources. For resources that do not have a system limit, you cannot set the percentage (%) between 1 and 100; you can only set an absolute value. See Table 6-1 for resources for which you can set the rate per second and which to not have a system limit.

Table 6-1 lists the resource types and the limits. See also the show resource types command.

Table 6-1 Resource Names and Limits 

Resource Name
Rate or Concurrent
Minimum and Maximum Number per Context
System Limit 1
Description

mac-addresses

Concurrent

N/A

65,535

For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.

conns

Concurrent or Rate

N/A

Concurrent connections: See the "Supported Platforms and Feature Licenses" section on page A-1 for the connection limit for your platform.

Rate: N/A

TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.

inspects

Rate

N/A

N/A

Application inspections.

hosts

Concurrent

N/A

N/A

Hosts that can connect through the security appliance.

asdm

Concurrent

1 minimum

5 maximum

32

ASDM management sessions.

Note ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.

ssh

Concurrent

1 minimum

5 maximum

100

SSH sessions.

syslogs

Rate

N/A

N/A

System log messages.

telnet

Concurrent

1 minimum

5 maximum

100

Telnet sessions.

xlates

Concurrent

N/A

N/A

Address translations.

1 If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.



For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:

hostname(config)# class default
hostname(config-class)# limit-resource conns 10%

All other resources remain at unlimited.

To add a class called gold, enter the following commands:

hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource rate inspects 500
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000

Configuring a Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, and interfaces that a context can use.


Note If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command:

hostname(config)# admin-context name

Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the specified name to continue the admin context configuration.


To add or change a context in the system configuration, perform the following steps:


Step 1 To add or modify a context, enter the following command in the system execution space:

hostname(config)# context name

The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named "customerA" and "CustomerA," for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen.

"System" or "Null" (in upper or lower case letters) are reserved names, and cannot be used.

Step 2 (Optional) To add a description for this context, enter the following command:

hostname(config-ctx)# description text

Step 3 To specify the interfaces you can use in the context, enter the command appropriate for a physical interface or for one or more subinterfaces.

To allocate a physical interface, enter the following command:

hostname(config-ctx)# allocate-interface physical_interface [map_name] 
[visible | invisible]

To allocate one or more subinterfaces, enter the following command:

hostname(config-ctx)# allocate-interface 
physical_interface.subinterface[-physical_interface.subinterface] 
[map_name[-map_name]] [visible | invisible]

You can enter these commands multiple times to specify different ranges. If you remove an allocation with the no form of this command, then any context commands that include this interface are removed from the running configuration.

Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic.


Note The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table.


You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context.

A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:

int0

inta

int_0

For subinterfaces, you can specify a range of mapped names.

If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:

The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range:

int0-int10

If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails.

The numeric portion of the mapped name must include the same quantity of numbers as the subinterface range. For example, both ranges include 100 interfaces:

gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100

If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails.

Specify visible to see physical interface properties in the show interface command even if you set a mapped name. The default invisible keyword specifies to only show the mapped name.

The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8.

hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 
int3-int8

Step 4 To identify the URL from which the system downloads the context configuration, enter the following command:

hostname(config-ctx)# config-url url

When you add a context URL, the system immediately loads the context so that it is running, if the configuration is available.


Note Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.


See the following URL syntax:

disk:/[path/]filename

This URL indicates the internal Flash memory. The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:

WARNING: Could not fetch the URL disk:/url
INFO: Creating context with default config

You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to Flash memory.


Note The admin context file must be stored on the internal Flash memory.


ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx]

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:

WARNING: Could not fetch the URL ftp://url
INFO: Creating context with default config

You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the FTP server.

http[s]://[user[:password]@]server[:port]/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:

WARNING: Could not fetch the URL http://url
INFO: Creating context with default config

If you change to the context and configure the context at the CLI, you cannot save changes back to HTTP or HTTPS servers using the write memory command. You can, however, use the copy tftp command to copy the running configuration to a TFTP server.

tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name]

The server must be accessible from the admin context. Specify the interface name if you want to override the route to the server address. The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:

WARNING: Could not fetch the URL tftp://url
INFO: Creating context with default config

You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the TFTP server.

To change the URL, reenter the config-url command with a new URL.

See the "Changing the Security Context URL" section for more information about changing the URL.

For example, enter the following command:

hostname(config-ctx)# config-url ftp://joe:passw0rd1@10.1.1.1/configlets/test.cfg

Step 5 (Optional) To assign the context to a resource class, enter the following command:

hostname(config-ctx)# member class_name

If you do not specify a class, the context belongs to the default class. You can only assign a context to one resource class.

For example, to assign the context to the gold class, enter the following command:

hostname(config-ctx)# member gold

Step 6 To view context information, see the show context command in the Cisco Security Appliance Command Reference.


The following example sets the admin context to be "administrator," creates a context called "administrator" on the internal Flash memory, and then adds two contexts from an FTP server:

hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url flash:/admin.cfg

hostname(config-ctx)# context test
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 
int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
hostname(config-ctx)# member gold


hostname(config-ctx)# context sample
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 
int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
hostname(config-ctx)# member silver


Automatically Assigning MAC Addresses to Context Interfaces

To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the "How the Security Appliance Classifies Packets" section on page 3-3 for information about classifying packets.

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

You can automatically assign private MAC addresses to each shared context interface by entering the following command in the system configuration:

hostname(config)# mac-address auto

For use with failover, the security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption.

When you assign an interface to a context, the new MAC address is generated immediately. If you enable this command after you create context interfaces, then MAC addresses are generated for all interfaces immediately after you enter the command. If you use the no mac-address auto command, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.

The MAC address is generated using the following format:

Active unit MAC address: 12_slot.port_subid.contextid.

Standby unit MAC address: 02_slot.port_subid.contextid.

For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context, viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31:

Active: 1200.0131.0001

Standby: 0200.0131.0001

In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the "Configuring the Interface" section on page 7-2 to manually set the MAC address.

Changing Between Contexts and the System Execution Space

If you log in to the system execution space (or the admin context using Telnet or SSH), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays.

To change between the system execution space and a context, or between contexts, see the following commands:

To change to a context, enter the following command:

hostname# changeto context name

The prompt changes to the following:

hostname/name#

To change to the system execution space, enter the following command:

hostname/admin# changeto system

The prompt changes to the following:

hostname#

Managing Security Contexts

This section describes how to manage security contexts, and includes the following topics:

Removing a Security Context

Changing the Admin Context

Changing the Security Context URL

Reloading a Security Context

Monitoring Security Contexts

Removing a Security Context

You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts using the clear context command.


Note If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit. You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored.


Use the following commands for removing contexts:

To remove a single context, enter the following command in the system execution space:

hostname(config)# no context name

All context commands are also removed.

To remove all contexts (including the admin context), enter the following command in the system execution space:

hostname(config)# clear context

Changing the Admin Context

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users.

You can set any context to be the admin context, as long as the configuration file is stored in the internal Flash memory. To set the admin context, enter the following command in the system execution space:

hostname(config)# admin-context context_name

Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin context are terminated. You must reconnect to the new admin context.


Note A few system commands, including ntp server, identify an interface name that belongs to the admin context. If you change the admin context, and that interface name does not exist in the new admin context, be sure to update any system commands that refer to the interface.


Changing the Security Context URL

You cannot change the security context URL without reloading the configuration from the new URL.

The security appliance merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.

To change the URL for a context, perform the following steps:


Step 1 If you do not want to merge the configuration, change to the context and clear its configuration by entering the following commands. If you want to perform a merge, skip to Step 2.

hostname# changeto context name
hostname/name# configure terminal
hostname/name(config)# clear configure all

Step 2 If required, change to the system execution space by entering the following command:

hostname/name(config)# changeto system

Step 3 To enter the context configuration mode for the context you want to change, enter the following command:

hostname(config)# context name

Step 4 To enter the new URL, enter the following command:

hostname(config)# config-url new_url

The system immediately loads the context so that it is running.


Reloading a Security Context

You can reload the context in two ways:

Clear the running configuration and then import the startup configuration.

This action clears most attributes associated with the context, such as connections and NAT tables.

Remove the context from the system configuration.

This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL and interfaces.

This section includes the following topics:

Reloading by Clearing the Configuration

Reloading by Removing and Re-adding the Context

Reloading by Clearing the Configuration

To reload the context by clearing the context configuration, and reloading the configuration from the URL, perform the following steps:


Step 1 To change to the context that you want to reload, enter the following command:

hostname# changeto context name

Step 2 To access configuration mode, enter the following command:

hostname/name# configure terminal

Step 3 To clear the running configuration, enter the following command:

hostname/name(config)# clear configure all

This command clears all connections.

Step 4 To reload the configuration, enter the following command:

hostname/name(config)# copy startup-config running-config

The security appliance copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.


Reloading by Removing and Re-adding the Context

To reload the context by removing the context and then re-adding it, perform the steps in the following sections:

1. "Automatically Assigning MAC Addresses to Context Interfaces" section

2. "Configuring a Security Context" section

Monitoring Security Contexts

This section describes how to view and monitor context information, and includes the following topics:

Viewing Context Information

Viewing Resource Allocation

Viewing Resource Usage

Monitoring SYN Attacks in Contexts

Viewing Context Information

From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL.

From the system execution space, view all contexts by entering the following command:

hostname# show context [name | detailcount]

The detail option shows additional information. See the following sample displays below for more information.

If you want to show information for a particular context, specify the name.

The count option shows the total number of contexts.

The following is sample output from the show context command. The following sample display shows three contexts:

hostname# show context

Context Name      Interfaces                    URL
*admin            GigabitEthernet0/1.100        disk0:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200        disk0:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300        disk0:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3

Table 6-2 shows each field description.

Table 6-2 show context Fields

Field
Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Interfaces

The interfaces assigned to the context.

URL

The URL from which the security appliance loads the context configuration.


The following is sample output from the show context detail command:

hostname# show context detail

Context "admin", has been created, but initial ACL rules not complete
  Config URL: disk0:/admin.cfg
  Real Interfaces: Management0/0
  Mapped Interfaces: Management0/0
  Flags: 0x00000013, ID: 1

Context "ctx", has been created, but initial ACL rules not complete
  Config URL: ctx.cfg
  Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
     GigabitEthernet0/2.30
  Mapped Interfaces: int1, int2, int3
  Flags: 0x00000011, ID: 2

Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Control0/0, GigabitEthernet0/0,
     GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
     GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
     GigabitEthernet0/3, Management0/0, Management0/0.1
  Flags: 0x00000019, ID: 257

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Flags: 0x00000009, ID: 258

See the Cisco Security Appliance Command Reference for more information about the detail output.

The following is sample output from the show context count command:

hostname# show context count
Total active contexts: 2

Viewing Resource Allocation

From the system execution space, you can view the allocation for each resource across all classes and class members.

To view the resource allocation, enter the following command:

hostname# show resource allocation [detail]

This command shows the resource allocation, but does not show the actual resources being used. See the "Viewing Resource Usage" section for more information about actual resource usage.

The detail argument shows additional information. See the following sample displays for more information.

The following sample display shows the total allocation of each resource as an absolute value and as a percentage of the available system resources:

hostname# show resource allocation
Resource                    Total       % of Avail
 Conns [rate]               35000           N/A
 Inspects [rate]              35000           N/A
 Syslogs [rate]             10500           N/A
 Conns                     305000           30.50%
 Hosts                      78842           N/A
 SSH                           35           35.00%
 Telnet                        35           35.00%
 Xlates                     91749           N/A
 All                    unlimited 

Table 6-3 shows each field description.

Table 6-3 show resource allocation Fields

Field
Description

Resource

The name of the resource that you can limit.

Total

The total amount of the resource that is allocated across all contexts. The amount is an absolute number of concurrent instances or instances per second. If you specified a percentage in the class definition, the security appliance converts the percentage to an absolute number for this display.

% of Avail

The percentage of the total system resources that is allocated across all contexts, if the resource has a hard system limit. If a resource does not have a system limit, this column shows N/A.


The following is sample output from the show resource allocation detail command:

hostname# show resource allocation detail
Resource Origin:
    A    Value was derived from the resource 'all'
    C    Value set in the definition of this class
    D    Value set in default class
Resource         Class          Mmbrs  Origin      Limit      Total    Total %
Conns [rate]     default          all      CA  unlimited                     
                 gold               1       C      34000      34000     N/A
                 silver             1      CA      17000      17000     N/A
                 bronze             0      CA       8500                     
                 All Contexts:      3                         51000     N/A

Inspects [rate]  default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      10000      10000     N/A
                 bronze             0      CA       5000                     
                 All Contexts:      3                         10000     N/A

Syslogs [rate]   default          all      CA  unlimited                     
                 gold               1       C       6000       6000     N/A
                 silver             1      CA       3000       3000     N/A
                 bronze             0      CA       1500                     
                 All Contexts:      3                          9000     N/A

Conns            default          all      CA  unlimited                     
                 gold               1       C     200000     200000     20.00%
                 silver             1      CA     100000     100000     10.00%
                 bronze             0      CA      50000                     
                 All Contexts:      3                        300000     30.00%

Hosts            default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      26214      26214      N/A
                 bronze             0      CA      13107                     
                 All Contexts:      3                         26214      N/A

SSH              default          all       C          5                     
                 gold               1       D          5          5      5.00%
                 silver             1      CA         10         10     10.00%
                 bronze             0      CA          5                     
                 All Contexts:      3                            20     20.00%

Telnet           default          all       C          5                     
                 gold               1       D          5          5      5.00%
                 silver             1      CA         10         10     10.00%
                 bronze             0      CA          5                     
                 All Contexts:      3                            20     20.00%

Xlates           default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      23040      23040     N/A
                 bronze             0      CA      11520                     
                 All Contexts:      3                         23040     N/A

mac-addresses    default          all       C      65535                     
                 gold               1       D      65535      65535    100.00%
                 silver             1      CA       6553       6553      9.99%
                 bronze             0      CA       3276                     
                 All Contexts:      3                        137623    209.99%

Table 6-4 shows each field description.

Table 6-4 show resource allocation detail Fields

Field
Description

Resource

The name of the resource that you can limit.

Class

The name of each class, including the default class.

The All contexts field shows the total values across all classes.

Mmbrs

The number of contexts assigned to each class.

Origin

The origin of the resource limit, as follows:

A—You set this limit with the all option, instead of as an individual resource.

C—This limit is derived from the member class.

D—This limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be "C" instead of "D."

The security appliance can combine "A" with "C" or "D."

Limit

The limit of the resource per context, as an absolute number. If you specified a percentage in the class definition, the security appliance converts the percentage to an absolute number for this display.

Total

The total amount of the resource that is allocated across all contexts in the class. The amount is an absolute number of concurrent instances or instances per second. If the resource is unlimited, this display is blank.

% of Avail

The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A.


Viewing Resource Usage

From the system execution space, you can view the resource usage for each context and display the system resource usage.

From the system execution space, view the resource usage for each context by entering the following command:

hostname# show resource usage [context context_name | top n | all | summary | system] 
[resource {resource_name | all} | detail] [counter counter_name [count_threshold]]

By default, all context usage is displayed; each context is listed separately.

Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option.

The summary option shows all context usage combined.

The system option shows all context usage combined, but shows the system limits for resources instead of the combined context limits.

For the resource resource_name, see Table 6-1 for available resource names. See also the show resource type command. Specify all (the default) for all types.

The detail option shows the resource usage of all resources, including those you cannot manage. For example, you can view the number of TCP intercepts.

The counter counter_name is one of the following keywords:

current—Shows the active concurrent instances or the current rate of the resource.

denied—Shows the number of instances that were denied because they exceeded the resource limit shown in the Limit column.

peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

all—(Default) Shows all statistics.

The count_threshold sets the number above which resources are shown. The default is 1. If the usage of the resource is below the number you set, then the resource is not shown. If you specify all for the counter name, then the count_threshold applies to the current usage.


Note To show all resources, set the count_threshold to 0.


The following is sample output from the show resource usage context command, which shows the resource usage for the admin context:

hostname# show resource usage context admin

Resource              Current         Peak      Limit    Denied  Context
Telnet                      1            1          5         0  admin
Conns                      44           55        N/A         0  admin
Hosts                      45           56        N/A         0  admin

The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.

hostname# show resource usage summary

Resource              Current         Peak      Limit     Denied Context
Syslogs [rate]           1743         2132      N/A            0 Summary
Conns                     584          763      280000(S)      0 Summary
Xlates                   8526         8966      N/A            0 Summary
Hosts                     254          254      N/A            0 Summary
Conns [rate]              270          535      N/A         1704 Summary
Inspects [rate]           270          535      N/A            0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage summary command, which shows the limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, then the combined limit is 125. The system limit is only 100, so the system limit is shown.

hostname# show resource usage summary

Resource              Current         Peak      Limit    Denied   Context
Telnet                      1            1        100[S]      0   Summary
SSH                         2            2        100[S]      0   Summary
Conns                      56           90        N/A         0   Summary
Hosts                      89          102        N/A         0   Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage system command, which shows the resource usage for all contexts, but it shows the system limit instead of the combined context limits. The counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate how many times the resource was denied due to the system limit, if available.

hostname# show resource usage system counter all 0

Resource              Current         Peak      Limit        Denied    Context
Telnet                      0            0        100             0    System
SSH                         0            0        100             0    System
ASDM                        0            0         32             0    System
Syslogs [rate]              1           18        N/A             0    System
Conns                       0            1     280000             0    System
Xlates                      0            0        N/A             0    System
Hosts                       0            2        N/A             0    System
Conns [rate]                1            1        N/A             0    System
Inspects [rate]             0            0        N/A             0    System

Monitoring SYN Attacks in Contexts

The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold of a connection is crossed, the security appliance acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the security appliance receives an ACK back from the client, it can then authenticate the client and allow the connection to the server.

You can monitor the rate of attacks for individual contexts using the show perfmon command; you can monitor the amount of resources being used by TCP intercept for individual contexts using the show resource usage detail command; you can monitor the resources being used by TCP intercept for the entire system using the show resource usage summary detail command.

The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin.

hostname/admin# show perfmon
 
Context:admin
PERFMON STATS:   Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
WebSns Req           0/s          0/s
TCP Fixup            0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
TCP Intercept    322779/s      322779/s

The following is sample output from the show resource usage detail command that shows the amount of resources being used by TCP Intercept for individual contexts. (Sample text in italics shows the TCP intercept information.)

hostname(config)# show resource usage detail        
Resource              Current         Peak      Limit        Denied Context
memory                 843732       847288  unlimited             0 admin
chunk:channels             14           15  unlimited             0 admin
chunk:fixup                15           15  unlimited             0 admin
chunk:hole                  1            1  unlimited             0 admin
chunk:ip-users             10           10  unlimited             0 admin
chunk:list-elem            21           21  unlimited             0 admin
chunk:list-hdr              3            4  unlimited             0 admin
chunk:route                 2            2  unlimited             0 admin
chunk:static                1            1  unlimited             0 admin
tcp-intercepts         328787       803610  unlimited             0 admin
np-statics                  3            3  unlimited             0 admin
statics                     1            1  unlimited             0 admin
ace-rules                   1            1  unlimited             0 admin
console-access-rul          2            2  unlimited             0 admin
fixup-rules                14           15  unlimited             0 admin
memory                 959872       960000  unlimited             0 c1
chunk:channels             15           16  unlimited             0 c1
chunk:dbgtrace              1            1  unlimited             0 c1
chunk:fixup                15           15  unlimited             0 c1
chunk:global                1            1  unlimited             0 c1
chunk:hole                  2            2  unlimited             0 c1
chunk:ip-users             10           10  unlimited             0 c1
chunk:udp-ctrl-blk          1            1  unlimited             0 c1
chunk:list-elem            24           24  unlimited             0 c1
chunk:list-hdr              5            6  unlimited             0 c1
chunk:nat                   1            1  unlimited             0 c1
chunk:route                 2            2  unlimited             0 c1
chunk:static                1            1  unlimited             0 c1
tcp-intercept-rate      16056        16254  unlimited             0 c1
globals                     1            1  unlimited             0 c1
np-statics                  3            3  unlimited             0 c1
statics                     1            1  unlimited             0 c1
nats                        1            1  unlimited             0 c1
ace-rules                   2            2  unlimited             0 c1
console-access-rul          2            2  unlimited             0 c1
fixup-rules                14           15  unlimited             0 c1
memory              232695716    232020648  unlimited             0 system
chunk:channels             17           20  unlimited             0 system
chunk:dbgtrace              3            3  unlimited             0 system
chunk:fixup                15           15  unlimited             0 system
chunk:ip-users              4            4  unlimited             0 system
chunk:list-elem          1014         1014  unlimited             0 system
chunk:list-hdr              1            1  unlimited             0 system
chunk:route                 1            1  unlimited             0 system
block:16384               510          885  unlimited             0 system
block:2048                 32           34  unlimited             0 system

The following sample output shows the resources being used by TCP intercept for the entire system. (Sample text in italics shows the TCP intercept information.)

hostname(config)# show resource usage summary detail
Resource              Current         Peak      Limit        Denied Context
memory              238421312    238434336  unlimited             0 Summary
chunk:channels             46           48  unlimited             0 Summary
chunk:dbgtrace              4            4  unlimited             0 Summary
chunk:fixup                45           45  unlimited             0 Summary
chunk:global                1            1  unlimited             0 Summary
chunk:hole                  3            3  unlimited             0 Summary
chunk:ip-users             24           24  unlimited             0 Summary
chunk:udp-ctrl-blk          1            1  unlimited             0 Summary
chunk:list-elem          1059         1059  unlimited             0 Summary
chunk:list-hdr             10           11  unlimited             0 Summary
chunk:nat                   1            1  unlimited             0 Summary
chunk:route                 5            5  unlimited             0 Summary
chunk:static                2            2  unlimited             0 Summary
block:16384               510          885  unlimited             0 Summary
block:2048                 32           35  unlimited             0 Summary
tcp-intercept-rate     341306       811579  unlimited             0 Summary
globals                     1            1  unlimited             0 Summary
np-statics                  6            6  unlimited             0 Summary
statics                     2            2        N/A             0 Summary
nats                        1            1        N/A             0 Summary
ace-rules                   3            3        N/A             0 Summary
console-access-rul          4            4        N/A             0 Summary
fixup-rules                43           44        N/A             0 Summary