Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.7
Configuring TCP/IP Normalization and IP Reassembly Parameters on the Virtual Firewall


Configuring TCP/IP Normalization and IP Reassembly Parameters on the Virtual Firewall


This module describes how to configure TCP/IP normalization and termination parameters to protect your Cisco IOS XR software and the data center from attacks. It also describes IP fragmentation and reassembly parameters.

Feature History for Configuring TCP/IP Normalization and IP Reassembly Parameters on the VFW Application

Release 3.5.0: This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0: No modification.

Release 3.7.0: No modification.


Contents

Information About TCP Normalization

Information About IP Normalization

How to Configure TCP/IP Normalization and Reassembly Parameters

Additional References

Information About TCP Normalization

This section provides an overview of TCP normalization. The VFW application uses this feature to protect itself and the data center from a variety of network-based attacks.

TCP normalization is a Layer 4 feature that consists of a series of checks that the VFW application performs at various stages of a flow, from initial connection setup to the closing of a connection. You can control many of the segment checks by configuring one or more advanced TCP connection settings. The VFW application uses these TCP connection settings to decide which checks to perform and whether to discard a TCP segment based on the results of the checks. The VFW application discards segments that appear to be abnormal or malformed.

This feature checks for segments that have invalid or suspect conditions (for example, a SYN sent to the client from the server or a SYNACK sent to the server from the client) and takes appropriate actions based on the configured parameter settings. The VFW application uses TCP normalization to block certain types of network attacks (for example, insertion attacks and evasion attacks). Insertion attacks devise a scheme so that the inspection module accepts a packet that the end system rejects. Evasion attacks devise a scheme such that the inspection module rejects a packet while the end system accepts it.

The VFW application always discards segments when the following conditions exist:

Bad segment checksum

Bad TCP header or payload length

Suspect TCP flags (for example, NULL, SYN/FIN, or FIN/URG)
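As an added illustration (not code from the Cisco page or from the VFW application), the following Python applies the three always-on discard conditions listed above to a raw TCP segment: it validates the checksum against the IPv4 pseudo-header, sanity-checks the header length against the bytes present, and rejects the NULL, SYN/FIN and FIN/URG flag combinations. The endpoints, ports and payloads are constructed sample values.

```python
import struct

# Constructed sample endpoints (not from the Cisco page); 172.27.16.7 is the
# destination address used in the page's class-map example.
SRC = bytes([10, 1, 1, 1])
DST = bytes([172, 27, 16, 7])

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_segment(sport: int, dport: int, flags: int, payload: bytes = b"",
                  corrupt: bool = False) -> bytes:
    """Build a minimal 20-byte TCP header plus payload with a valid (or deliberately wrong) checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(SRC, DST, hdr + payload)
    if corrupt:
        csum = (csum + 1) & 0xFFFF  # simulate damage on the wire
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def normalize(segment: bytes, src: bytes = SRC, dst: bytes = DST):
    """Return None if the segment passes, otherwise the reason it would be discarded."""
    if len(segment) < 20:
        return "bad TCP header length"
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return "bad TCP header or payload length"
    # A segment with a valid checksum sums to zero once the checksum field is included.
    if tcp_checksum(src, dst, segment) != 0:
        return "bad segment checksum"
    flags = segment[13]
    if flags == 0:
        return "suspect TCP flags: NULL"
    if flags & TCP_SYN and flags & TCP_FIN:
        return "suspect TCP flags: SYN/FIN"
    if flags & TCP_FIN and flags & TCP_URG:
        return "suspect TCP flags: FIN/URG"
    return None


if __name__ == "__main__":
    for name, seg in [("syn", build_segment(40000, 21, TCP_SYN)),
                      ("syn/fin", build_segment(40000, 21, TCP_SYN | TCP_FIN)),
                      ("bad csum", build_segment(40000, 21, TCP_ACK, b"USER anon\r\n", corrupt=True))]:
        print(name, "->", normalize(seg) or "pass")
```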

To configure TCP normalization, you assemble various TCP commands into a parameter map. After you create the connection parameter map, you associate it with a multimatch policy map, and activate the traffic policy globally across all interfaces in the context using a service policy.

Information About IP Normalization

The VFW application uses IP normalization to protect itself and the data center from a variety of attacks. IP normalization is to Layer 3 what TCP normalization is to Layer 4.

In general, IP normalization performs a series of checks on IP packets, including:

General security checks

ICMP security checks

Fragmentation security checks

IP fragment reassembly

IP fragmentation if a packet exceeds the outbound maximum transmission unit (MTU)

If a packet fails one of these checks, the VFW application takes appropriate action (including discarding a packet) depending on the IP parameters that you configure.

To configure the type of service (ToS) for IP traffic, use the set ip tos command in a connection parameter map.

To configure interface-related IP normalization parameters, refer to the "TCP/IP Normalization and IP Reassembly Parameters Commands" module in Cisco IOS XR Virtual Firewall Command Reference.

How to Configure TCP/IP Normalization and Reassembly Parameters

Configuring TCP/IP Normalization and Termination

Configuring IP Fragment Reassembly Parameters

Displaying Configurations and Statistics for TCP/IP and UDP Connections and IP Reassembly

Clearing Connections and Statistics

Configuring TCP/IP Normalization and Termination

This task provides the steps required to configure TCP Normalization.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. changeto context_name

2. configure

3. parameter-map type connection map_name

4. set timeout inactivity [seconds]

5. set ip tos number

6. exit

7. class-map match-any map_name

8. [line_number] match destination-address ip_address
[line_number] match port tcp eq port_number

9. exit

10. policy-map multi-match map_name

11. class map_name

12. exit

13. exit

14. interface interface_name

15. service-policy input policy_name

16. ip ttl minimum number

17. ip options clear

18. ip df allow

19. end

20. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

changeto context_name

Example:

firewall/Admin# changeto C1

firewall/C1#

Logs into the correct context. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context.

Note For details on creating contexts, see Configuring Virtualization on the Virtual Firewall.

Step 2 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 3 

parameter-map type connection map_name

Example:
firewall/C1(config)# parameter-map type connection TCPIP_PARAM_MAP
firewall/C1(config-parammap-conn)#

Creates a connection parameter map to group together TCP/IP normalization and termination parameters.

Step 4 

set timeout inactivity [seconds]

Example:
firewall/C1(config-parammap-conn)# set timeout inactivity 2400

Configures the TCP/IP normalization inactivity timer. The seconds argument specifies the time period after which the VFW application disconnects idle established connections, and can be an integer from 0 to 4294967294 seconds. The defaults are:

ICMP—2 seconds

TCP—3600 seconds (1 hour)

UDP—120 seconds (2 minutes)

A value of 0 specifies that the VFW application never times out a TCP connection. The VFW application rounds up the value you enter to the nearest 30-second interval.

Step 5 

set ip tos number

Example:
firewall/C1(config-parammap-conn)# set ip tos 20

Configures the type of service (TOS) for packets in a particular traffic class. The number argument can be an integer from 0 to 255.

Step 6 

exit

Example:

firewall/C1(config-parammap-conn)# exit

firewall/C1(config)#

Exits TCP/IP normalization configuration mode.

Step 7 

class-map match-any map_name

Example:
firewall/C1(config)# class-map match-all TCP_CLASS

firewall/C1(config-cmap)#

Creates a Layer 3 and Layer 4 class map to classify network traffic passing through the VFW application.

Step 8 

[line_number] match destination-address ip_address

[line_number] match port tcp eq port_number

Example:
firewall/C1(config-cmap)# match destination-address 172.27.16.7
firewall/C1(config-cmap)# match port tcp eq 21

Specifies one or more match commands as part of the Layer 3 and Layer 4 class map. Refer to the "Class Map Commands on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Command Reference for more information on available match commands.

Step 9 

exit

Example:

firewall/C1(config-cmap)# exit

firewall/C1(config)#

Exits class map configuration mode.

Step 10 

policy-map multi-match map_name

Example:
firewall/C1(config)# policy-map multi-match TCPIP_POLICY

Creates and configures a Layer 3 and Layer 4 policy map.

Step 11 

class map_name

Example:
firewall/C1(config-pmap)# class TCP_CLASS

Associates a class map defined in Step 7 with the Layer 3 and Layer 4 policy map.

Step 12 

exit

Example:

firewall/C1(config-pmap-c)# exit

firewall/C1(config-pmap)#

Exits class map configuration mode.

Step 13 

exit

Example:

firewall/C1(config-pmap)# exit

firewall/C1(config)#

Exits policy map configuration mode.

Step 14 

interface interface_name

Example:
firewall/C1(config)# interface inside1

Enters interface configuration mode for an interface.

Step 15 

service-policy input policy_name

Example:
firewall/C1(config-if)# service-policy input TCPIP_POLICY

Applies the policy map globally across all interfaces in the context using a service policy.

Step 16 

ip ttl minimum number

Example:
firewall/C1(config-if)# ip ttl 15

Specifies the number of hops (the TTL value) that a packet is allowed in order to reach its destination. Each router along the packet's path decrements the TTL by one. If the packet's TTL reaches zero before the packet reaches its destination, the packet is discarded.

Step 17 

ip options clear

Example:
firewall/C1(config-if)# ip options clear

Clears all IP options from the packet and allows the packet.

Step 18 

ip df allow

Example:
firewall/C1(config-if)# ip df allow

Permits the packet with the DF bit set. If the packet is larger than the next-hop MTU, the VFW application discards the packet and sends an ICMP unreachable message to the source host.

Step 19 

end

Example:

firewall/C1(config-if)# end

firewall/C1#

Exits interface configuration mode.

Step 20 

copy running-config startup-config

Example:

firewall/C1# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Troubleshooting Tip

Use the following show commands to display TCP/IP normalization configuration information:

show running-config policy-map

show running-config parameter-map

show running-config interface

show service-policy name

Configuring IP Fragment Reassembly Parameters

You can configure several parameters that control how the VFW application performs IP fragment reassembly. This task describes the steps required to configure IP fragment reassembly.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. changeto context_name

2. configure

3. interface interface_name

4. fragment chain number

5. fragment min-mtu number

6. fragment timeout seconds

7. end

8. copy running-config startup-config

9. show interface interface_name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

changeto context_name

Example:

firewall/Admin# changeto C1

firewall/C1#

Logs into the correct context. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context.

Note For details on creating contexts, see Configuring Virtualization on the Virtual Firewall.

Step 2 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 3 

interface interface_name

Example:
firewall/C1(config)# interface inside1

Enters interface configuration mode for the interface on which you want to configure fragment reassembly parameters.

Step 4 

fragment chain number

Example:
firewall/C1(config-if)# fragment chain 126

Configures the maximum number of fragments belonging to the same packet that the VFW application accepts for reassembly. For the number argument, enter a fragment chain limit as an integer from 1 to 256 fragments. The default is 24 fragments.

Step 5 

fragment min-mtu number

Example:
firewall/C1(config-if)# fragment min-mtu 1024

Configures the minimum fragment size that the VFW application will accept for reassembly. For the number argument, enter the minimum fragment size as an integer from 68 to 9216 bytes. The default is 576 bytes.

Step 6 

fragment timeout seconds

Example:
firewall/C1(config-if)# fragment timeout 15

Configures a fragment reassembly timeout to specify the period of time after which the VFW application abandons the fragment reassembly process if it does not receive any outstanding fragments for the current fragment chain (fragments belonging to the same packet). For the seconds argument, enter an integer from 1 to 30 seconds. The default is 5 seconds.

Step 7 

end

Example:

firewall/C1(config-if)# end

firewall/C1#

Exits interface configuration mode.

Step 8 

copy running-config startup-config

Example:

firewall/C1# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Step 9 

show interface interface_name

Example:

firewall/C1# show interface inside1

(Optional) Displays IP fragment reassembly configuration information.
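The three limits configured in Steps 4 through 6 (fragment chain, fragment min-mtu and fragment timeout) can be modelled as a small reassembly state machine. The following Python is an added illustration, not code from the Cisco page or from the VFW application; the fragment keys, sizes and clock are constructed sample values, and the rule that min-mtu is not applied to the final fragment is an assumption, not something the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FragmentPolicy:
    """Per-interface limits; the defaults are the values the steps above document."""
    chain: int = 24        # fragment chain: maximum fragments accepted for one packet
    min_mtu: int = 576     # fragment min-mtu: smallest fragment accepted, in bytes
    timeout: float = 5.0   # fragment timeout: seconds to wait for outstanding fragments


@dataclass
class Fragment:
    key: Tuple[str, str, int, int]   # (src, dst, IP identification, protocol)
    offset: int                       # byte offset within the original datagram
    length: int                       # payload bytes carried by this fragment
    more: bool                        # IP "more fragments" flag
    at: float                         # arrival time in seconds (constructed clock)


@dataclass
class Chain:
    frags: Dict[int, Fragment] = field(default_factory=dict)
    last_seen: float = 0.0
    total_len: Optional[int] = None   # known once the final fragment arrives


class Reassembler:
    def __init__(self, policy: Optional[FragmentPolicy] = None):
        self.policy = policy or FragmentPolicy()
        self.chains: Dict[tuple, Chain] = {}

    def accept(self, f: Fragment) -> str:
        """Apply the chain, min-mtu and timeout limits to one fragment; report the outcome."""
        p = self.policy
        chain = self.chains.get(f.key)
        if chain is not None and f.at - chain.last_seen > p.timeout:
            # Outstanding fragments never arrived in time: abandon the partial datagram.
            del self.chains[f.key]
            chain = None
        # Assumption (not stated on the page): min-mtu is enforced on every fragment
        # except the final one, since only the last fragment may legitimately be short.
        if f.more and f.length < p.min_mtu:
            return "drop: fragment below min-mtu"
        if chain is None:
            chain = self.chains[f.key] = Chain()
        if f.offset not in chain.frags and len(chain.frags) >= p.chain:
            del self.chains[f.key]
            return "drop: fragment chain limit exceeded"
        chain.frags[f.offset] = f
        chain.last_seen = f.at
        if not f.more:
            chain.total_len = f.offset + f.length
        if self._complete(chain):
            del self.chains[f.key]
            return "reassembled"
        return "queued"

    @staticmethod
    def _complete(chain: Chain) -> bool:
        """True when the queued fragments cover [0, total_len) without gaps."""
        if chain.total_len is None:
            return False
        end = 0
        for off in sorted(chain.frags):
            if off != end:
                return False
            end = off + chain.frags[off].length
        return end == chain.total_len
```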

Displaying Configurations and Statistics for TCP/IP and UDP Connections and IP Reassembly

This task describes the show commands that you can use to display configurations and statistics for:

TCP connections parameters

IP connections parameters

UDP connection parameters

IP fragment reassembly

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. show running-config class-map

2. show running-config policy-map

3. show running-config interface

4. show conn {address ip_address1 [ip_address2] netmask mask} | count | detail | {port number1 [number2]} | {protocol {tcp | udp}}

5. show stats connection

6. show ip traffic

7. show fragment [interface_name]

8. show tcp statistics

9. show udp statistics

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

show running-config class-map

Example:
firewall/C1# show running-config class-map

(Optional) Displays all traffic classifications configured in the current context, including match statements for IP addresses and TCP or UDP ports.

Step 2 

show running-config policy-map

Example:
firewall/C1# show running-config policy-map

(Optional) Displays all policy maps configured in the current context, including the associated class maps.

Step 3 

show running-config interface

Example:
firewall/C1# show running-config interface

(Optional) Displays all interface configurations in the current context.

Step 4 

show conn {address ip_address1 [ip_address2] netmask mask} | count | detail | {port number1 [number2]} | {protocol {tcp | udp}}

Example:
firewall/C1# show conn address 192.168.12.15 192.168.12.35 netmask 255.255.255.0

(Optional) Displays TCP/IP and UDP connection statistics. The keywords, arguments, and options are:

address ip_address1 [ip_address2]—Displays connection statistics for a single source or destination IP address or, optionally, for a range of source or destination IP addresses. To specify a range of IP addresses, enter an IP address for the lower limit of the range and a second IP address for the upper limit of the range.

count—Displays the total current connections to the VFW application.

detail—Displays detailed connection information.

netmask mask—Network mask for the IP address or range of IP addresses you specify.

port number1 [number2]—Displays connection statistics for a single source or destination port or, optionally, for a range of source or destination ports.

protocol {tcp | udp}—Displays connection statistics for TCP or UDP.

Step 5 

show stats connection

Example:
firewall/C1# show stats connection

(Optional) Displays global connection statistics for the current context.

Step 6 

show ip traffic

Example:
firewall/C1# show ip traffic

(Optional) Displays IP traffic information. Aside from fragmentation, reassembly, and ARP statistics, this command displays statistics for traffic destined to the VFW application, rather than through the VFW application.

Step 7 

show fragment [interface_name]

Example:
firewall/C1# show fragment

(Optional) Displays IP fragmentation and reassembly statistics for all interfaces in the VFW application or the specified interface.

If you omit the interface_name argument, statistics are displayed for all interfaces in the VFW application.

Step 8 

show tcp statistics

Example:
firewall/C1# show tcp statistics

(Optional) Displays TCP statistics. This command displays statistics for traffic destined to the VFW application, rather than through the VFW application.

Step 9 

show udp statistics

Example:
firewall/C1# show udp statistics

(Optional) Displays UDP statistics. This command displays statistics for traffic destined to the VFW application, rather than through the VFW application.

Clearing Connections and Statistics

This task demonstrates how to clear the various connections and restart the statistics counters.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. clear ip statistics

2. clear tcp statistics

3. clear udp statistics

4. clear conn [all | flow {icmp | tcp | udp}]

5. clear interface [interface_name]

6. clear stats conn

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

clear ip statistics

Example:

firewall/C1# clear ip statistics

(Optional) Clears IP statistics. This command clears all statistics associated with IP normalization, fragmentation, and reassembly in the current context.

Note If you configured redundancy, then you need to explicitly clear IP statistics on both the active and the standby VFWs. Clearing statistics on the active module alone leaves the standby module's statistics at the old values.

Step 2 

clear tcp statistics

Example:

firewall/C1# clear tcp statistics

(Optional) Clears TCP statistics. This command clears all statistics associated with TCP connections and normalization in the current context.

Note If you configured redundancy, then you need to explicitly clear TCP statistics on both the active and the standby VFWs. Clearing statistics on the active module alone leaves the standby module's statistics at the old values.

Step 3 

clear udp statistics

Example:

firewall/C1# clear udp statistics

(Optional) Clears UDP statistics. This command clears all statistics associated with UDP connections in the current context.

Note If you configured redundancy, then you need to explicitly clear UDP statistics on both the active and the standby VFWs. Clearing statistics on the active module alone leaves the standby module's statistics at the old values.

Step 4 

clear conn [all | flow {icmp | tcp | udp}]

Example:

firewall/C1# clear conn flow tcp

(Optional) Clears ICMP, TCP, and UDP connections.

Step 5 

clear interface [interface_name]

Example:

firewall/C1# clear interface

(Optional) Clears IP fragmentation and reassembly statistics. If you omit the interface_name argument, fragmentation and reassembly statistics are cleared for all interfaces in the context.

Note If redundancy is configured, you must explicitly clear IP fragmentation and reassembly statistics on both the active and the standby VFWs. If statistics are cleared only on the active module, the statistics on the standby module retain the old values.

Step 6 

clear stats conn

Example:

firewall/C1# clear stats conn

(Optional) Clears all connection statistics in the current context.

Additional References

The following sections provide references related to TCP/IP normalization and IP reassembly.

Related Documents

Related Topic
Document Title

Virtual firewall normalization command syntax

"TCP/IP Normalization and IP Reassembly Parameters Commands on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Command Reference


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport