Table Of Contents
Preventing Network Attacks
Configuring Connection Limits and Timeouts
Configuring Connection Limits and Timeouts
Preventing IP Spoofing
Configuring the Fragment Size
Blocking Unwanted Connections
Preventing Network Attacks
This chapter describes how to prevent network attacks and includes the following sections:
•
Configuring Connection Limits and Timeouts
•
Preventing IP Spoofing
•
Configuring the Fragment Size
•
Blocking Unwanted Connections
Configuring Connection Limits and Timeouts
This section describes how to set maximum TCP and UDP connections, connection timeouts, and how to disable TCP sequence randomization.
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The FWSM randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
•
If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to perform this action, although leaving randomization enabled on both does not affect the traffic.
•
If you use eBGP multi-hop through the FWSM and the eBGP peers are using MD5 authentication. Randomization breaks the MD5 checksum, because the TCP MD5 signature (RFC 2385) covers the TCP header, including the sequence number.
•
If you use a WAAS device that requires the FWSM not to randomize the sequence numbers of connections.
Note
You can also configure maximum connections and TCP sequence randomization in the NAT configuration. If you configure these settings for the same traffic using both methods, then the FWSM uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the FWSM disables TCP sequence randomization.
NAT also lets you configure embryonic connection limits, which trigger TCP Intercept to prevent a DoS attack. To configure connection limits, TCP randomization, and embryonic limits, see the "Configuring Connection Limits for Transparent Firewall Mode and Non-NAT Configurations" section on page 7-5 and Chapter 12, "Configuring NAT."
To set connection limits and timeouts, perform the following steps:
Step 1
To identify the traffic, add a class map using the class-map command. See the "Identifying Traffic Using a Class Map" section on page 18-2 for more information.
For example, you can match all traffic using the following commands:
hostname(config)# class-map CONNS
hostname(config-cmap)# match any
To match specific traffic, you can match an access list:
hostname(config)# access-list CONNS extended permit ip any host 10.1.1.1
hostname(config)# class-map CONNS
hostname(config-cmap)# match access-list CONNS
Step 2
To add or edit a policy map that sets the actions to take with the class map traffic, enter the following commands:
hostname(config)# policy-map name
hostname(config-pmap)# class class_map_name
where the class_map_name is the class map from Step 1.
For example:
hostname(config)# policy-map CONNS
hostname(config-pmap)# class CONNS
Step 3
To set maximum connection limits or whether TCP sequence randomization is enabled, enter the following command:
hostname(config-pmap-c)# set connection {[conn-max n] [random-sequence-number {enable | disable}]}
where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535. The default is 0, which allows unlimited connections.
The random-sequence-number {enable | disable} keyword enables or disables TCP sequence number randomization.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The FWSM combines the command into one line in the running configuration.
Step 4
To set connection timeouts, enter the following command:
hostname(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [half-closed hh:mm:ss] [tcp hh:mm:ss [reset]]}
where the embryonic hh:mm:ss keyword sets the timeout period until a TCP embryonic (half-open) connection is closed, between 0:0:1 and 0:4:15. The default is 0:0:20. You can also set this value to 0, which means the connection never times out.
The half-closed hh:mm:ss keyword sets the idle timeout for half-closed connections (one endpoint has sent a FIN), between 0:0:1 and 0:4:15. The default is 0:0:20. You can also set this value to 0, which means the connection never times out. The FWSM does not send a reset when taking down half-closed connections.
The tcp hh:mm:ss keyword sets the idle timeout for established TCP connections, between 0:5:0 and 1092:15:0. The default is 0:60:0 (one hour). You can also set this value to 0, which means the connection never times out. The reset keyword sends a reset to the TCP endpoints when the connection times out. The FWSM sends the reset packet only in response to a host sending another packet for the timed-out flow (on the same source and destination port). The host then removes the connection from its connection table after receiving the reset packet, and the host application can attempt to establish a new connection using a SYN packet.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined onto one line in the running configuration.
Step 5
To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
where policymap_name is the policy map you configured in Step 2. To apply the policy map to traffic on all the interfaces, use the global keyword. To apply the policy map to traffic on a specific interface, use the interface interface_name option, where interface_name is the name assigned to the interface with the nameif command.
Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
The following example sets the maximum TCP and UDP connections to 5000, and sets the maximum embryonic timeout to 40 seconds, the half-closed timeout to 20 minutes, and the TCP timeout to 2 hours for traffic going to 10.1.1.1:
hostname(config)# access-list CONNS permit ip any host 10.1.1.1
hostname(config)# class-map conns
hostname(config-cmap)# match access-list CONNS
hostname(config-cmap)# policy-map conns
hostname(config-pmap)# class conns
hostname(config-pmap-c)# set connection conn-max 5000
hostname(config-pmap-c)# set connection timeout embryonic 0:0:40 half-closed 0:20:0 tcp 2:0:0
hostname(config-pmap-c)# service-policy conns interface outside
You can enter set connection commands with multiple parameters or you can enter each parameter as a separate command. The FWSM combines the commands into one line in the running configuration. For example, if you entered the following two commands in class configuration mode:
hostname(config-pmap-c)# set connection timeout embryonic 0:0:40
hostname(config-pmap-c)# set connection timeout half-closed 0:20:0
the output of the show running-config policy-map command would display the result of the two commands in a single, combined command:
set connection timeout embryonic 0:0:40 half-closed 0:20:0
Configuring Connection Limits and Timeouts
This section describes how to set maximum TCP and UDP connections, how to set connection timeouts, and how to disable TCP sequence randomization.
TCP initial sequence number randomization can be disabled if another in-line firewall is also randomizing the initial sequence numbers, because there is no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the traffic.
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in the outbound direction. If the connection is between two interfaces with the same security level, then the ISN will be randomized in the SYN in both directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
Note
You can also configure maximum connections and TCP sequence randomization in the NAT configuration. If you configure these settings for the same traffic using both methods, then the FWSM uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the FWSM disables TCP sequence randomization.
NAT also lets you configure embryonic connection limits, which triggers TCP Intercept to prevent a DoS attack. To configure connection limits, TCP randomization, and embryonic limits, see the "Configuring Connection Limits for Transparent Firewall Mode and Non-NAT Configurations" section on page 7-5 and Chapter 12, "Configuring NAT."
To set connection limits, perform the following steps:
Step 1
To identify the traffic, add a class map using the class-map command. See the "Identifying Traffic Using a Class Map" section on page 18-2 for more information.
Step 2
To add or edit a policy map that sets the actions to take with the class map traffic, enter the following command:
hostname(config)# policy-map name
Step 3
To identify the class map from Step 1 to which you want to assign an action, enter the following command:
hostname(config-pmap)# class class_map_name
Step 4
To set the maximum connections (both TCP and UDP), or to enable or disable TCP sequence randomization, enter the following command:
hostname(config-pmap-c)# set connection {[conn-max number] [random-sequence-number {enable | disable}]}
Where number is an integer between 0 and 65535. The default is 0, which means no limit on connections.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined onto one line in the running configuration.
Step 5
To set the timeout for connections, embryonic connections (half-opened), and half-closed connections, enter the following command:
hostname(config-pmap-c)# set connection timeout {[embryonic seconds] [half-closed minutes] [tcp minutes]}
where the embryonic seconds argument is a time between 1 and 255, in seconds. The default is 20 seconds. You can also set the value to 0, which means the connection never times out. Although you cannot set the maximum number of embryonic connections using the set connection command, you can set the timeout.
The half-closed minutes argument is between 1 and 255, in minutes. The default is 10 minutes. You can also set the value to 0, which means the connection never times out.
The tcp minutes argument is between 5 and 65535, in minutes. The default is 60 minutes. You can also set the value to 0, which means the connection never times out.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined onto one line in the running configuration.
Step 6
To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
Where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
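The following script is an added example, not part of the original guide or of FWSM software. It parses the combined single-line form of set connection that the FWSM writes into show running-config policy-map (described in both sections above) and flags the settings that weaken the protections just described: an unlimited conn-max, disabled TCP sequence number randomization, and an embryonic timeout of 0. The sample output, the policy-map and class names are constructed; it accepts timeouts both in the hh:mm:ss form and as the bare seconds/minutes form.

```python
"""Audit 'set connection' settings in FWSM 'show running-config policy-map'
output. Added example, not code from the guide; the sample output below is
constructed to look like the combined single-line form the FWSM produces."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of 'show running-config policy-map' output.
SAMPLE_POLICY_MAP = """\
policy-map CONNS
 class conns
  set connection conn-max 5000
  set connection timeout embryonic 0:0:40 half-closed 0:20:0 tcp 2:0:0
 class bgp-peers
  set connection random-sequence-number disable
 class any-other
  set connection conn-max 0
  set connection timeout embryonic 0
"""


def to_seconds(value: str, keyword: str) -> int:
    """Normalize a timeout to seconds. Accepts the hh:mm:ss form or a bare
    integer (seconds for embryonic, minutes for half-closed and tcp)."""
    if ":" in value:
        hours, minutes, seconds = (int(part) for part in value.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    number = int(value)
    return number if keyword == "embryonic" else number * 60


@dataclass
class ClassSettings:
    conn_max: Optional[int] = None   # None: never set, same effect as 0 (unlimited)
    random_isn: bool = True          # randomization is on unless explicitly disabled
    timeouts: Dict[str, int] = field(default_factory=dict)  # keyword -> seconds


def parse_policy_map(text: str) -> Dict[str, Dict[str, ClassSettings]]:
    """Return {policy_map_name: {class_name: ClassSettings}}."""
    policies: Dict[str, Dict[str, ClassSettings]] = {}
    pmap = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            pmap = line.split()[1]
            policies[pmap] = {}
        elif line.startswith("class ") and pmap is not None:
            cls = line.split()[1]
            policies[pmap][cls] = ClassSettings()
        elif line.startswith("set connection timeout ") and cls is not None:
            # Several attributes may share one line once the FWSM has combined them.
            for keyword, value in re.findall(r"(embryonic|half-closed|tcp)\s+(\S+)", line):
                policies[pmap][cls].timeouts[keyword] = to_seconds(value, keyword)
        elif line.startswith("set connection ") and cls is not None:
            match = re.search(r"conn-max\s+(\d+)", line)
            if match:
                policies[pmap][cls].conn_max = int(match.group(1))
            match = re.search(r"random-sequence-number\s+(enable|disable)", line)
            if match:
                policies[pmap][cls].random_isn = match.group(1) == "enable"
    return policies


def audit(policies: Dict[str, Dict[str, ClassSettings]]) -> List[str]:
    """Flag settings that weaken the protections this section describes."""
    findings = []
    for pmap, classes in policies.items():
        for cls, settings in classes.items():
            where = f"{pmap}/{cls}"
            if settings.conn_max in (None, 0):
                findings.append(f"{where}: conn-max is 0 or unset, connections are unlimited")
            if not settings.random_isn:
                findings.append(f"{where}: TCP sequence number randomization disabled")
            if settings.timeouts.get("embryonic") == 0:
                findings.append(f"{where}: embryonic timeout 0, half-open connections never time out")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_policy_map(SAMPLE_POLICY_MAP)):
        print(finding)
```

Run against a saved copy of show running-config policy-map; a class such as bgp-peers that legitimately disables randomization (the eBGP MD5 case above) will still be reported, so review each finding against the documented exceptions rather than treating every hit as a misconfiguration.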
Preventing IP Spoofing
This section describes how to enable Unicast Reverse Path Forwarding (Unicast RPF) on an interface. Unicast RPF guards against IP spoofing (a packet that uses an incorrect source IP address to obscure its true source) by ensuring that every packet has a source IP address that matches the correct source interface according to the routing table.
Normally, the FWSM only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the FWSM to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the FWSM, the FWSM routing table must include a route back to the source address. See RFC 2267 (since superseded by RFC 2827) for more information.
For outside traffic, for example, the FWSM can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the FWSM uses the default route to correctly identify the outside interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the FWSM drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the FWSM drops the packet because the matching route (the default route) indicates the outside interface.
Unicast RPF is implemented as follows:
•
ICMP packets have no session, so each packet is checked.
•
UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.
To enable Unicast RPF, enter the following command:
hostname(config)# ip verify reverse-path interface interface_name
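The following Python model is an added example, not FWSM code, that works through the decision the text describes: a longest-prefix lookup on the source address, a pass only when the matched route points back out the ingress interface, per-packet checks for ICMP, and for TCP and UDP a check on the initial packet followed by an interface-consistency check on later packets of the same session. The routing table, interface names and packets are constructed for illustration.

```python
"""Model of the Unicast RPF decision described above. Added example, not FWSM
code; the routing table, interface names and packets are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table: (prefix, egress interface). Only the default route
# points at outside, matching the text's description.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),
    (ipaddress.ip_network("192.168.50.0/24"), "dmz"),
]


def route_lookup(addr: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the FWSM would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_passes(src: str, ingress: str, routes=ROUTES) -> bool:
    """Reverse path check: the route back to the source must leave via the
    interface the packet arrived on."""
    return route_lookup(src, routes) == ingress


class UrpfFirewall:
    """Applies uRPF the way the text describes: every ICMP packet is checked;
    TCP and UDP are checked on the initial packet, and later packets of the
    session must arrive on the same interface as the initial one."""

    def __init__(self, routes=ROUTES):
        self.routes = routes
        # 5-tuple -> ingress interface of the session's initial packet
        self.sessions: Dict[tuple, str] = {}

    def check(self, proto: str, src: str, dst: str, sport: int, dport: int, ingress: str) -> bool:
        if proto == "icmp":
            return urpf_passes(src, ingress, self.routes)
        key = (proto, src, dst, sport, dport)
        if key not in self.sessions:
            if not urpf_passes(src, ingress, self.routes):
                return False
            self.sessions[key] = ingress
            return True
        return self.sessions[key] == ingress


if __name__ == "__main__":
    fw = UrpfFirewall()
    # Unknown source arriving on outside: the default route points at outside, so it passes.
    print("outside, unknown src:", fw.check("icmp", "203.0.113.7", "10.1.1.1", 0, 0, "outside"))
    # Inside address arriving on outside: dropped.
    print("outside, inside src: ", fw.check("icmp", "10.1.1.5", "203.0.113.7", 0, 0, "outside"))
    # Unknown source arriving on inside: the default route says outside, so dropped.
    print("inside, unknown src: ", fw.check("icmp", "172.16.9.9", "203.0.113.7", 0, 0, "inside"))
```

The third case is the one that surprises people: an internal host with an address that is not in the routing table is dropped even though it really is inside, because the only route that matches is the default route. Add a route for every internal prefix before enabling ip verify reverse-path on an inside interface.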
Configuring the Fragment Size
By default, the FWSM allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to allow fragments on your network if you have an application that routinely fragments packets, such as NFS over UDP. However, if you do not have an application that fragments traffic, we recommend that you do not allow fragments through the FWSM, because fragmented packets are often used in DoS attacks. To disallow fragments, set the maximum fragment chain length to 1 by entering the following command:
hostname(config)# fragment chain 1 [interface_name]
Enter an interface name if you want to block fragments on a specific interface only. By default, this command applies to all interfaces.
Blocking Unwanted Connections
If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address and other identifying parameters. No new connections can be made until you remove the shun.
Note
If you have an IPS that monitors traffic, then the IPS can shun connections automatically.
To shun a connection manually, perform the following steps:
Step 1
If necessary, view information about the connection by entering the following command:
hostname# show conn
The FWSM shows information about each connection, such as the following:
TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
Step 2
To shun connections from the source IP address, enter the following command:
hostname(config)# shun src_ip [dst_ip src_port dst_port [protocol]] [vlan vlan_id]
This command drops the existing connection and blocks future connections. By default, the protocol is 0 for IP.
For multiple context mode, you can enter this command in the admin context, and by specifying a VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other contexts.
Step 3
To remove the shun, enter the following command:
hostname(config)# no shun src_ip [vlan vlan_id]
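The following script is an added example, not code from the guide or from the FWSM. It parses connection lines in the show conn format shown in Step 1 and builds the shun commands of Step 2 (one per existing connection from the attacking source, with the full tuple) and the no shun command of Step 3. The connection lines are constructed; passing the protocol as an IP protocol number (6 for TCP, 17 for UDP) is an assumption consistent with the guide's statement that the default is 0 for IP, so check the argument form on your release before pasting the output.

```python
"""Build shun / no shun commands from FWSM 'show conn' output. Added example,
not code from the guide; the connection lines are constructed in the format the
guide shows. Passing the IANA protocol number (6 TCP, 17 UDP) is an assumption
based on the guide's 'the protocol is 0 for IP'."""
import re
from typing import Dict, List, Optional

# Constructed 'show conn' output in the format the guide shows.
SHOW_CONN = """\
TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
TCP out 64.101.68.161:4301 in 10.86.194.60:22 idle 0:00:05 bytes 88 flags saA
UDP out 64.101.68.161:53211 in 10.86.194.53:53 idle 0:00:12 bytes 140 flags -
TCP out 198.51.100.9:51022 in 10.86.194.60:443 idle 0:00:01 bytes 5120 flags UIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+idle\s+(?P<idle>\S+)\s+"
    r"bytes\s+(?P<bytes>\d+)"
)
IP_PROTO = {"TCP": 6, "UDP": 17}  # assumption: IANA protocol numbers


def parse_conns(text: str) -> List[Dict[str, str]]:
    """Parse 'show conn' lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        match = CONN_RE.match(line.strip())
        if match:
            conns.append(match.groupdict())
    return conns


def shun_commands(conns: List[Dict[str, str]], attacker: str,
                  vlan: Optional[int] = None) -> List[str]:
    """One shun per existing connection involving the attacker, with the full
    tuple so the FWSM drops that connection as well as blocking future ones.
    The attacker may appear on either side of the connection."""
    cmds = []
    for conn in conns:
        if conn["out_ip"] == attacker:
            dst_ip, sport, dport = conn["in_ip"], conn["out_port"], conn["in_port"]
        elif conn["in_ip"] == attacker:
            dst_ip, sport, dport = conn["out_ip"], conn["in_port"], conn["out_port"]
        else:
            continue
        cmd = f"shun {attacker} {dst_ip} {sport} {dport} {IP_PROTO[conn['proto']]}"
        if vlan is not None:
            cmd += f" vlan {vlan}"
        cmds.append(cmd)
    return cmds


def unshun_command(src_ip: str, vlan: Optional[int] = None) -> str:
    """The matching removal from Step 3."""
    cmd = f"no shun {src_ip}"
    return cmd + (f" vlan {vlan}" if vlan is not None else "")


if __name__ == "__main__":
    conns = parse_conns(SHOW_CONN)
    for cmd in shun_commands(conns, "64.101.68.161"):
        print(cmd)
    print(unshun_command("64.101.68.161"))
```

Because the shun persists until removed, record the source address and VLAN you shunned alongside the incident ticket so the no shun in Step 3 can be issued once the attack is over.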