-
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.1
-
About This Guide
-
Quick Start Steps
-
Getting Started and General Information
-
Introduction to the Firewall Services Module
-
Configuring the Switch for the Firewall Services Module
-
Getting Started
-
Managing Security Contexts
-
Configuring the Firewall Mode
-
Configuring Interface Parameters
-
Configuring Basic Settings
-
Configuring IP Routing and DHCP Services
-
Configuring Multicast Routing
-
Configuring IPv6
-
Configuring AAA Servers and the Local Database
-
Configuring Certificates
-
Identifying Traffic with Access Lists
-
Configuring Failover
-
- Configuring the Security Policy
- System Administration
- Reference
-
Glossary
-
Index
-
Feedback
Table Of Contents
Common Uses for Security Contexts
How the FWSM Classifies Packets
Sharing Interfaces Between Contexts
NAT and Origination of Traffic
Management Access to Security Contexts
Enabling or Disabling Multiple Context Mode
Backing Up the Single Mode Configuration
Enabling Multiple Context Mode
Setting the Number of Memory Partitions
Changing the Memory Partition Size
Reallocating Rules Between Features for a Specific Memory Partition
Configuring Resource Management
Classes and Class Members Overview
Configuring a Security Context
Changing Between Contexts and the System Execution Space
Changing the Security Context URL
Reloading by Clearing the Configuration
Reloading by Removing and Readding the Context
Monitoring SYN Attacks in Contexts
Configuring Security Contexts
This chapter describes how to configure multiple security contexts, and includes the following sections:
•
Enabling or Disabling Multiple Context Mode
•
•
•
Security Context Overview
You can partition a single FWSM into multiple virtual devices, known as security contexts. Each context has its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, and management. Some features are not supported, including most dynamic routing protocols.
This section provides an overview of security contexts, and includes the following topics:
•
•
•
•
Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
•
•
•
•
Unsupported Features
Multiple context mode does not support the following features:
•
Security contexts support only static routes or BGP stub mode. You cannot enable OSPF or RIP in multiple context mode. You can, however, configure Route Health Injection, which lets you inject static, connected, and NAT addresses into the MSFC routing table. See the "Configuring Route Health Injection" section.
•
Context Configuration Files
This section describes how the FWSM implements multiple context mode configurations, and includes the following topics:
Context Configurations
The FWSM includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. You can store context configurations on the internal flash memory or the external flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server.
System Configuration
The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the FWSM. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.
Admin Context Configuration
The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, and not remotely.
If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal flash memory called admin.cfg. This context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context.
How the FWSM Classifies Packets
Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send a packet. The FWSM uses only one global MAC address across all interfaces. A single MAC address is usually not a problem unless multiple contexts want to share an interface. A router cannot direct packets to IP addresses on the same network if all IP addresses resolve to the same MAC address. Moreover, the bridging table of the switch would constantly change as the MAC address moves from one interface to another. The purpose of the security context classifier is to resolve this situation.
This section includes the following topics:
Valid Classifier Criteria
If only one context is associated with the ingress interface, the FWSM classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times. The only exception in transparent mode is for a shared management VLAN; for management traffic destined for an interface, the interface IP address is used for classification.
If multiple contexts share an interface, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on active NAT sessions to determine the subnets in each context. Active NAT sessions are created either by static commands, which create a permanent session, or by active dynamic NAT sessions.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context:
•
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0•
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0•
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0If you use dynamic NAT, an active NAT session is created when the real host creates a connection through the shared interface. For traffic returning to the host, the active NAT session is used to classify the packet.
To quickly identify possible overlaps between different contexts, a situation that leads to connectivity problems, enter the show np 3 static command in the system execution space.
Note
Invalid Classifier Criteria
The following configurations are not used for packet classification:
•
•
Classification Examples
Figure 4-1 shows multiple contexts sharing an outside interface, while the inside interfaces are unique, allowing overlapping IP addresses. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.
Figure 4-1 Packet Classification with a Shared Interface
Note that all new incoming traffic must be classified, even from inside networks. Figure 4-2 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is VLAN 300, which is assigned to Context B.
Figure 4-2 Incoming Traffic from Inside Networks
Figure 4-3 shows a transparent firewall with a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is VLAN 300, which is assigned to Context B.
Figure 4-3 Transparent Firewall Contexts
Sharing Interfaces Between Contexts
The FWSM lets you share an interface between contexts. For transparent mode, you can only share a management-only VLAN; all through-traffic interfaces must be unique. For management traffic destined for an interface, the interface IP address is used for classification. For non-management-only VLANs in routed mode, packet classification requirements might make sharing interfaces impractical. Because the classifier relies on active NAT sessions to classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces.
Note
This section includes the following topics:
•
NAT and Origination of Traffic
The type of NAT configured determines whether the traffic can originate on the shared interface or if it can only respond to an existing connection. When you use dynamic NAT, you cannot initiate a connection to the real addresses. Therefore, traffic from the shared interface must be in response to an existing connection. Static NAT, however, lets you initiate connections, so you can initiate connections on the shared interface.
Sharing an Outside Interface
When you have an outside shared interface (connected to the Internet, for example), the destination addresses on the inside are limited, and are known by the system administrator, so configuring NAT for those addresses is easy, even if you want to configure static NAT.
Sharing an Inside Interface
Configuring an inside shared interface poses a problem, however, if you want to allow communication between the shared interface and the Internet, where the destination addresses are unlimited. For example, if you want to allow inside hosts on the shared interface to initiate traffic to the Internet, then you need to configure static NAT statements for each Internet address. This requirement necessarily limits the kind of Internet access you can provide for users on an inside shared interface. (If you intend to statically translate addresses for Internet servers, then you also need to consider DNS entry addresses and how NAT affects them. For example, if a server sends a packet to www.example.com, then the DNS server needs to return the translated address. Your NAT configuration determines DNS entry management.)
Figure 4-4 shows two servers on an inside shared interface. One server sends a packet to the translated address of a web server, and the FWSM classifies the packet to go through Context C because it includes a static translation for the address. The other server sends the packet to the real untranslated address, and the packet is dropped because the FWSM cannot classify it.
Figure 4-4 Originating Traffic on a Shared Interface
Management Access to Security Contexts
The FWSM provides system administrator access in multiple context mode as well as access for individual context administrators. The following topics describe logging in as a system administrator or as a context administrator:
System Administrator Access
You can access the FWSM as a system administrator in two ways:
•
From the switch, you access the system execution space.
•
See Chapter 23 "Configuring Management Access," to enable Telnet, SSH, and SDM access.
As the system administrator, you can access all contexts.
When you change to a context from admin or the system, your username changes to the default "enable_15" username. If you configured command authorization in that context, you need to either configure authorization privileges for the "enable_15" user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To log in with a username, enter the login command.
For example, you log in to the admin context with the username "admin." The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user "admin" with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as "admin" by entering the login command. When you change to context B, you must again enter the login command to log in as "admin."
Context Administrator Access
You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context. See Chapter 23 "Configuring Management Access," to enable Telnet, SSH, and SDM access and to configure management authentication.
Enabling or Disabling Multiple Context Mode
Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
This section includes the following topics:
•
•
•
Backing Up the Single Mode Configuration
When you convert from single mode to multiple mode, the FWSM converts the running configuration into two files. The original startup configuration is not saved, so if it differs from the running configuration, you should back it up before proceeding.
Enabling Multiple Context Mode
The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command.
When you convert from single mode to multiple mode, the FWSM converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal flash memory). The original startup configuration is not saved. The FWSM automatically adds an entry for the admin context to the system configuration with the name "admin."
To enable multiple mode, enter the following command:
hostname(config)# mode multipleYou are prompted to reboot the FWSM.
Restoring Single Context Mode
If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the FWSM; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device. For example, you can restore the old single-mode running configuration, if available, as the startup configuration. Because the system configuration does not have any network interfaces as part of its configuration, you must access the FWSM from a switch session to perform the copy.
To copy the old running configuration to the startup configuration and to change the mode to single mode, perform the following steps in the system execution space:
Step 1
hostname(config)# copy old_running.cfg startup-configStep 2
hostname(config)# mode singleThe FWSM reboots.
Managing Memory for Rules
The FWSM supports a fixed number of rules for the entire system. In multiple context mode, the FWSM partitions the memory allocated to rule configuration, and assigns each context to a partition. This section describes how rule allocation works and how to manage memory partitions; it includes the following topics:
•
•
•
About Memory Partitions
In multiple context mode, the FWSM partitions the memory allocated to rule configuration, and assigns each context to a partition. By default, a context belongs to one of 12 partitions that offers a maximum number rules, including ACEs, AAA rules, and others. See the "Default Rule Allocation" section for a list of rule limits.
The FWSM assigns contexts to the partitions in the order they are loaded at startup. For example, if you have 12 contexts and the maximum number of rules is 14,103, each context is assigned to its own partition, and can use 14,103 rules. If you add one more context, then context number 1 and the new context number 13 are both assigned to partition 1, and can use 14,103 rules divided between them; the other 11 contexts continue to use 14,103 rules each. If you delete contexts, the partition membership does not shift, so you might have some unequal distribution until you reboot, at which time the contexts are evenly distributed.
Note
You can manage memory partitions by manually assigning a context to a partition (see the "Configuring a Security Context" section); reducing the number of partitions to better match the number of contexts you have (see the "Setting the Number of Memory Partitions" section); changing the size of a partition (see the "Changing the Memory Partition Size" section); and reallocating rules between features (see the "Reallocating Rules Between Features for a Specific Memory Partition" section).
Default Rule Allocation
Table 4-1 lists the default number of rules for each feature type in multiple context mode, for the default 12 memory partitions.
Note
Table 4-1 Default Rule Allocation
AAA Rules
1345
ACEs
14,801
established commands2
96
Filter Rules
576
ICMP, Telnet, SSH, and HTTP Rules
384
Policy NAT ACEs3
384
Inspect Rules
1537
Total Rules
19,219
1 Use the show resource rule command to view the default values for partitions other than 12.
2 Each established command creates a control and data rule, so this value is doubled in the Total Rules value.
3 This limit is lower than in release 2.3.
Setting the Number of Memory Partitions
When increasing the number of partitions, the default size of each partition is reduced. If you manually configured the partition sizes (see the "Changing the Memory Partition Size" section), the sizes you set might not be compatible with the new smaller partition sizes. If the current configured sizes do not fit into the new partitions, then the FWSM rejects the new memory partition configuration.
The FWSM also checks the rule allocation (see the "Reallocating Rules Between Features for a Specific Memory Partition" section). If you manually allocated rules between features so that the total number of rules allocated is now greater than those available, then the FWSM rejects the new memory partition configuration. Similarly, if the absolute maximum number of rules for a feature is now exceeded, then the FWSM rejects the new memory partition configuration.
Note
Guidelines
Caution
•
•
Detailed Steps
To change the number of memory partitions, perform the following steps:
Step 1
hostname(config)# show resource acl-partitionFor example, the following output shows that 2 memory partitions are configured:
hostname(config)# show resource acl-partitionTotal number of configured partitions = 2Partition #0Mode :exclusiveList of Contexts :bandn, bordersNumber of contexts :2(RefCount:2)Number of rules :0(Max:53087)Partition #1Mode :non-exclusiveList of Contexts :admin, momandpopA, momandpopB, momandpopCmomandpopDNumber of contexts :5(RefCount:5)Number of rules :6(Max:53087)For information about exclusive and non-exclusive partitions, see the "Configuring a Security Context" section.
Step 2
hostname(config)# resource acl-partition number_of_partitionsWhere number_of_partitions is between 1 and 12.
Note
If you later enter clear configure all to restore the default configuration, the resource acl-partition command is not changed back to the default. You must enter the no resource acl-partition command to restore the default for this command.You see the following message:
WARNING: This command leads to re-partitioning of ACL Memory.It will not take affect until you save the configuration and reboot.Step 3
hostname(config)# reloadIf you are using failover, wait a few seconds before reloading the standby unit as well; the standby unit does not reload automatically, and the memory partitions must match on both units. Traffic loss can occur because both units are down at the same time.
Note
Changing the Memory Partition Size
The FWSM lets you set the memory size of each partition.
Note
Guidelines
Caution
•
•
•
•
•
•
•
•
Detailed Steps
To set the size of the memory partitions, perform the following steps:
Step 1
hostname(config)# show resource partitionFor example, the following output shows that each of 12 partitions have the default 19,219 rules (this is an example only, and might differ from the actual number of rules for your system). The backup tree always matches the largest partition size, so it also has 19,219 rules, for a total of 249,847 rules.
hostname(config)# show resource partitionBootup CurrentPartition Default Partition ConfiguredNumber Size Size Size-----------+---------+----------+-----------0 19219 19219 192191 19219 19219 192192 19219 19219 192193 19219 19219 192194 19219 19219 192195 19219 19219 192196 19219 19219 192197 19219 19219 192198 19219 19219 192199 19219 19219 1921910 19219 19219 1921911 19219 19219 19219backup tree 19219 19219 19219-----------+---------+----------+-----------Total 249847 249847 249847Total Partition size - Configured size = Available to allocate249847 - 249847 = 0You can also view the current mapping of contexts to partitions using the show resource acl-partition command.
Step 2
hostname(config)# resource partition numberWhere number is between 0 and 11 by default. If you changed the number of partitions, the partition numbering starts with 0. So if you have 10 partitions, the partition numbers are 0 through 9.
Step 3
hostname(config-partition)# size number_of_rulesWhere number is the number of rules you want to assign to the partition, in this case a lower number than was shown in the show resource partition command. Use the no form of this command to return to the default.
Step 4
Step 5
For example, if you reduced the sizes of partitions 0 through 5 to 15,000, then the output shows that you have 25,314 rules to reallocate to other partitions.
hostname(config)# show resource partitionBootup CurrentPartition Default Partition ConfiguredNumber Size Size Size-----------+---------+----------+-----------0 19219 19219 150001 19219 19219 150002 19219 19219 150003 19219 19219 150004 19219 19219 150005 19219 19219 150006 19219 19219 192197 19219 19219 192198 19219 19219 192199 19219 19219 1921910 19219 19219 1921911 19219 19219 19219backup tree 19219 19219 19219-----------+---------+----------+-----------Total 249847 249847 224533Total Partition size - Configured size = Available to allocate249847 - 224533 = 25314If you want to distribute the rules evenly across the other 6 partitions plus the backup tree, then you can add 3616 rules to each (with 2 left over). Remember that the backup tree must be as large as the largest partition, so you must consider the backup tree in your calculations. For example, if you want to make partition 6 have 24,001 rules, then you can allocate the rules like this:
Step 6
hostname(config)# resource partition numberWhere number is between 0 and 11 by default. If you changed the number of partitions, the partition numbering starts with 0. So if you have 10 partitions, the partition numbers are 0 through 9.
Step 7
hostname(config-partition)# size number_of_rulesWhere number is the number of rules you want to assign to the partition, in this case a higher number than was shown in the show resource partition command. Use the no form of this command to return to the default.
Step 8
Step 9
hostname(config)# reloadIf you are using failover, wait a few seconds before reloading the standby unit as well; the standby unit does not reload automatically, and the memory partition sizes must match on both units. Traffic loss can occur because both units are down at the same time.
Note
For example, if you have 4 partitions, and you want to reduce partitions 0 and 1 to 40000, while increasing partitions 2 and 3 to 56616 and 56615 respectively, enter the following commands:
hostname(config)# show resource partitionBootup CurrentPartition Default Partition ConfiguredNumber Size Size Size-----------+---------+----------+-----------0 49970 49970 499701 49969 49969 499692 49969 49969 499693 49969 49969 49969backup tree 49970 49970 49970-----------+---------+----------+-----------Total 249847 249847 249847Total Partition size - Configured size = Available to allocate249847 - 249847 = 0hostname(config)# resource partition 0hostname(config-partition)# size 40000hostname(config-partition)# resource partition 1hostname(config-partition)# size 40000hostname(config-partition)# show resource partitionBootup CurrentPartition Default Partition ConfiguredNumber Size Size Size-----------+---------+----------+-----------0 49970 49970 400001 49969 49969 400002 49969 49969 499693 49969 49969 49969backup tree 49970 49970 49969-----------+---------+----------+-----------Total 249847 249847 249847Total Partition size - Configured size = Available to allocate249847 - 229907 = 19940hostname(config-partition)# resource partition 2hostname(config-partition)# size 56616hostname(config-partition)# resource partition 3hostname(config-partition)# size 56615hostname(config-partition)# show resource partitionBootup CurrentPartition Default Partition ConfiguredNumber Size Size Size-----------+---------+----------+-----------0 49970 49970 400001 49969 49969 400002 49969 49969 566163 49969 49969 56615backup tree 49970 49970 56616-----------+---------+----------+-----------Total 249847 249847 249847Total Partition size - Configured size = Available to allocate249847 - 249847 = 0hostname(config-partition)# reloadReallocating Rules Between Features for a Specific Memory Partition
To set the rule allocation globally for all partitions, see the "Reallocating Rules Between Features" section. Setting the rule allocation for a specific partition overrides the global setting.
Guidelines
Caution
•
•
Detailed Steps
To reallocate rules for a given partition, perform the following steps:
Step 1
hostname(config)# show resource rule partition [number]For example, the following display shows the maximum rules as 19219 for partition 0 (this is an example only, and might differ from the actual number of rules for your system):
hostname(config)# show resource rule partition 0Default Configured AbsoluteCLS Rule Limit Limit Max-----------+---------+----------+---------Policy NAT 384 384 833ACL 14801 14801 14801Filter 576 576 1152Fixup 1537 1537 3074Est Ctl 96 96 96Est Data 96 96 96AAA 1345 1345 2690Console 384 384 768-----------+---------+----------+---------Total 19219 19219Partition Limit - Configured Limit = Available to allocate19219 - 19219 = 0
Note
Step 2
hostname(config)# show np 3 acl count partition_numberWhere partition_number is between 0 and 11 by default. If you changed the number of partitions, the partition numbering starts with 0. So if you have 10 partitions, the partition numbers are 0 through 9.
For example, the following is sample output from the show np 3 acl count command, and shows the number of inspections (Fixup Rule) close to the maximum of 9216. You might choose to reallocate some access list rules (ACL Rule) to inspections.
hostname(config)# show np 3 acl count 0-------------- CLS Rule Current Counts --------------CLS Filter Rule Count : 0CLS Fixup Rule Count : 9001CLS Est Ctl Rule Count : 4CLS AAA Rule Count : 15CLS Est Data Rule Count : 4CLS Console Rule Count : 16CLS Policy NAT Rule Count : 0CLS ACL Rule Count : 30500CLS ACL Uncommitted Add : 0CLS ACL Uncommitted Del : 0...
Note
Step 3
hostname(config)# resource partition numberWhere number is between 0 and 11 by default. If you changed the number of partitions, the partition numbering starts with 0. So if you have 10 partitions, the partition numbers are 0 through 9.
Step 4
hostname(config-partition)# rule nat {max_policy_nat_rules | current | default | max} acl {max_ace_rules | current | default | max} filter {max_filter_rules | current | default | max} fixup {max_inspect_rules | current | default | max} est {max_established_rules | current | default | max} aaa {max_aaa_rules | current | default | max} console {max_console_rules | current | default | max}You must enter all arguments in this command. This command takes effect immediately.
The nat max_nat_rules arguments set the maximum number of policy NAT ACEs, between 0 and 10000.
The acl max_nat_rules arguments set the maximum number of ACEs, between 0 and the system limit. The system limit depends on how many memory partitions you configured. See Step 1 to use the show resource rule command.
The filter max_nat_rules arguments set the maximum number of filter rules, between 0 and 6000.
The fixup max_nat_rules arguments set the maximum number of inspect rules, between 0 and 10000.
The est max_nat_rules arguments set the maximum number of established commands, between 0 and 716. The established command creates two types of rules, control and data. Both of these types are shown in the show np 3 acl count and show resource rules display, but you set both rules using the est keyword, which correlates with the number of established commands. Be sure to double the value you enter here when comparing the total number of configured rules with the total number of rules shown in the show commands.
The aaa max_nat_rules arguments set the maximum number of AAA rules, between 0 and 10000.
The console max_nat_rules arguments set the maximum number of ICMP, Telnet, SSH, and HTTP rules, between 0 and 4000.
The current keyword keeps the current value set.
The default keyword sets the maximum rules to the default.
The max keyword sets the rules to the maximum allowed for the feature. Be sure to set other features lower to accommodate this value.
For example for partition 0, to reallocate 999 rules from the default 14,801 ACEs to inspections (default 9001), enter the following command:
hostname(config)# resource partition 0hostname(config-partition)# rule nat default acl 13802 filter default fixup 10000 est default aaa default console defaultConfiguring Resource Management
By default, all security contexts have unlimited access to the resources of the FWSM, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context.
Note
This section includes the following topics:
•
Classes and Class Members Overview
The FWSM manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics:
Resource Limits
When you create a class, the FWSM does not set aside a portion of the resources for each context assigned to the class; rather, the FWSM sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can "use up" those resources, potentially affecting service to other contexts.
You can set the limit for all resources together as a percentage of the total available for the device. Also, you can set the limit for individual resources as a percentage or as an absolute value.
You can oversubscribe the FWSM by assigning more than 100 percent of the resources across all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 4-5.)
Figure 4-5 Resource Oversubscription
The FWSM lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the system inspections per second, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to inspections. The contexts in the Gold Class can use more than the 97 percent of "unassigned" inspections; they can also use the 1 percent of inspections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 4-6.) Setting unlimited access is similar to oversubscribing the FWSM, except that you have less control over how much you oversubscribe the system.
Figure 4-6 Unlimited Resources
Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.
If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a 2 percent limit for all resources, the class uses no settings from the default class.
By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:
•
•
•
•
Figure 4-7 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.
Figure 4-7 Resource Classes
Class Members
To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default. You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.
Configuring a Class
To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value.
Step 1
hostname(config)# class nameThe name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.
Step 2
•
hostname(config-resmgmt)# limit-resource all {number% | 0}The number is an integer greater than or equal to 1. 0 (without a percent sign (%)) sets the resources to the system limit. You can assign more than 100 percent if you want to oversubscribe the device.
•
hostname(config-resmgmt)# limit-resource [rate] resource_name number[%]For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set the rate per second for certain resources. See Table 4-2 for resources for which you can set the rate per second.
Table 4-2 lists the resource types and the limits. See also the show resource types command.
For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:
hostname(config)# class defaulthostname(config-class)# limit-resource conns 10%All other resources remain at unlimited.
To add a class called gold with all resources set to 5 percent, except for fixups, with a setting of 10 percent, enter the following commands:
hostname(config)# class goldhostname(config-class)# limit-resource all 5%hostname(config-class)# limit-resource fixups 10%To add a class called silver with all resources set to 3 percent, except for syslogs, with a setting of 500 per second, enter the following commands:
hostname(config)# class silverhostname(config-class)# limit-resource all 3%hostname(config-class)# limit-resource rate syslogs 500Configuring a Security Context
The security context definition in the system configuration identifies the context name, configuration file URL, interfaces that a context can use, and other context parameters.
Note
If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command:hostname(config)#admin-context name
Although this context name does not yet exist in your configuration, you can subsequently enter the context name command to match the specified name to continue the admin context configuration.
To configure a context in the system configuration, perform the following steps:
Step 1
hostname(config)# context nameThe name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named "customerA" and "CustomerA," for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen.
"System" or "Null" (in upper or lower case letters) are reserved names, and cannot be used.
Step 2
hostname(config-ctx)# description textStep 3
hostname(config-ctx)# allocate-interface vlannumber[-vlannumber] [map_name[-map_name] [invisible | visible]]You can enter this command multiple times to specify different ranges. If you remove an allocation with the no form of this command, then any context commands that include this interface are removed from the running configuration.
Enter a VLAN number or a range of VLANs, typically from 2 to 1000 and from 1025 to 4094 (see the switch documentation for supported VLANs). To see a list of VLANs assigned to the FWSM, use the show vlan command. You can allocate a VLAN that is not yet assigned to the FWSM, but you need to assign them from the switch if you want them to pass traffic. When you allocate an interface, the FWSM automatically adds the interface command for each VLAN in the system configuration.
You can assign the same VLANs to multiple contexts in routed mode, if desired. See the "Sharing Interfaces Between Contexts" section for more information about shared VLAN limitations.
The map_name is an alphanumeric alias for the interface that can be used within the context instead of the VLAN ID. If you do not specify a mapped name, the VLAN ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context. You can use the same name in multiple contexts; the VLAN ID in multiple contexts can be the same or different for a given name. You cannot use the same name for different VLAN IDs in the same context.
A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:
int0intaint_0If you specify a range of VLAN IDs, you can specify a matching range of mapped names. Follow these guidelines for ranges:
•
int0-int10•
vlan100-vlan199 int1-int100If you enter vlan100-vlan199 int1-int15 or vlan100-vlan199 happy1-sad5, for example, the command fails.
If you set a mapped name, specify visible to see the VLAN ID in addition to the mapped name in the show interface command. The default invisible keyword specifies to only show the mapped name.
The following example shows VLANs 100, 200, and 300 through 305 assigned to the context. The mapped names are int1 through int8.
hostname(config-ctx)# allocate-interface vlan100 int1hostname(config-ctx)# allocate-interface vlan200 int2hostname(config-ctx)# allocate-interface vlan300-vlan305 int3-int8Step 4
hostname(config-ctx)# config-url urlWhen you add a context URL, the system immediately loads the context so that it is running, if the configuration is available.
Note
See the following URL syntax:
•
This URL indicates the internal flash memory. The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:
WARNING: Could not fetch the URL disk:/urlINFO: Creating context with default configYou can then change to the context, configure it at the CLI, and enter the write memory command to write the file to flash memory.
Note
•
The type can be one of the following keywords:
–
–
–
–
The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:
WARNING: Could not fetch the URL ftp://urlINFO: Creating context with default configYou can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the FTP server.
•
The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:
WARNING: Could not fetch the URL http://urlINFO: Creating context with default configIf you change to the context and configure the context at the CLI, you cannot save changes back to HTTP or HTTPS servers using the write memory command. You can, however, use the copy tftp command to copy the running configuration to a TFTP server.
•
The server must be accessible from the admin context. Specify the interface name if you want to override the route to the server address. The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:
WARNING: Could not fetch the URL tftp://urlINFO: Creating context with default configYou can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the TFTP server.
To change the URL, reenter the config-url command with a new URL.
See the "Changing the Security Context URL" section for more information about changing the URL.
For example, enter the following command:
hostname(config-ctx)# config-url ftp://user1:passw0rd1@10.1.1.1/configlets/test.cfgStep 5
hostname(config-ctx)# member class_nameIf you do not specify a class, the context belongs to the default class. You can only assign a context to one resource class.
For example, to assign the context to the gold class, enter the following command:
hostname(config-ctx)# member goldStep 6
hostname(config-ctx)# allocate-acl-partition partition_numberThe partition_number is an integer from 0 to the number of partitions available, minus 1. The default is 12 partitions, so the range is 0 to 11. See the "Setting the Number of Memory Partitions" section to configure the number of memory partitions.
When you assign a context to a partition, then the partition becomes exclusive. An exclusive partition only includes contexts that you specifically assign to it. Partitions that do not have contexts specifically assigned to them are non-exclusive and contexts are allocated to them in a round-robin fashion.
Note
For example, to assign the context to the first partition, enter the following command:
hostname(config-ctx)# allocate-acl-partition 0The following example sets the admin context to be "administrator," creates a context called "administrator" on the internal flash memory, and then adds two contexts from an FTP server:
hostname(config)# admin-context administratorhostname(config)# context administratorhostname(config-ctx)# allocate-interface vlan10hostname(config-ctx)# allocate-interface vlan11hostname(config-ctx)# config-url disk:/admin.cfghostname(config-ctx)# context testhostname(config-ctx)# allocate-interface vlan100 int1hostname(config-ctx)# allocate-interface vlan102 int2hostname(config-ctx)# allocate-interface vlan110-vlan115 int3-int8hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfghostname(config-ctx)# member goldhostname(config-ctx)# allocate-acl-partition 0hostname(config-ctx)# context samplehostname(config-ctx)# allocate-interface vlan200 int1hostname(config-ctx)# allocate-interface vlan212 int2hostname(config-ctx)# allocate-interface vlan230-vlan235 int3-int8hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfghostname(config-ctx)# member silverChanging Between Contexts and the System Execution Space
If you log in to the system execution space (or the admin context using Telnet or SSH), you can change between contexts and perform configuration and monitoring tasks within each context. The running configuration that you edit in a configuration mode, or that is affected by the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays. You can, however, save all context running configurations from the system execution space using the write memory all command.
For information about command authorization when you change between contexts, see the "Management Access to Security Contexts" section.
To change between the system execution space and a context, or between contexts, see the following commands:
•
hostname# changeto context nameThe prompt changes to the following:
hostname/name#•
hostname/admin# changeto systemThe prompt changes to the following:
hostname#Managing Security Contexts
This section describes how to manage security contexts, and includes the following topics:
•
Removing a Security Context
You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts using the clear context command.
Note
Use the following commands for removing contexts:
•
hostname(config)# no context name•
hostname(config)# clear contextChanging the Admin Context
The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users.
You can set any context to be the admin context, as long as the configuration file is stored in the internal flash memory. To set the admin context, enter the following command in the system execution space:
hostname(config)# admin-context context_nameAny remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin context are terminated. You must reconnect to the new admin context.
Note
Changing the Security Context URL
You cannot change the security context URL without reloading the configuration from the new URL.
The FWSM merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.
To change the URL for a context, perform the following steps:
Step 1
hostname# changeto context namehostname/name# configure terminalhostname/name(config)# clear configure allStep 2
hostname/name(config)# changeto systemStep 3
hostname(config)# context nameStep 4
hostname(config)# config-url new_urlThe system immediately loads the context so that it is running.
Reloading a Security Context
You can reload the context in two ways:
•
This action clears most attributes associated with the context, such as connections and NAT tables.
•
This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system requires you to respecify the URL and interfaces.
This section includes the following topics:
•
•
Reloading by Clearing the Configuration
To reload the context by clearing the context configuration, and reloading the configuration from the URL, perform the following steps:
Step 1
hostname# changeto context nameStep 2
hostname/name# configure terminalStep 3
hostname/name(config)# clear configure allThis command clears all connections.
Step 4
hostname/name(config)# copy startup-config running-configThe FWSM copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.
Reloading by Removing and Readding the Context
To reload the context by removing the context and then readding it, perform the steps in the following topics:
1.
2.
Monitoring Security Contexts
This section describes how to view and monitor context information, and includes the following topics:
•
Viewing Context Information
From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL.
From the system execution space, view all contexts by entering the following command:
hostname# show context [name | detail| count]The detail option shows additional information. See the following sample displays for more information.
If you want to show information for a particular context, specify the name.
The count option shows the total number of contexts.
The following is sample output from the show context command. The following sample display shows three contexts:
hostname# show contextContext Name Class Interfaces Mode URL*admin default Vlan100,101 Routed disk:/admin.cfgcontexta Gold Vlan200,201 Transparent disk:/contexta.cfgcontextb Silver Vlan300,301 Routed disk:/contextb.cfgTotal active Security Contexts: 3Table 4-3 shows each field description.
The following is sample output from the show context detail command:
hostname# show context detailContext "admin", has been created, but initial ACL rules not completeConfig URL: disk:/admin.cfgReal Interfaces: Vlan100Mapped Interfaces: Vlan100Class: default, Flags: 0x00000013, ID: 1Context "ctx", has been created, but initial ACL rules not completeConfig URL: disk:/ctx.cfgReal Interfaces: Vlan10,20,30Mapped Interfaces: int1, int2, int3Class: default, Flags: 0x00000011, ID: 2Context "system", is a system resourceConfig URL: startup-configReal Interfaces:Mapped Interfaces: Vlan100,10,20,30Class: default, Flags: 0x00000019, ID: 257Context "null", is a system resourceConfig URL: ... null ...Real Interfaces:Mapped Interfaces:Class: default, Flags: 0x00000009, ID: 258See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the detail output.
The following is sample output from the show context count command:
hostname# show context countTotal active contexts: 2Viewing Resource Allocation
From the system execution space, you can view the allocation for each resource across all classes and class members.
To view the resource allocation, enter the following command:
hostname# show resource allocation [detail]This command shows the resource allocation, but does not show the actual resources being used. See the "Viewing Resource Usage" section for more information about actual resource usage.
The detail argument shows additional information. See the following sample displays for more information.
The following is sample output from the show resource allocation comamnd, and shows the total allocation of each resource as an absolute value and as a percentage of the available system resources:
hostname# show resource allocationResource Total % of AvailConns [rate] 35000 35.00%Fixups [rate] 35000 35.00%Syslogs [rate] 10500 35.00%Conns 305000 30.50%Hosts 78842 30.07%IPsec 7 35.00%SSH 35 35.00%Telnet 35 35.00%Xlates 91749 34.99%All unlimitedTable 4-4 shows each field description.
The following is sample putput from the show resource allocation detail command:
hostname# show resource allocation detailResource Origin:A Value was derived from the resource 'all'C Value set in the definition of this classD Value set in default classResource Class Mmbrs Origin Limit Total Total %Conns [rate] default all CA unlimitedgold 1 C 34000 34000 20.00%silver 1 CA 17000 17000 10.00%bronze 0 CA 8500All Contexts: 3 51000 30.00%Fixups [rate] default all CA unlimitedgold 1 DA unlimitedsilver 1 CA 10000 10000 10.00%bronze 0 CA 5000All Contexts: 3 10000 10.00%Syslogs [rate] default all CA unlimitedgold 1 C 6000 6000 20.00%silver 1 CA 3000 3000 10.00%bronze 0 CA 1500All Contexts: 3 9000 30.00%Conns default all CA unlimitedgold 1 C 200000 200000 20.00%silver 1 CA 100000 100000 10.00%bronze 0 CA 50000All Contexts: 3 300000 30.00%Hosts default all CA unlimitedgold 1 DA unlimitedsilver 1 CA 26214 26214 9.99%bronze 0 CA 13107All Contexts: 3 26214 9.99%IPSec default all C 5gold 1 D 5 5 50.00%silver 1 CA 1 1 10.00%bronze 0 CA unlimitedAll Contexts: 3 11 110.00%SSH default all C 5gold 1 D 5 5 5.00%silver 1 CA 10 10 10.00%bronze 0 CA 5All Contexts: 3 20 20.00%Telnet default all C 5gold 1 D 5 5 5.00%silver 1 CA 10 10 10.00%bronze 0 CA 5All Contexts: 3 20 20.00%Xlates default all CA unlimitedgold 1 DA unlimitedsilver 1 CA 23040 23040 10.00%bronze 0 CA 11520All Contexts: 3 23040 10.00%mac-addresses default all C 65535gold 1 D 65535 65535 100.00%silver 1 CA 6553 6553 9.99%bronze 0 CA 3276All Contexts: 3 137623 209.99%Table 4-5 shows each field description.
Viewing Resource Usage
From the system execution space, you can view the resource usage for each context and display the system resource usage.
From the system execution space, view the resource usage for each context by entering the following command:
hostname# show resource usage [context context_name | top n | all | summary | system] [resource {resource_name | all} | detail] [counter counter_name [count_threshold]]By default, all context usage is displayed; each context is listed separately.
Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option.
The summary option shows all context usage combined.
The system option shows all context usage combined, but shows the system limits for resources instead of the combined context limits.
For the resource resource_name, see Table 4-2 for available resource names. See also the show resource type command. Specify all (the default) for all types.
The detail option shows the resource usage of all resources, including those you cannot manage. For example, you can view the number of TCP intercepts.
The counter counter_name is one of the following keywords:
•
•
•
•
The count_threshold sets the number above which resources are shown. The default is 1. If the usage of the resource is below the number you set, then the resource is not shown. If you specify all for the counter name, then the count_threshold applies to the current usage.
Note
The following is sample output from the show resource usage context command, which shows the resource usage for the admin context:
hostname# show resource usage context adminResource Current Peak Limit Denied ContextTelnet 1 1 5 0 adminConns 44 55 N/A 0 adminHosts 45 56 N/A 0 adminThe following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.
hostname# show resource usage summaryResource Current Peak Limit Denied ContextSyslogs [rate] 1743 2132 12000(U) 0 SummaryConns 584 763 100000(S) 0 SummaryXlates 8526 8966 93400 0 SummaryHosts 254 254 262144 0 SummaryConns [rate] 270 535 42200 1704 SummaryFixups [rate] 270 535 100000(S) 0 SummaryU = Some contexts are unlimited and are not included in the total.S = System limit: Combined context limits exceed the system limit; the system limit is shown.The following is sample output from the show resource usage system counter all 0 command, which shows the resource usage for all contexts, but it shows the system limit instead of the combined context limits:
hostname# show resource usage system counter all 0Resource Current Peak Limit Denied ContextTelnet 0 0 100 0 SystemSSH 0 0 100 0 SystemASDM 0 0 80 0 SystemIPSec 0 0 10 0 SystemSyslogs [rate] 0 0 30000 0 SystemConns 0 0 1000000 0 SystemXlates 0 0 262144 0 SystemHosts 0 0 262144 0 SystemConns [rate] 0 0 170000 0 SystemFixups [rate] 0 0 100000 0 SystemMac-addresses 0 0 65535 0 SystemMonitoring SYN Attacks in Contexts
The FWSM prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold of a connection is crossed, the FWSM acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the FWSM receives an ACK back from the client, it can then authenticate the client and allow the connection to the server.
You can monitor the rate of attacks for individual contexts using the show perfmon command; you can monitor the amount of resources being used by TCP intercept for individual contexts using the show resource usage detail command; you can monitor the resources being used by TCP intercept for the entire system using the show resource usage summary detail command.
The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin:
hostname/admin# show perfmonContext:adminPERFMON STATS: Current AverageXlates 0/s 0/sConnections 0/s 0/sTCP Conns 0/s 0/sUDP Conns 0/s 0/sURL Access 0/s 0/sURL Server Req 0/s 0/sWebSns Req 0/s 0/sTCP Fixup 0/s 0/sHTTP Fixup 0/s 0/sFTP Fixup 0/s 0/sAAA Authen 0/s 0/sAAA Author 0/s 0/sAAA Account 0/s 0/sTCP Intercept 322779/s 322779/sThe following is sample output from the show resource usage detail command that shows the amount of resources being used by TCP Intercept for individual contexts. (Sample text in italics shows the TCP intercept information.)
hostname(config)# show resource usage detailResource Current Peak Limit Denied Contextmemory 843732 847288 unlimited 0 adminchunk:channels 14 15 unlimited 0 adminchunk:fixup 15 15 unlimited 0 adminchunk:hole 1 1 unlimited 0 adminchunk:ip-users 10 10 unlimited 0 adminchunk:list-elem 21 21 unlimited 0 adminchunk:list-hdr 3 4 unlimited 0 adminchunk:route 2 2 unlimited 0 adminchunk:static 1 1 unlimited 0 admintcp-intercept-rate 328787 803610 unlimited 0 adminnp-statics 3 3 unlimited 0 adminstatics 1 1 unlimited 0 adminace-rules 1 1 N/A 0 adminconsole-access-rul 2 2 N/A 0 adminfixup-rules 14 15 N/A 0 adminmemory 959872 960000 unlimited 0 c1chunk:channels 15 16 unlimited 0 c1chunk:dbgtrace 1 1 unlimited 0 c1chunk:fixup 15 15 unlimited 0 c1chunk:global 1 1 unlimited 0 c1chunk:hole 2 2 unlimited 0 c1chunk:ip-users 10 10 unlimited 0 c1chunk:udp-ctrl-blk 1 1 unlimited 0 c1chunk:list-elem 24 24 unlimited 0 c1chunk:list-hdr 5 6 unlimited 0 c1chunk:nat 1 1 unlimited 0 c1chunk:route 2 2 unlimited 0 c1chunk:static 1 1 unlimited 0 c1tcp-intercept-rate 16056 16254 unlimited 0 c1globals 1 1 unlimited 0 c1np-statics 3 3 unlimited 0 c1statics 1 1 unlimited 0 c1nats 1 1 unlimited 0 c1ace-rules 2 2 N/A 0 c1console-access-rul 2 2 N/A 0 c1fixup-rules 14 15 N/A 0 c1memory 232695716 232020648 unlimited 0 systemchunk:channels 17 20 unlimited 0 systemchunk:dbgtrace 3 3 unlimited 0 systemchunk:fixup 15 15 unlimited 0 systemchunk:ip-users 4 4 unlimited 0 systemchunk:list-elem 1014 1014 unlimited 0 systemchunk:list-hdr 1 1 unlimited 0 systemchunk:route 1 1 unlimited 0 systemblock:16384 510 885 unlimited 0 systemblock:2048 32 34 unlimited 0 systemThe following sample output from the show resource usage summary detail command shows the resources being used by TCP intercept for the entire system. (Sample text in italics shows the TCP intercept information.)
hostname(config)# show resource usage summary detailResource Current Peak Limit Denied Contextmemory 238421312 238434336 unlimited 0 Summarychunk:channels 46 48 unlimited 0 Summarychunk:dbgtrace 4 4 unlimited 0 Summarychunk:fixup 45 45 unlimited 0 Summarychunk:global 1 1 unlimited 0 Summarychunk:hole 3 3 unlimited 0 Summarychunk:ip-users 24 24 unlimited 0 Summarychunk:udp-ctrl-blk 1 1 unlimited 0 Summarychunk:list-elem 1059 1059 unlimited 0 Summarychunk:list-hdr 10 11 unlimited 0 Summarychunk:nat 1 1 unlimited 0 Summarychunk:route 5 5 unlimited 0 Summarychunk:static 2 2 unlimited 0 Summaryblock:16384 510 885 8192(S) 0 Summaryblock:2048 32 35 1000(S) 0 Summarytcp-intercept-rate 341306 811579 unlimited 0 Summaryglobals 1 1 1051(S) 0 Summarynp-statics 6 6 4096(S) 0 Summarystatics 2 2 2048(S) 0 Summarynats 1 1 2048(S) 0 Summaryace-rules 3 3 116448(S) 0 Summaryconsole-access-rul 4 4 4356(S) 0 Summaryfixup-rules 43 44 8032(S) 0 SummaryS = System: Total exceeds the system limit; the system limit is shown
