Step 1 | enable
Enables privileged EXEC mode.

Step 2 | configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 3 | ip vrf vrf-name
Example:
Device(config)# ip vrf ddos-vrf1
Defines a VRF instance and enters VRF configuration mode.

Step 4 | rd route-distinguisher
Example:
Device(config-vrf)# rd 100:2
Specifies a route distinguisher (RD) for the VRF instance.

Step 5 | route-target export route-target-ext-community
Example:
Device(config-vrf)# route-target export 100:2
Creates a route-target extended community and exports the routing information to the target VPN extended community.

Step 6 | route-target import route-target-ext-community
Example:
Device(config-vrf)# route-target import 100:2
Creates a route-target extended community and imports routing information from the target VPN extended community.

Step 7 | exit
Exits VRF configuration mode and returns to global configuration mode.

Step 8 | parameter-map type inspect-vrf vrf-pmap-name
Example:
Device(config)# parameter-map type inspect-vrf vrf1-pmap
Configures an inspect VRF-type parameter map and enters parameter-map type inspect configuration mode.

Step 9 | max-incomplete number aggressive-aging high {value low value | percent percent low percent percent}
Example:
Device(config-profile)# max-incomplete 2000 aggressive-aging high 1500 low 1200
Configures the maximum limit and the aggressive-aging high and low limits for half-open sessions.

Step 10 | session total number [aggressive-aging {high value low value | percent percent low percent percent}]
Example:
Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60
Configures the total session limit and the aggressive-aging limit for the total number of sessions.

Step 11 | alert on
Example:
Device(config-profile)# alert on
Enables the console display of stateful packet inspection alert messages.

Step 12 | exit
Example:
Device(config-profile)# exit
Exits parameter-map type inspect configuration mode and returns to global configuration mode.

Step 13 | Enter one of the following commands:
- parameter-map type inspect-global
- parameter-map type inspect global
Example:
Device(config)# parameter-map type inspect-global
Device(config)# parameter-map type inspect global
Configures a global parameter map and enters parameter-map type inspect configuration mode.
Depending on your release, either the parameter-map type inspect-global command or the parameter-map type inspect global command is supported; you cannot configure both commands together.
- Skip Step 14 if you configure the parameter-map type inspect-global command.
Note: If you configure the parameter-map type inspect-global command, per-box configurations are not supported because, by default, all per-box configurations apply to all firewall sessions.

Step 14 | vrf vrf-name inspect vrf-pmap-name
Example:
Device(config-profile)# vrf vrf1 inspect vrf1-pmap
Binds a VRF to a parameter map.

Step 15 | exit
Example:
Device(config-profile)# exit
Exits parameter-map type inspect configuration mode and returns to global configuration mode.

Step 16 | parameter-map type inspect parameter-map-name
Example:
Device(config)# parameter-map type inspect pmap1
Configures an inspect-type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action, and enters parameter-map type inspect configuration mode.

Step 17 | tcp idle-time seconds [ageout-time seconds]
Example:
Device(config-profile)# tcp idle-time 3000 ageout-time 100
Configures the timeout for idle TCP sessions and the aggressive aging-out time for TCP sessions.

Step 18 | tcp synwait-time seconds [ageout-time seconds]
Example:
Device(config-profile)# tcp synwait-time 30 ageout-time 10
Specifies how long the software waits for a TCP session to reach the established state before dropping the session.
When aggressive aging is enabled, the SYN wait timer of the oldest TCP connections is reset from the default to the configured ageout time. In this example, instead of waiting 30 seconds for connections to time out, the timeout of the oldest TCP connections is set to 10 seconds. Aggressive aging is disabled when the number of connections drops below the low watermark.

Step 19 | exit
Example:
Device(config-profile)# exit
Exits parameter-map type inspect configuration mode and returns to global configuration mode.

Step 20 | policy-map type inspect policy-map-name
Example:
Device(config)# policy-map type inspect ddos-fw
Creates a protocol-specific inspect-type policy map and enters QoS policy-map configuration mode.

Step 21 | class type inspect match-any class-map-name
Example:
Device(config-pmap)# class type inspect match-any ddos-class
Specifies the traffic (class) on which an action is to be performed and enters QoS policy-map class configuration mode.

Step 22 | inspect parameter-map-name
Example:
Device(config-pmap-c)# inspect pmap1
Enables stateful packet inspection for the parameter map.

Step 23 | end
Example:
Device(config-pmap-c)# end
Exits QoS policy-map class configuration mode and returns to privileged EXEC mode.

Step 24 | show policy-firewall stats vrf vrf-pmap-name
Example:
Device# show policy-firewall stats vrf vrf1-pmap
Displays VRF-level policy firewall statistics.
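The following simulation, added here as an illustration and not Cisco's code, shows how the half-open session watermarks of Step 9 interact with the synwait-time and ageout-time of Step 18: above the high watermark the oldest half-open sessions are aged with the short ageout timer, and aggressive aging switches off again once the count falls below the low watermark. The class and function names are hypothetical; the threshold values are the ones used in the page's examples, and the SYN flood input is constructed.

```python
# Added example (not Cisco's code): simulates the half-open session watermarks
# and aggressive aging described in Steps 9, 17 and 18. Names are hypothetical;
# the threshold values are the ones used in the page's examples.
from dataclasses import dataclass, field

@dataclass
class AggressiveAging:
    synwait_time: float = 30.0   # tcp synwait-time 30
    ageout_time: float = 10.0    # ... ageout-time 10
    max_incomplete: int = 2000   # max-incomplete 2000
    high: int = 1500             # aggressive-aging high 1500
    low: int = 1200              # ... low 1200
    half_open: list = field(default_factory=list)  # (sid, syn_time) pairs
    aggressive: bool = False

    def _update_mode(self):
        # Hysteresis: on above the high watermark, off below the low one.
        n = len(self.half_open)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False

    def add_syn(self, sid, now):
        """Admit a new half-open session unless the hard limit is reached."""
        if len(self.half_open) >= self.max_incomplete:
            return False
        self.half_open.append((sid, now))
        self._update_mode()
        return True

    def expire(self, now):
        """Age out half-open sessions, oldest first; returns the dropped ids."""
        dropped = []
        for sid, syn_time in sorted(self.half_open, key=lambda s: s[1]):
            self._update_mode()  # re-evaluate as the count falls
            timeout = self.ageout_time if self.aggressive else self.synwait_time
            if now - syn_time >= timeout:
                self.half_open.remove((sid, syn_time))
                dropped.append(sid)
        return dropped

def syn_flood_scenario():
    """Constructed input: 1600 SYNs over 16 s, then a timer tick at t=20 s.
    Without aggressive aging nothing would expire (all sessions < 30 s old)."""
    fw = AggressiveAging()
    for i in range(1600):
        fw.add_syn(i, i / 100)
    dropped = fw.expire(20.0)
    return len(dropped), len(fw.half_open), fw.aggressive
```

With the page's values the tick drops the 401 oldest half-open sessions, which is exactly enough to bring the count from 1600 to 1199, below the low watermark of 1200, after which the remaining sessions keep the normal 30-second SYN wait.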