Cisco 7604 Configuration Guide - Page 404
Permitting or Denying Application Types with PISA Integration
Chapter 21 Configuring Advanced Connection Features

where policy_map_name is the policy map you configured in Step 2.

To apply the policy map to traffic on all the interfaces, use the global keyword. To apply the policy map to traffic on a specific interface, use the interface interface_name option, where interface_name is the name assigned to the interface with the nameif command.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can apply only one policy map to each interface.

The following example sets the maximum number of TCP and UDP connections to 5000 and the maximum connection rate to 500 connections per second, and sets the embryonic (half-open) timeout to 40 seconds, the half-closed timeout to 20 minutes, and the idle timeout to 2 hours for traffic going to 10.1.1.1. Timeouts are written as hh:mm:ss.

    hostname(config)# access-list CONNS permit ip any host 10.1.1.1
    hostname(config)# class-map conns
    hostname(config-cmap)# match access-list CONNS
    hostname(config-cmap)# policy-map conns
    hostname(config-pmap)# class conns
    hostname(config-pmap-c)# set connection conn-max 5000 conn-rate-limit 500
    hostname(config-pmap-c)# set connection timeout embryonic 0:0:40 half-closed 0:20:0
    hostname(config-pmap-c)# set connection timeout idle 2:0:0
    hostname(config-pmap-c)# service-policy conns interface outside

You can enter set connection commands with multiple parameters, or you can enter each parameter as a separate command. The FWSM combines the commands into one line in the running configuration.

For example, if you entered the following two commands in class configuration mode:

    hostname(config-pmap-c)# set connection timeout embryonic 0:0:40
    hostname(config-pmap-c)# set connection timeout half-closed 0:20:0

the output of the show running-config policy-map command would display the result of the two commands as a single, combined command:

    set connection timeout embryonic 0:0:40 half-closed 0:20:0

Permitting or Denying Application Types with PISA Integration

Note: This feature depends on Cisco IOS Release 12.2(18)ZYA or later, and is available only on the Catalyst 6500 switch.

The Programmable Intelligent Services Accelerator (PISA) on the switch supervisor can quickly determine the application type of a given flow by performing deep packet inspection. This determination can be made even if the traffic is not using standard ports. The FWSM can leverage the high-performance deep packet inspection of the PISA card so that it can permit or deny traffic based on the application type. Unlike the FWSM inspection feature, whose traffic passes through the control-plane path, traffic that the PISA tags can pass through the FWSM accelerated path. Another benefit of FWSM and PISA integration is that you can consolidate your security configuration on a single FWSM instead of having to configure multiple upstream switches with PISAs installed.

21-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
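Returning to the set connection example earlier on this page: the following is an added example, not code from the Cisco guide. It is a small Python script that reads the class configuration of a policy map (using only the set connection syntax shown on this page), merges separately entered set connection commands into the single combined lines that the running configuration shows, converts the hh:mm:ss timeouts to seconds so they can be compared, and flags classes that cap connections without an explicit embryonic timeout. The sample policy-map text is constructed; merging all three timeout keywords onto one line, letting a repeated keyword's later value win, and the embryonic-timeout audit rule are my assumptions, not statements from the guide, so check the result against show running-config policy-map on a real FWSM.

```python
import re

# Constructed sample input (not from the guide): the class configuration of the
# policy map from this page, with each timeout entered as a separate command, plus a
# second class that only rate-limits connections.
SAMPLE_POLICY_MAP = """\
policy-map conns
 class conns
  set connection conn-max 5000 conn-rate-limit 500
  set connection timeout embryonic 0:0:40
  set connection timeout half-closed 0:20:0
  set connection timeout idle 2:0:0
 class class-default
  set connection conn-rate-limit 100
"""

# Keywords as they appear on this page; the order is used when rendering.
LIMIT_KEYWORDS = ("conn-max", "conn-rate-limit")
TIMEOUT_KEYWORDS = ("embryonic", "half-closed", "idle")
TIMEOUT_RE = re.compile(r"^(\d+):([0-5]?\d):([0-5]?\d)$")  # hh:mm:ss


def hms_to_seconds(value):
    """Convert the guide's hh:mm:ss timeout notation (e.g. 0:20:0) to seconds."""
    m = TIMEOUT_RE.match(value)
    if not m:
        raise ValueError(f"not an hh:mm:ss timeout: {value!r}")
    h, mi, s = (int(g) for g in m.groups())
    return h * 3600 + mi * 60 + s


def _pairs(tokens):
    """Split 'kw val kw val ...' into (kw, val) pairs; reject a dangling keyword."""
    if len(tokens) % 2:
        raise ValueError("keyword without value in: " + " ".join(tokens))
    return list(zip(tokens[0::2], tokens[1::2]))


def parse_policy_map(text):
    """Return {class_name: {"limits": {...}, "timeouts": {...}}}.

    Every 'set connection' command of a class is merged into one record, mirroring
    the combining the page describes. Assumption: if a keyword is entered twice,
    the later value replaces the earlier one.
    """
    classes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("class "):
            current = line.split(None, 1)[1]
            classes.setdefault(current, {"limits": {}, "timeouts": {}})
            continue
        if not line.startswith("set connection"):
            continue  # policy-map header, description, other commands
        if current is None:
            raise ValueError("set connection outside a class: " + line)
        tokens = line.split()[2:]
        if tokens and tokens[0] == "timeout":
            for kw, val in _pairs(tokens[1:]):
                if kw not in TIMEOUT_KEYWORDS:
                    raise ValueError(f"unknown timeout keyword {kw!r}")
                hms_to_seconds(val)  # validates the hh:mm:ss format
                classes[current]["timeouts"][kw] = val
        else:
            for kw, val in _pairs(tokens):
                if kw not in LIMIT_KEYWORDS or not val.isdigit():
                    raise ValueError(f"bad set connection parameter {kw} {val}")
                classes[current]["limits"][kw] = int(val)
    return classes


def render_combined(classes):
    """Render each class with one combined limits line and one combined timeouts
    line, in the keyword order used on this page."""
    out = []
    for name, rec in classes.items():
        out.append(f" class {name}")
        limits = " ".join(f"{k} {rec['limits'][k]}" for k in LIMIT_KEYWORDS if k in rec["limits"])
        if limits:
            out.append(f"  set connection {limits}")
        timeouts = " ".join(f"{k} {rec['timeouts'][k]}" for k in TIMEOUT_KEYWORDS if k in rec["timeouts"])
        if timeouts:
            out.append(f"  set connection timeout {timeouts}")
    return "\n".join(out)


def timeouts_in_seconds(classes):
    """{class_name: {keyword: seconds}} for every timeout that is explicitly set."""
    return {name: {k: hms_to_seconds(v) for k, v in rec["timeouts"].items()}
            for name, rec in classes.items()}


def audit(classes):
    """Example review rule (my assumption, not a rule from the guide): a class that
    caps or rate-limits connections should also pin the embryonic timeout, so that
    half-open connections cannot hold the cap at the platform default for long."""
    return [f"{name}: connection limits set but no explicit embryonic timeout"
            for name, rec in classes.items()
            if rec["limits"] and "embryonic" not in rec["timeouts"]]


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE_POLICY_MAP)
    print(render_combined(parsed))
    print(timeouts_in_seconds(parsed))
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Run it against the output of show running-config policy-map from a real FWSM (after stripping the prompts) to see which classes override the global timeouts and which silently inherit them; the rendered form should match what the module itself displays, since the module performs the same combining.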