Cisco WS-C6506 Software Manual page 411

Catalyst 6500 series switch
Chapter 15
Configuring Access Control
Configuring Rate Limiting for Cisco IOS ACL Logging
To configure rate limiting for Cisco IOS ACL logging, perform this task in privileged mode:

        Task                                                          Command
Step 1  Enable ACL logging and specify a rate for Cisco IOS ACL       set acllog ratelimit rate
        logging rate limiting.
Step 2  Show the ACL logging status.                                  show acllog
This example shows how to enable ACL logging and specify a rate of 500 for Cisco IOS ACL logging rate limiting:
Console> (enable) set acllog ratelimit 500
If the ACLs-LOG were already applied, the rate limit mechanism will be effective on system
restart, or after shut/no shut the interface.
Console> (enable)
Console> (enable) show acllog
ACL log rate limit enabled, rate = 500 pps.
Console> (enable)
This example shows how to clear (disable) ACL logging. After clearing ACL logging, the bridge action remains unchanged; the system behavior is the same as before the set acllog ratelimit command was issued.
Console> (enable) clear acllog
ACL log rate limit is cleared.
If the ACLs-LOG were already applied, the rate limit mechanism will be disabled on system
restart, or after shut/no shut the interface.
Console> (enable)
Reflexive ACLs
ICMP packets are handled in software. TCP and UDP flows are handled in hardware once the flow is established. When reflexive ACLs are applied, the flow mask is changed to VLAN-full flow.
TCP Intercept
Note: TCP intercept is not supported with Supervisor Engine 720 (PFC3A/PFC3B/PFC3BXL) or Supervisor Engine 32 (PFC3B/PFC3BXL).
TCP intercept is a software feature that protects TCP servers from TCP SYN-flooding attacks, which are denial-of-service attacks. TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts the TCP synchronization (SYN) packets sent from clients to servers that match an extended access list. The software establishes the connection with the client on behalf of the destination server and, if that succeeds, establishes the connection with the server on behalf of the client and binds the two half-connections together transparently. This process ensures that connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward the packets for the duration of the connection.
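How intercept mode handles the handshake, as an added Python model that is not Cisco's code and not from this guide: the interceptor answers each client SYN on the server's behalf and opens the server side only after the client completes the handshake, so half-open entries from hosts that never ACK expire without the server ever seeing a SYN. The addresses, the 30-second half-open timeout and the single-address ACL match are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    """Stand-in for the protected TCP server: records every SYN it receives."""
    syns_seen: list = field(default_factory=list)

    def handshake(self, src):
        self.syns_seen.append(src)  # SYN from the interceptor reaches the server
        return True                 # server replies SYN-ACK, interceptor ACKs

@dataclass
class Intercept:
    """Toy TCP intercept state: answers SYNs for the server, binds completed halves."""
    server: Server
    acl_dst: str                # extended ACL stand-in: intercept SYNs to this address
    timeout: float = 30.0       # assumed lifetime of a half-open client connection (s)
    half_open: dict = field(default_factory=dict)  # client -> time its SYN arrived
    bound: set = field(default_factory=set)        # clients spliced to the server

    def on_client_syn(self, client, dst, now):
        if dst != self.acl_dst:
            return "forwarded"  # not matched by the ACL: passed through untouched
        self.half_open[client] = now
        return "syn-ack"        # answered on behalf of the server; server sees nothing

    def on_client_ack(self, client):
        if client not in self.half_open:
            return "dropped"    # no half-open entry for this client
        del self.half_open[client]
        if self.server.handshake(client):  # only now open the server side
            self.bound.add(client)         # bind the two half-connections
            return "bound"
        return "reset"

    def expire(self, now):
        stale = [c for c, t in self.half_open.items() if now - t >= self.timeout]
        for c in stale:
            del self.half_open[c]   # abandoned half-open entry; server never saw it
        return stale

def run_demo():
    srv = Server()
    tcpi = Intercept(server=srv, acl_dst="10.1.1.10")   # constructed addresses
    for i in range(3):              # constructed: SYNs from hosts that never ACK
        tcpi.on_client_syn(f"192.0.2.{i}", "10.1.1.10", now=0.0)
    tcpi.on_client_syn("198.51.100.7", "10.1.1.10", now=1.0)  # constructed real client
    tcpi.on_client_ack("198.51.100.7")
    return {"server_syns": srv.syns_seen, "bound": sorted(tcpi.bound),
            "expired": sorted(tcpi.expire(now=31.0))}
```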
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, OL-8978-04, Chapter 15 Configuring Access Control, Using Cisco IOS ACLs in your Network, page 15-15