
    Understanding Non-Policy-Based Drops

    The IDP Series device inspects traffic that traverses it and takes action according to:

    • Implicit rules
    • Protocol anomaly threshold settings
    • Security policy rules

    Table 1 summarizes implicit rules that drop traffic. The related topics listed provide information about protocol anomaly threshold settings and IDP security policy rules.

    Table 1: Non-Policy-Based Drops

    Each entry below is one row of the table: the Implicit Rule, followed by its Description (whether the drop is enabled by default, the counter that records it, and whether event logs and debug logs are produced).

    Layer 2 traffic (when bypass not enabled)

    Enabled: Dropped by default. Configurable in ACM (Appliance Configuration Manager).

    When the IDP Series device is turned on and is operating normally, the traffic interfaces process TCP/IP traffic according to implicit traffic anomaly rules and explicit security policy rules. For Layer 2 connections, the interfaces process traffic, drop it, or pass it through (uninspected), according to the following rules:

    • The interfaces accept Address Resolution Protocol (ARP) and Internet Protocol version 4 (IPv4) traffic for inspection and handle it according to the implicit and explicit rules.
    • By default, the interfaces drop all other Layer 2 traffic.

    When Layer 2 bypass is enabled, the IDP Series device passes through (uninspected) the Layer 2 packets that bypass and high availability deployments depend on, such as heartbeats and Bridge Protocol Data Unit (BPDU) packets, as well as non-IPv4 packets and switching and routing protocol packets, such as IPv6, Internetwork Packet Exchange (IPX), Cisco Discovery Protocol (CDP), and Interior Gateway Routing Protocol (IGRP).

    Counter: If you do not enable Layer 2 bypass, you can use the following counters to observe Layer 2 drops:

    [root@defaulthost ~]# scio counter get kpp | grep sc_kpp_jpkt_free
    sc_kpp_jpkt_free                1374077
    
    [root@defaulthost ~]# scio counter get kpp | grep sc_kpp_other
    sc_kpp_other                    305
    

    Invalid IP header

    Enabled: By default.

    Counter:

    [root@defaulthost ~]# scio counter get kpp | grep sc_kpp_bad_ip_header
    sc_kpp_bad_ip_header            0 

    Event logs: None

    Debug logs: If debugging is enabled, debug logs are generated and saved to /var/idp/device/sysinfo/logs/.

    Invalid TCP header

    Enabled: By default.

    Counter:

    [root@defaulthost ~]# scio counter get reass | grep sc_reass_bad_tcp_header
    sc_reass_bad_tcp_header     0
    

    Event logs: Yes

    Debug logs: If debugging is enabled, debug logs are generated and saved to /var/idp/device/sysinfo/logs/.

    TCP checksum error

    Enabled: Logging for this event is disabled by default. Use the following command to enable logging for this event:

    [root@defaulthost ~]# scio const set sc_log_implicit_pkt_drop 1

    Counter:

    [root@defaulthost ~]# scio counter get reass | grep sc_reass_bad_tcp_csum
    sc_reass_bad_tcp_csum     0
    

    Event logs: If you enable logging, event logs are generated and sent to NSM and/or a syslog server.

    Debug logs: If debugging is enabled, debug logs are generated and saved to /var/idp/device/sysinfo/logs/.

    UDP checksum error

    Enabled: The counter for this event is disabled by default. Use the following command to enable it:

    [root@defaulthost ~]# scio const set sc_enable_udp_csum 1

    Counter:

    [root@defaulthost ~]# scio counter get flow | grep sc_flow_bad_udp_csum
    sc_flow_bad_udp_csum            0
    

    Event logs: If you enable logging, event logs are generated and sent to NSM and/or a syslog server.

    Debug logs: If debugging is enabled, debug logs are generated and saved to /var/idp/device/sysinfo/logs/.

    ICMP source quench

    Enabled: Dropping ICMP source quench messages is disabled by default. Use the following command to enable it:

    [root@defaulthost ~]# scio const -s s0:flow set sc_icmp_drop_source_quench 1

    Event logs: When the drop is enabled, event logs are generated and sent to NSM and/or a syslog server.

    Debug logs: If debugging is enabled, debug logs are generated and saved to /var/idp/device/sysinfo/logs/.

    TTL error

    Enabled: By default.

    Counter:

    [root@defaulthost ~]# scio counter get kpp | grep sc_kpp_ttl_error
    sc_kpp_ttl_error                0
    

    Event logs: None

    Debug logs: If debugging is enabled, debug logs are generated and saved to /var/idp/device/sysinfo/logs/.

    Memory limit of busy packet list

    Enabled: By default.

    Counter:

    [root@defaulthost ~]# scio counter get kpp | grep sc_kpp_busy_drop
    sc_kpp_busy_drop                0
    

    Event logs: None

    Debug logs: None

    Dropped by reassembly module when per-flow memory overflows

    Enabled: By default.

    Counter:

    [root@defaulthost ~]# scio counter get kpp | grep sc_kpp_fdrop
    sc_kpp_fdrop                0
    

    Event logs: None

    Debug logs: None

    Global reassembly memory overflow

    Enabled: By default.

    Counter:

    [root@defaulthost ~]# scio counter get reass | grep sc_reass_ovflw_drop
    sc_reass_ovflw_drop         0
    

    Event logs: None

    Debug logs: If debugging is enabled, debug logs are generated and saved to /var/idp/device/sysinfo/logs/.

    Transmit failure where packet has already been freed

    Enabled: By default.

    Counter:

    [root@defaulthost ~]# scio counter get kpp | grep sc_kpp_transmit_error
    sc_kpp_transmit_error                0
    

    Event logs: None

    Debug logs: None
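    Several of the drops in Table 1 (TTL error, busy packet list, per-flow and global reassembly overflow, transmit error) produce no event log, so the only evidence that the device is silently discarding traffic is a counter that moves between two readings. The following POSIX shell script is an added example, not from the Juniper page or the IDP Series software: it snapshots every Table 1 counter and reports which ones grew between a baseline and a later sample. Only the `scio counter get <module>` command and the counter names come from the page; the sample counter output is constructed, and the `SCIO_SOURCE` variable and the function names (`sample_counters`, `read_counters`, `get_counter`, `snapshot`, `report_increases`) are names chosen for this example.

```shell
#!/bin/sh
# Added example; not from the Juniper page or the IDP Series software.
# Snapshots the Table 1 implicit-drop counters and reports which ones grew
# between two samples, so a drop with no event log still surfaces.
#
# Only `scio counter get <module>` and the counter names come from the page.
# The sample output below is constructed; set SCIO_SOURCE=live on an IDP
# Series device to query scio instead.

SCIO_SOURCE=${SCIO_SOURCE:-sample}

# Constructed stand-in for `scio counter get <module>`; values are made up.
sample_counters() {
    case "$1" in
    kpp)
        printf '%s\n' \
            'sc_kpp_jpkt_free                1374077' \
            'sc_kpp_other                    305' \
            'sc_kpp_bad_ip_header            0' \
            'sc_kpp_ttl_error                12' \
            'sc_kpp_busy_drop                0' \
            'sc_kpp_fdrop                    0' \
            'sc_kpp_transmit_error           0'
        ;;
    reass)
        printf '%s\n' \
            'sc_reass_bad_tcp_header     3' \
            'sc_reass_bad_tcp_csum       41' \
            'sc_reass_ovflw_drop         0'
        ;;
    flow)
        printf '%s\n' 'sc_flow_bad_udp_csum            0'
        ;;
    *)
        return 1
        ;;
    esac
}

# read_counters MODULE: raw counter listing for one scio module.
read_counters() {
    if [ "$SCIO_SOURCE" = live ]; then
        scio counter get "$1"
    else
        sample_counters "$1"
    fi
}

# get_counter MODULE NAME: print the value of one counter; fail if absent.
# Matching the whole first field avoids the prefix ambiguity of
# `grep sc_kpp_fdrop`, which would also match any longer counter name.
get_counter() {
    read_counters "$1" | awk -v n="$2" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# "module counter" pairs for every counter listed in Table 1.
DROP_COUNTERS='kpp sc_kpp_jpkt_free
kpp sc_kpp_other
kpp sc_kpp_bad_ip_header
reass sc_reass_bad_tcp_header
reass sc_reass_bad_tcp_csum
flow sc_flow_bad_udp_csum
kpp sc_kpp_ttl_error
kpp sc_kpp_busy_drop
kpp sc_kpp_fdrop
reass sc_reass_ovflw_drop
kpp sc_kpp_transmit_error'

# snapshot: one "module counter value" line per Table 1 counter. A counter
# that scio does not report is recorded as "missing" rather than as 0.
snapshot() {
    printf '%s\n' "$DROP_COUNTERS" | while read -r module name; do
        value=$(get_counter "$module" "$name") || value=missing
        printf '%s %s %s\n' "$module" "$name" "$value"
    done
}

# report_increases BASE CUR: BASE and CUR are snapshot outputs. Prints
# "counter +delta" for each counter that grew; exits 0 if any did, else 1.
report_increases() {
    {
        printf '%s\n' "$1"
        echo '---'
        printf '%s\n' "$2"
    } | awk '
        /^---$/ { in_cur = 1; next }
        !in_cur { base[$2] = $3; next }
        $3 != "missing" && ($2 in base) && base[$2] != "missing" && $3 + 0 > base[$2] + 0 {
            printf "%s +%d\n", $2, $3 - base[$2]
            grew = 1
        }
        END { exit !grew }'
}

# Demo: take a baseline, then compare it with a constructed later sample in
# which the TCP checksum drop counter has moved from 41 to 58.
baseline=$(snapshot)
printf 'Baseline snapshot:\n%s\n\n' "$baseline"
later=$(printf '%s\n' "$baseline" | sed 's/^reass sc_reass_bad_tcp_csum 41$/reass sc_reass_bad_tcp_csum 58/')
if report_increases "$baseline" "$later"; then
    echo 'Implicit drops increased; correlate with event logs and /var/idp/device/sysinfo/logs/.'
else
    echo 'No implicit-drop counter moved.'
fi
```

    Take the baseline before reproducing the traffic you are troubleshooting and the second snapshot afterwards; a counter that grows identifies the implicit rule, while a flow that disappears without any Table 1 counter moving points instead at the protocol anomaly thresholds or the security policy rules. Note that `sc_flow_bad_udp_csum` stays at zero until `sc_enable_udp_csum` is set, so a zero there does not mean the UDP checksums were good.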

    Published: 2011-04-26