I've got an extremely stupid question - is there an IOS feature which I could use to limit the number of simultaneous established TCP sessions towards a single host? Sounds like stateful inspection but haven't seen such a thing there. TCP Intercept can't work here as it monitors half-open connections and the number of SYN packets received in the last minute. I ran out of ideas, can you help?
On the router I am not sure if there is an option to specify the number of established connections per host, but I was able to find a command for the IOS firewall feature set that allows a certain number of half-open connections per host.
Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)
The first thing you pointed to is CBAC, which implements TCP Intercept, which monitors only half-open connections. I know about the ASA solution but only have an 1812 router at the customer premises, so I'm trying to solve this with IOS. Now something else came to my mind - SLB provides a feature limiting the number of active connections:
Router(config-slb-real)# maxconns maximum-number
Specifies the maximum number of active connections allowed on the real server at one time.
The only problem is that SLB is not available for the 1812 :) Looking for other options now...