Call Admission Control (CAC) for IKE
Call Admission Control (CAC) for IKE is a resource-protection feature in Cisco IOS. It defends the router against resource exhaustion and Denial-of-Service (DoS) attacks aimed at the Internet Key Exchange (IKE) protocol by capping how many IKE sessions the router will establish or negotiate at once; once a cap is reached, further IKE requests are rejected instead of consuming memory and CPU.
CAC enforces limits on both established IKE SAs and IKE SAs still in negotiation, so that behavior under load stays predictable and legitimate tunnels that are already up keep working.
Core CAC Commands
Both commands are entered in global configuration mode.
crypto call admission limit ike sa <number>
Sets the maximum number of IKE Security Associations (established sessions) that can terminate on the router. When the limit is reached, new IKE SA requests are rejected.
crypto call admission limit ike in-negotiation-sa <number>
Sets the maximum number of IKE SAs that may be in negotiation (not yet authenticated) at the same time. These half-open negotiations are what an attacker can create cheaply and without valid credentials, so this limit is the one that matters most for DoS resistance; set it well below the SA limit and high enough to absorb a legitimate burst of reconnects after an outage.
Why use CAC:
- Prevent IKE resource exhaustion
- Limit exposure to DoS attacks
- Ensure fair and predictable session handling
Differences: Pre vs Post Cisco IOS 15.9(3)M10
Granularity of limits
Pre-15.9(3)M10
- Globally applied CAC limits
- No differentiation by VPN type or priority
Post-15.9(3)M10
- Per-policy and per-context CAC limits
- Independent control for site-to-site and remote-access VPNs
Visibility and monitoring
Pre-15.9(3)M10
- Limited visibility into CAC state
- Relied on debugging or external tools
Post-15.9(3)M10
- Real-time CAC statistics
- Threshold breach logging
Router# show crypto call admission statistics
IKE SA limit: 1000
IKE SA current: 742
In-negotiation limit: 50
In-negotiation current: 21
Status: NORMAL
Resource allocation
Pre-15.9(3)M10
- Static, inflexible limits
- Potential inefficiencies during traffic spikes
Post-15.9(3)M10
- Dynamic reallocation based on demand
- Reduced session drops under load
DoS protection
Pre-15.9(3)M10
- Basic threshold-based protection
- Vulnerable to targeted negotiation floods
Post-15.9(3)M10
- Advanced traffic pattern detection
- Prioritization of legitimate IKE sessions
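The statistics output shown in this section is only useful if something watches it. The following script is an added example (not code from the page, from Cisco, or from IOS): it parses the key/value layout of the sample `show crypto call admission statistics` output above, as captured from a router by whatever collector you already use, and flags the two conditions an operator cares about: established IKE SAs approaching the SA limit (a capacity problem) and in-negotiation SAs approaching their limit while few sessions complete (the signature of a half-open IKE negotiation flood). The two sample outputs and the warning/critical thresholds are constructed for the example.

```python
"""Threshold check over `show crypto call admission statistics` output.

Added example, not from the original page, Cisco, or IOS. Field names
follow the sample output on the page; the samples below are constructed,
and the 80%/95% thresholds are assumptions, not IOS defaults.
"""
import re

# Constructed sample: healthy router, same layout as the page's example.
SAMPLE_NORMAL = """\
Router# show crypto call admission statistics
IKE SA limit: 1000
IKE SA current: 742
In-negotiation limit: 50
In-negotiation current: 21
Status: NORMAL
"""

# Constructed sample: in-negotiation pool nearly full while few SAs complete.
SAMPLE_FLOOD = """\
Router# show crypto call admission statistics
IKE SA limit: 1000
IKE SA current: 130
In-negotiation limit: 50
In-negotiation current: 49
Status: NORMAL
"""

# "Key words: value"; the prompt line has no colon and is skipped.
_LINE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<val>\S+)\s*$")


def parse_cac_stats(text):
    """Return the counters as a dict; numeric fields become ints."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key = m.group("key").strip().lower().replace(" ", "_").replace("-", "_")
        val = m.group("val")
        stats[key] = int(val) if val.isdigit() else val
    return stats


def assess_cac(stats, warn=0.8, crit=0.95):
    """Classify utilisation of both CAC limits and explain any alert."""
    sa_lim = stats.get("ike_sa_limit", 0)
    neg_lim = stats.get("in_negotiation_limit", 0)
    sa_util = stats.get("ike_sa_current", 0) / sa_lim if sa_lim else 0.0
    neg_util = stats.get("in_negotiation_current", 0) / neg_lim if neg_lim else 0.0

    order = {"OK": 0, "WARNING": 1, "CRITICAL": 2}
    level, findings = "OK", []
    for name, util, hint in (
        ("IKE SA", sa_util, "new tunnels will be rejected at the limit"),
        ("in-negotiation SA", neg_util, "possible IKE negotiation flood"),
    ):
        if util >= crit:
            new = "CRITICAL"
        elif util >= warn:
            new = "WARNING"
        else:
            continue
        findings.append(f"{new}: {name} at {util:.0%} of limit; {hint}")
        if order[new] > order[level]:
            level = new

    # Half-open negotiations piling up while the SA table stays mostly empty
    # means sessions are being started but not finished: the shape of a
    # spoofed or incomplete IKE flood rather than a genuine reconnect storm.
    if neg_util >= warn and sa_util < 0.5:
        findings.append("NOTE: negotiations are accumulating without completing")

    return {
        "level": level,
        "sa_utilisation": round(sa_util, 3),
        "neg_utilisation": round(neg_util, 3),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("normal", SAMPLE_NORMAL), ("flood", SAMPLE_FLOOD)):
        result = assess_cac(parse_cac_stats(sample))
        print(label, result["level"], *result["findings"], sep="\n  ")
```

Run it on a scheduled capture of the command output; the interesting signal is the in-negotiation counter, because a router under a negotiation flood can report a low established-SA count and still be rejecting every new legitimate peer.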
Post-15.9(3)M10 Configuration Example
! Global IKE limits
crypto call admission limit ike sa 1000
crypto call admission limit ike in-negotiation-sa 50
! Context-based limits
crypto call admission policy context VPN_A
 limit ike sa 500
 limit ike in-negotiation-sa 25
 exit
crypto call admission policy context VPN_B
 limit ike sa 300
 limit ike in-negotiation-sa 15
 exit
Key Takeaways
- CAC protects IKE from resource exhaustion and DoS attacks
- IOS 15.9(3)M10 introduces per-context granularity
- Enhanced visibility improves operational awareness
- Dynamic allocation reduces session failures
- Legitimate VPN traffic is prioritized during attacks
Conclusion
Cisco IOS 15.9(3)M10 significantly enhances Call Admission Control for IKE by introducing granularity, dynamic behavior, and improved observability. These improvements allow administrators to fine-tune VPN scalability, strengthen DoS resistance, and maintain consistent performance under stress.
Upgrading to 15.9(3)M10 or later is strongly recommended for environments with large-scale or security-sensitive IKE deployments. Before relying on the per-context commands, confirm them against the command reference and release notes for your platform and image, and check the configured limits with show crypto call admission statistics after the upgrade.