Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Chapter 4
Configuring Interface Normalization Parameters

Configuring SYN Cookie DoS Protection on an Interface
• If you are configuring the SYN cookie feature on a bridged VLAN with non-loadbalanced flows, you must configure static routes for non-loadbalanced destinations that do not reside in the same subnet as the bridge-group virtual interface (BVI).
  For example, assuming the following configuration:
  – BVI IP address is 192.168.1.1
  – Gateway1 IP address 192.168.1.2 to reach external network 172.16.1.0
  – Gateway2 IP address 192.168.1.3 to reach external network 172.31.1.0
  Configure the following static routes:
  – ip route 172.16.1.0 255.255.255.0 192.168.1.2
  – ip route 172.31.1.0 255.255.255.0 192.168.1.3
To configure SYN-cookie-based DoS protection, use the syn-cookie command in
interface configuration mode. The syntax of this command is as follows:
syn-cookie number
The number is the embryonic connection threshold above which the ACE applies
SYN-cookie DoS protection. Enter an integer from 1 to 65535.
For example, to configure SYN-cookie DoS protection for servers in a data center
connected to VLAN 100, enter:
host1/C1(config)# interface vlan 100
host1/C1(config-if)# syn-cookie 4096
To remove SYN-cookie DoS protection from the interface, enter:
host1/C1(config-if)# no syn-cookie
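The threshold behaviour described above, as an added toy model that is not the ACE's implementation: half-open connections are tracked normally until their count exceeds the configured number, after which SYNs are answered with stateless SYN cookies that can later be validated without stored state. The cookie layout (5-bit time counter, 2-bit MSS index, 25-bit keyed hash), the MSS table, the key handling and the exact threshold comparison are all assumptions made for this example.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)              # per-process key; a real stack rotates it
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS values encodable in 2 bits (assumed)

def _keyed(src, dst, sport, dport, counter):
    """32-bit keyed hash of the connection 4-tuple and a coarse time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(src, dst, sport, dport, mss, counter):
    """ISN = 5-bit time counter | 2-bit MSS index | 25-bit keyed hash (assumed layout)."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _keyed(src, dst, sport, dport, counter) & 0x1FFFFFF
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | h

def check_cookie(src, dst, sport, dport, ack, now_counter, max_age=4):
    """Validate a handshake's final ACK statelessly; returns the MSS, or None if stale/forged."""
    cookie = (ack - 1) & 0xFFFFFFFF
    age = ((now_counter & 0x1F) - (cookie >> 27)) & 0x1F
    if age > max_age:
        return None                      # cookie too old (or counter field forged)
    expected = _keyed(src, dst, sport, dport, now_counter - age) & 0x1FFFFFF
    if (cookie & 0x1FFFFFF) != expected:
        return None                      # hash mismatch: not a cookie we issued
    return MSS_TABLE[(cookie >> 25) & 0x3]

class Interface:
    """Models 'syn-cookie <number>': half-open connections are tracked normally
    until their count exceeds the threshold, then SYNs are answered statelessly."""
    def __init__(self, syn_cookie_threshold):
        self.threshold = syn_cookie_threshold
        self.embryonic = {}   # 4-tuple -> ISN for tracked half-open connections

    def on_syn(self, src, dst, sport, dport, mss, counter):
        if len(self.embryonic) > self.threshold:   # exact ACE comparison is assumed
            return "cookie", make_cookie(src, dst, sport, dport, mss, counter)
        isn = _keyed(src, dst, sport, dport, counter)
        self.embryonic[(src, dst, sport, dport)] = isn
        return "stateful", isn

    def on_ack(self, src, dst, sport, dport, ack, counter):
        """True if the ACK completes a handshake, via table lookup or cookie check."""
        isn = self.embryonic.pop((src, dst, sport, dport), None)
        if isn is not None:
            return ack == ((isn + 1) & 0xFFFFFFFF)
        return check_cookie(src, dst, sport, dport, ack, counter) is not None
```

Note that once cookies are in use the embryonic table stops growing, which is the point of the feature: a SYN flood can no longer exhaust connection state, while legitimate clients that complete the handshake are still admitted.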
Configuring How the ACE Handles the Don't Fragment Bit

Occasionally, an ACE may receive a packet that has its Don't Fragment (DF) bit
set in the IP header. This flag tells network routers and the ACE not to fragment
the packet and to forward it in its entirety. To configure how the ACE handles the
DF bit, use the ip df command in interface configuration mode. The syntax of this
command is as follows:
Configuring TCP/IP Normalization and IP Reassembly Parameters
OL-16202-01