Example Of A Tcp/Ip Normalization And Ip Reassembly Configuration - Cisco 4700M Configuration Manual

Application control engine appliance security

Example of a TCP/IP Normalization and IP Reassembly Configuration

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Chapter 4
For example, enter:
host1/C1(config-if)# fragment timeout 15
To reset the fragment timeout to the default value of 5 seconds, enter:
host1/C1(config-if)# no fragment timeout
The following example illustrates a running-configuration in which the ACE uses
TCP normalization to perform checks for Layer 4 packets that have invalid or
suspect conditions and to take the appropriate actions based on the configured
TCP connection parameter map settings. The ACE uses TCP normalization to
block certain types of network attacks. This configuration also includes IP
fragment reassembly parameters. The TCP/IP normalization and IP fragment
reassembly configuration appears in bold in the example.
In the following configuration, the ACE does the following:
• Includes a connection parameter map that groups together TCP/IP
  normalization and termination parameters, such as a connection inactivity
  timer, ToS for an IP packet, and discarding the SYN segments that contain
  data. The connection parameter map is associated as an action in the TCP/IP
  policy map.
• Configures additional IP normalization parameters for a specific VLAN
  interface, such as clearing all IP options from the packet, defining the
  number of hops that a packet is allowed to take to reach its destination,
  and permitting packets with the DF bit set.
• Configures IP fragment reassembly parameters for a specific VLAN
  interface, such as the minimum fragment size that the ACE accepts for
  reassembly and the maximum number of fragments that belong to the same
  packet that the ACE accepts for reassembly.
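Added example, not from the Cisco guide: a Python check that reads a running-configuration of the shape described above and reports, per VLAN interface, the IP normalization and fragment reassembly settings and whether the connection parameter map reached through the interface's policy map drops SYN segments that contain data. The sample configuration and all names in it are constructed, and every command spelling other than "fragment timeout" is an assumption about ACE CLI syntax.

```python
import re

# Constructed sample running-config, not the page's. Apart from "fragment timeout",
# the command spellings are assumed ACE CLI syntax.
SAMPLE_CONFIG = """\
parameter-map type connection TCPIP_PARAM_MAP
  syn-data drop
policy-map multi-match TCP_POLICY
  class TCP_CLASS
    connection advanced-options TCPIP_PARAM_MAP
interface vlan 50
  ip options clear
  ip ttl minimum 15
  ip df allow
  fragment chain 50
  fragment min-mtu 1024
  fragment timeout 15
  service-policy input TCP_POLICY
interface vlan 60
  service-policy input TCP_POLICY
"""
SETTING = re.compile(r"(fragment (?:timeout|chain|min-mtu)|ip (?:ttl minimum|options|df)) (\S+)")

def parse_stanzas(text):
    """Group indented lines under the unindented line that opens each stanza."""
    stanzas, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            current = stanzas.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return stanzas

def audit(text):
    """Per VLAN interface: normalization/reassembly settings and SYN-data handling."""
    stanzas, report = parse_stanzas(text), {}
    for header, body in stanzas.items():
        if not (m := re.fullmatch(r"interface vlan (\d+)", header)):
            continue
        info, maps = {"fragment timeout": 5}, []  # 5 s is the default stated on the page
        for line in body:
            if s := SETTING.fullmatch(line):
                info[s[1]] = int(s[2]) if s[2].isdigit() else s[2]
            elif line.startswith("service-policy input "):
                policy = stanzas.get("policy-map multi-match " + line.split()[-1], [])
                maps += [p.split()[-1] for p in policy if p.startswith("connection advanced-options ")]
        info["syn-data drop"] = any(
            "syn-data drop" in stanzas.get("parameter-map type connection " + n, []) for n in maps)
        report[int(m[1])] = info
    return report
```

Calling audit(SAMPLE_CONFIG) shows VLAN 50 with its explicit settings and VLAN 60 falling back to the 5-second fragment timeout; settings that are absent from an interface stanza are simply not reported.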
Configuring TCP/IP Normalization and IP Reassembly Parameters
OL-16202-01
