Configuring syn-proxy, Enabling syn-proxy – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide

53-1002440-03


If you want your ServerIron ADX to behave more like a JetCore-based ServerIron device, you can use
any of the following three workarounds:

1. Enable syn-proxy on the server interface.

2. Enable ip nat.

3. Enable "server security-on-vip-only".

Configuring Syn-Proxy

This section contains the following sections:

“Enabling SYN-Proxy”

“Setting Attack-Rate-Threshold”

“Setting SYN-Ack-Window-Size”

“Setting Reset-Using-Client-MAC”

“Retransmitting TCP SYNs”

NOTE

Syn-Proxy is not supported for IPv6 for releases earlier than 12.2.0.

NOTE

In a syn-proxy configuration for a local client, if no ARP entry for the client is stored, the first TCP
connection may need to retransmit non-SYN packets, because they may be dropped until the ServerIron
ADX stores an ARP entry for the client. There will only be a performance impact for the very first
connection.

NOTE

If you use the log action inside access-list deny rules, you cannot combine such an ACL with
hardware-based syn-proxy on the same interface. To use both on the same interface, either remove the
log action or disable hardware syn-proxy using the server disable-hw-syn-cookie command. Remember that
disabling hardware syn-proxy harms syn-proxy performance.

NOTE

DSR is not supported with SYN-proxy; it is supported with SYN-def.

Enabling SYN-Proxy

To activate Syn-Proxy, follow these steps:

1. Globally enable Syn-Proxy, using the following command:

ServerIronADX(config)# ip tcp syn-proxy

Syntax: ip tcp syn-proxy

NOTE

The ip tcp syn-proxy command must be executed at the global configuration level. If it is
executed at the interface configuration level, it will not take effect.

2. Configure a port and enter the interface configuration mode, using the following commands:
