Solved

Cisco Routers & Cisco Express Forwarding

Posted on 2005-03-08
4
Medium Priority
236 Views
Last Modified: 2010-04-17
I was reading a book and the author stated that you could use CEF as a way to prevent SYN flood attacks on your network perimeter.  I'm just wondering how useful this would actually be and what other functions it can perform?

It's easily enabled on my 2600 via config mode w/ the command IP CEF

Is that all that is required, and are there any caveats for this change?

Thx
BBanis2k
Question by:bbanis2k
4 Comments
 
LVL 3

Expert Comment

by:neowolf219
ID: 13490874
Hi bbanis2k,


cef is basically used to take the load off the CPU.  Destinations have already been cached, so it takes the load off because of this.

I normally use ACLs to prevent SYN flood attacks, coupled with cef.

Private addresses and physical loopbacks should be denied coming in on that interface.

! RFC1918 ranges as source addresses (172.16.0.0/12 needs a 0.15.255.255 wildcard, not 0.0.255.255)
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
! loopback source
access-list 100 deny ip host 127.0.0.1 any
! an IOS ACL ends with an implicit deny, so legitimate traffic needs an explicit permit
access-list 100 permit ip any any

I just wanted to make you aware of how many people in the field prevent SYN attacks.  It is usually a combination of cef and ACLs.


0
 

Author Comment

by:bbanis2k
ID: 13491576
Interesting.

Yeah, I always block private IP address ranges that aren't in use.

So CEF essentially caches the route and saves CPU cycles?  What if a route changes and CEF has the old route?  Is it fairly dynamic and will it allow streamlined inter-operability with BGP and OSPF?

Thx
B...
0
 
LVL 3

Accepted Solution

by: neowolf219 (earned 2000 total points)
ID: 13491787
You're correct.  cef is dynamic.  I've seen this run on your higher end switches with BGP going outside and OSPF running on your LAN.

Keep in mind that route-cache is disabled on your interfaces, so you will have to enable it on your interfaces:

ip route-cache cef

Do this even if you have entered the ip cef global configuration command.
0
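Putting the two answers above together, here is an added configuration example (not from this thread or from Cisco documentation) for an IOS edge router: CEF enabled globally and per interface, the anti-spoofing ACL from the first comment applied inbound on the uplink, and, going one step beyond the thread, unicast RPF, which is the CEF-dependent feature that actually drops packets with spoofed sources. Interface names, the 203.0.113.0/24 and 198.51.100.0/30 addresses and the IOS 12.x uRPF syntax (`ip verify unicast reverse-path`; later releases use `ip verify unicast source reachable-via rx`) are assumptions.

```cisco
! Added example, not from the original thread. Assumed: single-homed 2600-class
! router, Serial0/0 is the Internet uplink, 203.0.113.0/24 is our own public
! prefix (documentation range used as a placeholder), IOS 12.x command syntax.
!
! CEF builds the FIB and adjacency tables in advance, so forwarding does not
! involve the CPU per packet. CEF by itself drops nothing; its value against
! spoofed-source SYN floods is that uRPF below requires it.
ip cef
!
! Inbound anti-spoofing ACL. The thread lists only the deny lines; an IOS ACL
! ends with an implicit deny, so real traffic needs the explicit permit.
access-list 100 remark drop private, loopback and our own prefix as a source
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
! packets from the Internet claiming to come from inside our own prefix
access-list 100 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 100 permit ip any any
!
interface Serial0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group 100 in
 ! Strict uRPF: drop a packet if the FIB has no route back to its source via
 ! this interface. Needs CEF; only safe on a single-homed, symmetric link.
 ip verify unicast reverse-path
 ! Per-interface CEF switching, as the accepted answer recommends.
 ip route-cache cef
!
! Verification after the change (show commands, run from enable mode):
!   show ip cef                   - FIB is populated, not "CEF is not running"
!   show cef interface Serial0/0  - reports "IP CEF switching enabled"
!   show ip interface Serial0/0   - shows the uRPF (verify source) setting
!   show access-lists 100         - hit counters on the deny lines
```

The ACL catches the well-known bogus sources; uRPF covers everything else for which the router has no return route, which is why the two are normally deployed together.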
 

Author Comment

by:bbanis2k
ID: 13491809
Very good

Thanks for your time...
0