
Cisco Routers & Cisco Express Forwarding

I was reading a book and the author stated that you could use CEF as a way to prevent SYN flood attacks on your network perimeter.  I'm just wondering how useful this would actually be and what other functions it can perform?

It's easily enabled on my 2600 via config mode w/ the command IP CEF

Is that all that is required and are there any caveats for this change?

Thx
BBanis2k
neowolf219 Commented:
Hi bbanis2k,


CEF is basically used to take the load off the CPU.  Destinations have already been cached, so it takes the load off because of this.

I normally use ACLs to prevent SYN flood attacks, coupled with cef.  

Private addresses and physical loopbacks should be denied coming in on that interface.

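! Deny RFC 1918 private sources and the loopback address inbound
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip host 127.0.0.1 any
! An ACL ends with an implicit deny, so permit entries for legitimate traffic must follow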

I just wanted to make you aware of how many people prevent SYN attacks in the field.  It is usually a combination of CEF and ACLs.


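An added example, not part of the original thread or of any Cisco tooling: a Python check that converts the wildcard mask of each `access-list ... deny ip` entry to a prefix and reports any part of the RFC 1918 ranges the entries leave uncovered. The sample ACL is constructed, and the script assumes contiguous wildcard masks and ignores entry order and permit lines.

```python
import ipaddress

# RFC 1918 private ranges that should be denied inbound on the perimeter.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the 172.16 entry uses a /16 wildcard instead of /12.
SAMPLE = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.0.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip host 127.0.0.1 any
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address + contiguous wildcard mask into a network.
    A non-contiguous wildcard raises ValueError."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = ipaddress.IPv4Address(inverted)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_denies(config):
    """Collect the source networks of 'access-list N deny ip <src> ...' lines."""
    nets = []
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["deny", "ip"]:
            continue
        if tok[4] == "host":
            nets.append(ipaddress.ip_network(tok[5] + "/32"))
        elif tok[4] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            nets.append(wildcard_to_network(tok[4], tok[5]))
    return nets

def uncovered(target, denies):
    """Return the parts of target that no deny entry matches."""
    remaining = [target]
    for d in denies:
        nxt = []
        for r in remaining:
            if r.subnet_of(d):
                continue  # this piece is fully denied
            # IPv4 prefixes either nest or are disjoint: cut out d, or keep r whole.
            nxt.extend(r.address_exclude(d) if d.subnet_of(r) else [r])
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def audit(config):
    """Map each RFC 1918 range to the sub-ranges the ACL still lets through."""
    return {str(t): uncovered(t, parse_denies(config)) for t in RFC1918}
```

Calling `audit(SAMPLE)` returns an empty list for a range that is fully denied and the leftover prefixes for one that is not.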
 
bbanis2k Author Commented:
Interesting.

Yeah, I always block private IP address ranges that aren't in use.

So CEF essentially caches the route and saves CPU cycles?  What if a route changes and CEF has the old route?  Is it fairly dynamic and will it allow streamlined inter-operability with BGP and OSPF?

Thx
B...
neowolf219 Commented:
You're correct.  CEF is dynamic.  I've seen this run on your higher end switches with BGP going outside and OSPF running on your LAN.  

Keep in mind that route-cache is disabled on your interfaces, so you will have to enable these on your interfaces

ip route-cache cef

Do this even if you have entered the ip cef global configuration command.
bbanis2k Author Commented:
Very good

Thanks for your time...