bbanis2k

asked:
Cisco Routers & Cisco Express Forwarding

I was reading a book and the author stated that you could use CEF as a way to prevent SYN flood attacks on your network perimeter.  I'm just wondering how useful this would actually be and what other functions it can perform?

It's easily enabled on my 2600 via config mode w/ the command IP CEF

Is that all that is required, and are there any caveats for this change?

Thx
BBanis2k
neowolf219

Hi bbanis2k,


CEF is basically used to take the load off the CPU.  Destinations have already been cached, so it takes the load off because of this.

I normally use ACLs to prevent SYN flood attacks, coupled with CEF.

Private addresses and physical loopbacks should be denied coming in on that interface.

! Apply inbound on the outside interface (Serial0/0 is a placeholder); 172.16.0.0/12 needs wildcard 0.15.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip host 127.0.0.1 any
access-list 100 permit ip any any
interface Serial0/0
 ip access-group 100 in

I just wanted to make you aware of how many people prevent SYN attacks in the field.  It is usually a combination of CEF and ACLs.


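As an added example, not part of the original thread or the answer above, here is how those pieces fit together on an IOS edge router: `ip cef` enabled globally, the private/loopback source filter applied inbound on the outside interface, and unicast Reverse Path Forwarding (uRPF), which is the CEF-dependent feature that actually relates CEF to spoofed-source SYN floods. uRPF looks the source address of each arriving packet up in the CEF FIB and drops it if the source is not reachable back through the interface it arrived on, so it cannot be turned on without CEF. TCP Intercept is shown as well, since it is the IOS feature aimed specifically at half-open SYN floods. The interface names, the 192.0.2.0/24 inside prefix and the 198.51.100.0/30 uplink are placeholders, and the loopback entry is widened from the single host 127.0.0.1 to the whole 127.0.0.0/8 block.

```cisco
! Added example configuration; not from the original thread.
! Interface names and addresses are placeholders.
ip cef
!
! Source-address filter for the Internet-facing interface.
! 172.16.0.0/12 needs wildcard 0.15.255.255 to cover the whole RFC 1918 block.
! Our own inside prefix must never arrive from outside either.
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip any any
!
! TCP Intercept: the router answers SYNs destined to the servers matched by
! list 101 and only opens the inside connection once the client completes the
! handshake, so half-open connections from spoofed sources never reach them.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept mode intercept
!
interface Serial0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group 100 in
 ! Strict uRPF: the source must be reachable via this interface in the CEF FIB.
 ! allow-default is required here: with only a default route pointing out this
 ! interface, the check would otherwise fail for every Internet source.
 ip verify unicast source reachable-via rx allow-default
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.0.2.1 255.255.255.0
 ! On the LAN side no allow-default is needed: only 192.0.2.0/24 sources are
 ! reachable via this interface, so hosts spoofing other sources are dropped here.
 ip verify unicast source reachable-via rx
!
end
```

To check it, `show ip cef summary` confirms CEF is running and how many FIB entries it holds, `show ip interface Serial0/0` shows the `verify source reachable-via RX` state on the interface, `show ip traffic` reports drops under `unicast RPF`, and `show tcp intercept statistics` shows how many connections intercept has absorbed. Two caveats: strict uRPF (`reachable-via rx`) breaks asymmetric routing, so on a multihomed edge use `reachable-via any` (loose mode) instead; and TCP Intercept keeps per-connection state on the router, so a large flood can exhaust memory on a small platform such as a 2600, in which case `ip tcp intercept mode watch` is the lighter choice.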
bbanis2k

ASKER

Interesting.

Yeah, I always block private IP address ranges that aren't in use.

So CEF essentially caches the route and saves CPU cycles?  What if a route changes and CEF has the old route?  Is it fairly dynamic and will it allow streamlined inter-operability with BGP and OSPF?

Thx
B...
ASKER CERTIFIED SOLUTION
neowolf219

This solution is only available to members.
Very good

Thanks for your time...