Brocade Communications Systems 12.4.00a User Manual
ServerIron ADX Security Guide
53-1002440-03
If you want your ServerIron ADX to behave more like a JetCore-based ServerIron device, you can use
any of the following three workarounds:
1. Enable syn-proxy on the server interface
2. Enable ip nat
3. Enable "server security-on-vip-only".
Configuring Syn-Proxy
NOTE
Syn-Proxy is not supported for IPv6 for releases earlier than 12.2.0.
NOTE
In a syn-proxy configuration for a local client, if an ARP entry for the client is not stored, the first TCP
connection may need to retransmit non-SYN packets, because they may be dropped until the ServerIron
ADX stores an ARP entry for the client. There will only be a performance impact for the very first
connection.
NOTE
If you use the log action inside access-list deny rules, you cannot combine such an ACL with
hardware-based syn-proxy on the same interface. To use both on the same interface, either remove the log action or
disable hardware syn-proxy using the server disable-hw-syn-cookie command. Remember that
disabling hardware syn-proxy harms syn-proxy performance.
NOTE
DSR is not supported with SYN-proxy and is supported with SYN-def.
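A configuration check for the log-action NOTE above, as an added example that is not part of the Brocade guide: it scans a running-config for interfaces where syn-proxy and an ACL containing a deny rule with the log action coexist while hardware syn-proxy has not been disabled. The sample configuration is constructed, and the interface-level lines "ip tcp syn-proxy in" and "ip access-group <id> in" are assumed syntax that this page does not show.

```python
import re

# Constructed running-config excerpt, not taken from the guide. Assumed syntax:
# "ip tcp syn-proxy in" and "ip access-group <id> in" under an interface.
SAMPLE_CONFIG = """\
ip tcp syn-proxy
access-list 101 deny tcp any any eq 23 log
access-list 101 permit ip any any
access-list 102 deny udp any any
interface ethernet 1
 ip tcp syn-proxy in
 ip access-group 101 in
interface ethernet 2
 ip tcp syn-proxy in
 ip access-group 102 in
"""

def audit_syn_proxy(config):
    """Return (interface, acl_id) pairs where a deny+log ACL shares an
    interface with syn-proxy while hardware syn-proxy is still enabled."""
    logging_acls = set()      # ACL ids with at least one "deny ... log" rule
    ifaces = {}               # interface name -> its indented config lines
    hw_disabled = False
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace():                 # indented: belongs to an interface
            if current is not None:
                ifaces[current].append(line)
            continue
        current = None                       # any top-level line ends a block
        if m := re.match(r"interface\s+(.+)", line):
            current = m.group(1)
            ifaces[current] = []
        elif m := re.match(r"access-list\s+(\S+)\s+deny\b.*\slog$", line):
            logging_acls.add(m.group(1))
        elif line == "server disable-hw-syn-cookie":
            hw_disabled = True
    if hw_disabled:                          # hardware syn-proxy off: no conflict
        return []
    findings = []
    for name, lines in ifaces.items():
        if not any(l.startswith("ip tcp syn-proxy") for l in lines):
            continue
        for l in lines:
            m = re.match(r"ip access-group\s+(\S+)", l)
            if m and m.group(1) in logging_acls:
                findings.append((name, m.group(1)))
    return findings
```

Each returned pair names an interface and the ACL to fix, either by removing the log action from its deny rules or by accepting the performance cost of server disable-hw-syn-cookie.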
Enabling SYN-Proxy
To activate Syn-Proxy, follow these steps:
1. Globally enable Syn-Proxy, using the following command:
ServerIronADX(config)# ip tcp syn-proxy
Syntax: ip tcp syn-proxy
NOTE
The ip tcp syn-proxy command must be executed at the global configuration level. If it is
executed at the interface configuration level it will not take effect.
2. Configure a port and enter the interface configuration mode, using the following commands: