Cisco IOS Software Release 12.2(18)SXF
Features
• To protect against attackers trying to direct flows to real or nonexistent IP addresses in the firewall subnet, configure the firewalls in a private network.
• Configure firewalls to deny all unexpected flows targeted at the firewalls, especially flows originating from the external network.
Slow Start
In an environment that uses weighted least connections load balancing, a real server that is placed in service initially has no connections, and could therefore be assigned so many new connections that it becomes overloaded. To prevent such an overload, slow start controls the number of new connections that are directed to a real server that has just been placed in service.
GPRS load balancing and the Home Agent Director do not support slow start.
SynGuard
SynGuard limits the rate of TCP start-of-connection packets (SYNchronize sequence numbers, or SYNs) handled by a virtual server to prevent a type of network problem known as a SYN flood denial-of-service attack. A user might send a large number of SYNs to a server, which could overwhelm or crash the server, denying service to other users. SynGuard prevents such an attack from bringing down IOS SLB or a real server. SynGuard monitors the number of SYNs handled by a virtual server at specific intervals and does not allow the number to exceed a configured SYN threshold. If the threshold is reached, any new SYNs are dropped.
IOS SLB firewall load balancing and the Home Agent Director do not support SynGuard.
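The following Python model illustrates the SynGuard behaviour described above: SYNs handled by a virtual server are counted per fixed interval, and once the count reaches the configured threshold every further SYN in that interval is dropped. This is an added example, not Cisco IOS code; the class and parameter names (SynGuard, syn_threshold, interval_ms) and the sample SYN arrivals are constructed for illustration.

```python
"""Interval-based SYN threshold, modelled after IOS SLB SynGuard (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, Tuple


class SynGuard:
    """Per-virtual-server SYN counter with a fixed-interval threshold (hypothetical model)."""

    def __init__(self, syn_threshold: int, interval_ms: int) -> None:
        self.syn_threshold = syn_threshold  # max SYNs forwarded per interval
        self.interval_ms = interval_ms      # monitoring interval length
        self._window = None                 # id of the interval being counted
        self._count = 0                     # SYNs forwarded in that interval

    def handle_syn(self, ts_ms: int) -> bool:
        """Return True if the SYN is forwarded, False if it is dropped."""
        window = ts_ms // self.interval_ms
        if window != self._window:          # a new interval starts: reset the counter
            self._window, self._count = window, 0
        if self._count >= self.syn_threshold:
            return False                    # threshold reached: drop new SYNs
        self._count += 1
        return True


def replay(events: Iterable[Tuple[int, str]], syn_threshold: int,
           interval_ms: int) -> Dict[int, Tuple[int, int]]:
    """Replay time-ordered (timestamp_ms, source) SYN events.

    Returns {interval_id: (forwarded, dropped)} so the effect of the
    threshold on each interval is visible.
    """
    guard = SynGuard(syn_threshold, interval_ms)
    stats = defaultdict(lambda: [0, 0])
    for ts_ms, _src in events:
        window = ts_ms // interval_ms
        if guard.handle_syn(ts_ms):
            stats[window][0] += 1
        else:
            stats[window][1] += 1
    return {w: (v[0], v[1]) for w, v in sorted(stats.items())}


# Constructed sample traffic: a normal trickle in intervals 0 and 2, and a
# burst of 20 SYNs from a single source inside interval 1.
SAMPLE_SYNS = (
    [(100, "10.0.0.1"), (200, "10.0.0.2"), (300, "10.0.0.1")]
    + [(1500 + i, "192.0.2.99") for i in range(20)]
    + [(2100, "10.0.0.3"), (2200, "10.0.0.4")]
)


def demo() -> Dict[int, Tuple[int, int]]:
    """Threshold of 5 SYNs per 1000 ms interval applied to the sample traffic."""
    return replay(SAMPLE_SYNS, syn_threshold=5, interval_ms=1000)


if __name__ == "__main__":
    for window, (fwd, drop) in demo().items():
        print(f"interval {window}: forwarded={fwd} dropped={drop}")
```

Note that the threshold is a blunt instrument: legitimate SYNs that arrive after the threshold is reached within an interval are dropped too, which is why the threshold is sized to the virtual server's expected connection rate rather than set as low as possible.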
Server Failure Detection and Recovery Features
IOS SLB provides the following server failure detection and recovery features:
Automatic Server Failure Detection
IOS SLB automatically detects each failed Transmission Control Protocol (TCP) connection attempt to a real server, and increments a failure counter for that server. (The failure counter is not incremented if a failed TCP connection from the same client has already been counted.) If a server's failure counter exceeds a configurable failure threshold, the server is considered out of service and is removed from the list of active real servers.
For RADIUS load balancing, the IOS SLB performs automatic server failure detection when a RADIUS request is not answered by the real server.
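The failure counter logic above, as an added Python model that is not Cisco IOS code: each failed TCP connection attempt increments a per-server counter, repeated failures from a client that has already been counted are ignored, and the server is taken out of the active list once the counter exceeds the configured threshold. The RADIUS case is modelled as an unanswered request feeding the same counter. Class and method names (RealServer, record_tcp_failure, record_radius_timeout, active_servers) and the sample client addresses are constructed for illustration.

```python
"""Per-server failure counting with per-client deduplication (added example)."""
from typing import List, Set


class RealServer:
    """Tracks failed connection attempts for one real server (hypothetical model)."""

    def __init__(self, name: str, fail_threshold: int) -> None:
        self.name = name
        self.fail_threshold = fail_threshold   # counter must EXCEED this value
        self.failures = 0
        self.in_service = True
        self._counted_clients: Set[str] = set()

    def record_tcp_failure(self, client_ip: str) -> bool:
        """Record a failed TCP connection attempt from client_ip.

        Returns True if the failure was counted, False if this client's
        failure had already been counted and was therefore ignored.
        """
        if client_ip in self._counted_clients:
            return False
        self._counted_clients.add(client_ip)
        self.failures += 1
        if self.failures > self.fail_threshold:
            self.in_service = False            # removed from active real servers
        return True

    def record_radius_timeout(self, client_ip: str) -> bool:
        """RADIUS request left unanswered by this server: same counting path."""
        return self.record_tcp_failure(client_ip)


def active_servers(servers: List[RealServer]) -> List[str]:
    """Names of the real servers still eligible to receive new connections."""
    return [s.name for s in servers if s.in_service]


def demo() -> List[str]:
    """Constructed scenario: two servers, threshold 2, failures from several clients."""
    web1 = RealServer("web1", fail_threshold=2)
    web2 = RealServer("web2", fail_threshold=2)
    # web1: three distinct clients fail; the repeat from 10.1.1.1 is not counted.
    for client in ("10.1.1.1", "10.1.1.2", "10.1.1.1", "10.1.1.3"):
        web1.record_tcp_failure(client)
    # web2: one unanswered RADIUS request, well under the threshold.
    web2.record_radius_timeout("10.1.1.9")
    return active_servers([web1, web2])


if __name__ == "__main__":
    print("active:", demo())
```

The per-client deduplication matters for detection quality: a single misbehaving client retrying against one server would otherwise be able to push that server's counter past the threshold on its own, whereas requiring failures from distinct clients makes the out-of-service decision reflect the server's actual health.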