Home » HP Manuals » Servers » HP 6125XLG » Manual Viewer

HP 6125XLG R2306-HP 6125XLG Blade Switch Layer 3 - IP Services Command Referen - Page 152

tcp syn-cookie enable, Parameters, Usage guidelines, Examples, Syntax, Default, Views

Add to My Manuals
Save this manual to your list of manuals

Page 152 highlights

Parameters aging age-time: Sets the aging time for the path MTU, in the range of 10 to 30 minutes. The default aging time is 10 minutes. no-aging: Does not age out the path MTU. Usage guidelines After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation. After you disable TCP path MTU discovery, the system stops all path MTU timers. The TCP connections established later do not detect the path MTU, but the TCP connections previously established still can detect the path MTU. Examples # Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes. system-view [Sysname] tcp path-mtu-discovery aging 20 tcp syn-cookie enable Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks. Use undo tcp syn-cookie enable to disable SYN Cookie. Syntax tcp syn-cookie enable undo tcp syn-cookie enable Default SYN Cookie is disabled. Views System view Predefined user roles network-admin Usage guidelines A TCP connection is established through a three-way handshake: 1. The sender sends a SYN packet to the server. 2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender. 3. The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection is established. An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number of SYN packets, but they do not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and cannot handle normal services. SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it responds to the request with a SYN ACK packet without establishing a TCP semi-connection. 144

Section	Page
Title Page	1
Contents	3
ARP commands	9
arp check enable	9
arp max-learning-num	9
arp multiport	10
arp static	11
arp timer aging	12
display arp	13
display arp ip-address	15
display arp timer aging	16
display arp vpn-instance	16
mac-address mac-move fast-update	17
reset arp	17
Gratuitous ARP commands	19
arp send-gratuitous-arp	19
gratuitous-arp-learning enable	20
gratuitous-arp-sending enable	20
Proxy ARP commands	22
display local-proxy-arp	22
display proxy-arp	22
local-proxy-arp enable	23
proxy-arp enable	24
ARP snooping commands	26
arp snooping enable	26
display arp snooping	26
reset arp snooping	27
IP addressing commands	29
display ip interface	29
display ip interface brief	31
ip address	32
ip address unnumbered	34
DHCP commands	35
Common DHCP commands	35
dhcp enable	35
dhcp select	35
DHCP server commands	37
address range	37
bims-server	38
bootfile-name	38
class	39
dhcp class	40
dhcp server always-broadcast	41
dhcp server apply ip-pool	42
dhcp server bootp ignore	42
dhcp server bootp reply-rfc-1048	43
dhcp server forbidden-ip	44
dhcp server ip-pool	44
dhcp server ping packets	45
dhcp server ping timeout	46
dhcp server relay information enable	47
display dhcp server conflict	47
display dhcp server expired	48
display dhcp server free-ip	49
display dhcp server ip-in-use	50
display dhcp server pool	51
display dhcp server statistics	53
dns-list	55
domain-name	56
expired	56
forbidden-ip	57
gateway-list	58
if-match option	59
nbns-list	60
netbios-type	61
network	62
next-server	63
option	64
reset dhcp server conflict	65
reset dhcp server expired	66
reset dhcp server ip-in-use	66
reset dhcp server statistics	67
static-bind	67
tftp-server domain-name	68
tftp-server ip-address	69
voice-config	70
DHCP relay agent commands	71
dhcp relay check mac-address	71
dhcp relay client-information record	71
dhcp relay client-information refresh	72
dhcp relay client-information refresh enable	73
dhcp relay information circuit-id	74
dhcp relay information enable	75
dhcp relay information remote-id	76
dhcp relay information strategy	77
dhcp relay release ip	78
dhcp relay server-address	79
display dhcp relay client-information	79
display dhcp relay information	81
display dhcp relay server-address	82
display dhcp relay statistics	83
reset dhcp relay client-information	84
reset dhcp relay statistics	85
DHCP client commands	86
dhcp client dad enable	86
dhcp client identifier	86
display dhcp client	87
ip address dhcp-alloc	89
DHCP snooping commands	91
dhcp snooping binding database filename	91
dhcp snooping binding database update interval	91
dhcp snooping binding database update now	92
dhcp snooping binding record	93
dhcp snooping check mac-address	93
dhcp snooping check request-message	94
dhcp snooping enable	95
dhcp snooping information circuit-id	95
dhcp snooping information enable	97
dhcp snooping information remote-id	98
dhcp snooping information strategy	99
dhcp snooping rate-limit	99
dhcp snooping trust	100
display dhcp snooping binding	101
display dhcp snooping binding database	102
display dhcp snooping information	103
display dhcp snooping packet statistics	104
display dhcp snooping trust	104
reset dhcp snooping binding	105
reset dhcp snooping packet statistics	105
BOOTP client commands	107
display bootp client	107
ip address bootp-alloc	108
DNS commands	109
display dns domain	109
display dns host	110
display dns server	111
display ipv6 dns server	112
dns domain	113
dns proxy enable	114
dns server	114
dns source-interface	115
dns spoofing	116
dns trust-interface	117
ip host	117
ipv6 dns server	118
ipv6 dns spoofing	119
ipv6 host	120
reset dns host	121
DDNS commands	122
ddns apply policy	122
ddns policy	123
display ddns policy	123
interval	125
method	126
password	127
ssl client policy	127
url	128
username	130
Basic IP forwarding commands	132
display fib	132
IP performance optimization commands	134
display icmp statistics	134
display ip statistics	135
display rawip	136
display rawip verbose	137
display tcp	138
display tcp statistics	139
display tcp verbose	141
display udp	142
display udp statistics	143
display udp verbose	143
ip forward-broadcast	145
ip icmp fragment discarding	145
ip mtu	146
ip redirects enable	147
ip ttl-expires enable	148
ip unreachables enable	148
reset ip statistics	149
reset tcp statistics	150
reset udp statistics	150
tcp mss	150
tcp path-mtu-discovery	151
tcp syn-cookie enable	152
tcp timer fin-timeout	153
tcp timer syn-timeout	153
tcp window	154
UDP helper commands	155
display udp-helper interface	155
reset udp-helper statistics	155
udp-helper enable	156
udp-helper port	156
udp-helper server	157
IPv6 basics commands	159
display ipv6 fib	159
display ipv6 icmp statistics	160
display ipv6 interface	161
display ipv6 interface prefix	165
display ipv6 neighbors	166
display ipv6 neighbors count	168
display ipv6 neighbors vpn-instance	168
display ipv6 pathmtu	169
display ipv6 rawip	171
display ipv6 rawip verbose	171
display ipv6 statistics	173
display ipv6 tcp	175
display ipv6 tcp verbose	176
display ipv6 udp	179
display ipv6 udp verbose	179
ipv6 address	181
ipv6 address anycast	182
ipv6 address auto link-local	183
ipv6 address eui-64	184
ipv6 address link-local	185
ipv6 hop-limit	186
ipv6 hoplimit-expires enable	187
ipv6 icmpv6 multicast-echo-reply enable	187
ipv6 mtu	188
ipv6 nd autoconfig managed-address-flag	188
ipv6 nd autoconfig other-flag	189
ipv6 nd dad attempts	190
ipv6 nd ns retrans-timer	191
ipv6 nd nud reachable-time	191
ipv6 nd ra halt	192
ipv6 nd ra hop-limit unspecified	193
ipv6 nd ra interval	193
ipv6 nd ra no-advlinkmtu	194
ipv6 nd ra prefix	195
ipv6 nd ra router-lifetime	196
ipv6 nd router-preference	196
ipv6 neighbor	197
ipv6 neighbor link-local minimize	198
ipv6 neighbor stale-aging	199
ipv6 neighbors max-learning-num	200
ipv6 pathmtu	200
ipv6 pathmtu age	201
ipv6 redirects enable	202
ipv6 unreachables enable	203
reset ipv6 neighbors	203
reset ipv6 pathmtu	204
reset ipv6 statistics	205
DHCPv6 server commands	206
address range	206
display ipv6 dhcp duid	207
display ipv6 dhcp pool	207
display ipv6 dhcp prefix-pool	209
display ipv6 dhcp server	210
display ipv6 dhcp server conflict	211
display ipv6 dhcp server expired	212
display ipv6 dhcp server ip-in-use	213
display ipv6 dhcp server pd-in-use	215
display ipv6 dhcp server statistics	216
dns-server	218
domain-name	219
ipv6 dhcp pool	220
ipv6 dhcp prefix-pool	220
ipv6 dhcp select	221
ipv6 dhcp server	222
ipv6 dhcp server apply pool	223
ipv6 dhcp server forbidden-address	224
ipv6 dhcp server forbidden-prefix	225
network	226
option	227
prefix-pool	228
reset ipv6 dhcp server conflict	229
reset ipv6 dhcp server expired	229
reset ipv6 dhcp server ip-in-use	230
reset ipv6 dhcp server pd-in-use	231
reset ipv6 dhcp server statistics	231
sip-server	232
static-bind	232
temporary address range	234
Tunneling commands	236
default	236
description	236
destination	237
display interface tunnel	238
interface tunnel	241
mtu	242
reset counters interface	243
service	243
shutdown	244
source	245
tunnel bandwidth	246
tunnel dfbit enable	246
tunnel discard ipv4-compatible-packet	247
tunnel tos	248
tunnel ttl	248
GRE commands	250
keepalive	250
Support and other resources	251
Contacting HP	251
Subscription service	251
Related information	251
Documents	251
Websites	251
Conventions	252
Command conventions	252
GUI conventions	252
Symbols	252
Network topology icons	253
Port numbering in examples	253

Match case Limit results 1 per page

144

Parameters

aging

age-time

: Sets the aging time for the path MTU, in the range of 10 to 30

minutes. The default

aging time is 10 minutes.

no-aging

: Does not age out the path MTU.

Usage guidelines

After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses

the path MTU to calculate the MSS to avoid IP fragmentation.

After you disable TCP path MTU discovery, the system stops all path MTU timers. The TCP connections

established later do not detect the path MTU, but the TCP connections previously established still can

detect the path MTU.

Examples

# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.

<Sysname> system-view

[Sysname] tcp path-mtu-discovery aging 20

tcp syn-cookie enable

Use

tcp syn-cookie enable

to enable

SYN Cookie to protect the device from SYN flood attacks.

Use

undo tcp syn-cookie enable

to disable SYN Cookie.

Syntax

tcp syn-cookie enable

undo tcp syn-cookie enable

Default

SYN Cookie is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A TCP connection is established through a three-way handshake:

The sender sends a SYN packet to the server.

The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state,

and replies with a SYN ACK packet to the sender.

The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection

is established.

An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number

of SYN packets, but they do not respond to the SYN ACK packets from the server. As a result, the server

establishes a large number of TCP semi-connections and cannot handle normal services.

SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it

responds to the request with a SYN ACK packet without establishing a TCP semi-connection.