R3303-HP HSR6800 Routers Security Configuration Guide

Configuring early aging for sessions
A device that does not support attack detection or attack protection is vulnerable to attacks on session
resources. If session resources are used up, the device cannot support normal forwarding services, for
example, NAT processing. To prevent such attacks, you can configure early aging for sessions.
After you configure early aging for sessions:
• When the session ratio (the ratio of the number of established sessions to the session count
  specification of the device) exceeds the upper threshold, the session aging time is shortened by a
  specified time value. That is, sessions are aged out earlier.
• When the session ratio equals or drops below the lower threshold, the session aging time is restored
  to the normal values configured by the application aging-time or session aging-time command.
To configure early aging for sessions:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the time value to shorten the session aging time. | session early-ageout shorten-time threshold-high threshold-high-value threshold-low threshold-low-value | By default, the session aging time is not shortened.
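The following model is an added example, not part of the HP guide or the device software. It shows how the two thresholds act on a session table during a session-exhaustion flood. The tick unit, table size, load and threshold values are constructed, and holding the previous state between the thresholds and the floor of one tick are assumptions.

```python
from collections import deque

def effective_aging(ratio_pct, shortened, normal, shorten, high, low):
    """One evaluation of the session ratio; returns (aging_time, shortened)."""
    if ratio_pct > high:        # above the upper threshold: age out earlier
        shortened = True
    elif ratio_pct <= low:      # at or below the lower threshold: restore
        shortened = False
    # Between the thresholds the previous state is kept (assumed hysteresis).
    aging = max(1, normal - shorten) if shortened else normal  # floor of 1 is assumed
    return aging, shortened

def simulate(arrivals, capacity, normal, shorten=0, high=80, low=60):
    """Feed idle sessions into a table; return (peak, refused, ticks_shortened)."""
    table = deque()             # creation tick of each idle session, oldest first
    shortened, peak, refused, ticks_shortened = False, 0, 0, []
    for tick, new in enumerate(arrivals):
        ratio_pct = 100 * len(table) / capacity
        aging, shortened = effective_aging(ratio_pct, shortened, normal,
                                           shorten, high, low)
        while table and tick - table[0] >= aging:
            table.popleft()     # session has been idle for the whole aging time
        for _ in range(new):
            if len(table) < capacity:
                table.append(tick)
            else:
                refused += 1    # table full: normal traffic would be refused too
        peak = max(peak, len(table))
        if shortened and shorten:
            ticks_shortened.append(tick)
    return peak, refused, ticks_shortened

# Constructed load: 50 new idle sessions per tick for 40 ticks.
FLOOD = [50] * 40

if __name__ == "__main__":
    # Default (no shortening) versus shortening by 20 ticks at 80% / 60%.
    print("default    :", simulate(FLOOD, capacity=1000, normal=30))
    print("early aging:", simulate(FLOOD, capacity=1000, normal=30, shorten=20))
```

With the default behavior the table fills and new sessions are refused. With early aging the table peaks just above the upper threshold and recovers each time the shortened aging time applies.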
Setting the maximum number of sessions
You can set the maximum number of sessions to limit the creation of sessions and reduce memory usage
by the session management module.
To set the maximum number of sessions:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the maximum number of sessions. | In standalone mode: session max-entries max-entries slot slot-number. In IRF mode: session max-entries max-entries chassis chassis-number slot slot-number | The maximum number of sessions depends on the device model, but should not exceed the session count specification of a device or a card. For more information, see product specifications.
Enabling checksum verification
To make sure session tracking is not affected by packets with checksum errors, you can enable checksum
verification for protocol packets. With checksum verification enabled, the session management feature
processes only packets with correct checksums, and packets with incorrect checksums will be processed
by other services based on the session management.
IMPORTANT:
Checksum verification might degrade the device performance. Enable it with caution.