R211x-HP Flexfabric 11900 Layer 3 - IP Services Configuration Guide

32000, and 65535 bytes. Because the minimum TCP MSS specified by the system is 32 bytes, the actual
minimum MTU is 72 bytes (a 32-byte MSS plus a 20-byte IP header and a 20-byte TCP header).
After you enable TCP path MTU discovery, all new TCP connections will detect the path MTU. The device
uses the path MTU to calculate the MSS to avoid IP fragmentation.
The path MTU uses the following aging mechanism to make sure that the source device can increase the
path MTU again when the minimum link MTU on the path increases:
• When the TCP source device receives an ICMP error message (Fragmentation Needed), it reduces the
path MTU and starts an age timer for the path MTU.
• After the age timer expires, the source device moves to the next larger MSS in the MTU table described
in RFC 1191.
• If no ICMP error message is received within two minutes, the source device increases the MSS again,
and repeats this until the MSS is as large as the MSS negotiated during the TCP three-way handshake.
ICMP error messages are not authenticated, so a forged Fragmentation Needed message can shrink the
MSS of a connection; the aging mechanism bounds how long such a reduction lasts, and the 72-byte
minimum bounds how small it can become.
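The aging mechanism above, written out as a small state machine. This is an added example, not code from the guide or from HP's software; it assumes the RFC 1191 plateau table as the "MTU table", seconds as the unit of the age timer (the CLI's aging age-time value), the two-minute probe interval stated in the text, and that no-aging corresponds to an age timer that is never started.

```python
"""Simulation of per-connection path MTU aging (added example, not HP code)."""

# RFC 1191 section 7.1 plateau table of common MTUs, largest first.
RFC1191_PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]

IP_HEADER = 20    # IPv4 header without options
TCP_HEADER = 20   # TCP header without options
MIN_MSS = 32      # minimum TCP MSS the guide says the system allows
MIN_MTU = MIN_MSS + IP_HEADER + TCP_HEADER   # 72 bytes, as stated in the guide
PROBE_INTERVAL = 120   # "no ICMP error message within two minutes" -> increase again


def mss_for_mtu(mtu):
    return mtu - IP_HEADER - TCP_HEADER


def next_lower_plateau(mtu):
    """Largest plateau strictly below mtu (for ICMP messages with no next-hop MTU)."""
    for p in RFC1191_PLATEAUS:
        if p < mtu:
            return p
    return MIN_MTU


def next_higher_plateau(mtu):
    """Smallest plateau strictly above mtu."""
    for p in reversed(RFC1191_PLATEAUS):
        if p > mtu:
            return p
    return mtu


class PathMtuState:
    """Path MTU of one TCP connection with the aging behaviour from the guide."""

    def __init__(self, negotiated_mss, age_time=600):
        # age_time: seconds before the first increase is attempted (assumed unit);
        # None models the 'no-aging' keyword: the reduced MTU is kept forever.
        self.negotiated_mss = negotiated_mss
        self.age_time = age_time
        self.path_mtu = negotiated_mss + IP_HEADER + TCP_HEADER
        self.timer_expires_at = None

    @property
    def mss(self):
        return mss_for_mtu(self.path_mtu)

    def on_icmp_frag_needed(self, now, next_hop_mtu=0):
        """ICMP Fragmentation Needed: reduce the path MTU and (re)start the age timer."""
        candidate = next_hop_mtu if next_hop_mtu else next_lower_plateau(self.path_mtu)
        # Never grow on an ICMP error, and never drop below the 72-byte minimum.
        self.path_mtu = max(min(self.path_mtu, candidate), MIN_MTU)
        if self.age_time is not None:
            self.timer_expires_at = now + self.age_time

    def on_timer(self, now):
        """Called periodically; returns True if the MSS was increased on this call."""
        if self.timer_expires_at is None or now < self.timer_expires_at:
            return False
        ceiling = self.negotiated_mss + IP_HEADER + TCP_HEADER
        self.path_mtu = min(next_higher_plateau(self.path_mtu), ceiling)
        if self.path_mtu >= ceiling:
            self.timer_expires_at = None   # back at the handshake MSS: stop probing
        else:
            self.timer_expires_at = now + PROBE_INTERVAL
        return True


if __name__ == "__main__":
    # Constructed scenario: 1460-byte MSS (1500 MTU) path, then a 1006-byte hop appears.
    s = PathMtuState(negotiated_mss=1460, age_time=600)
    s.on_icmp_frag_needed(now=0, next_hop_mtu=1006)
    print("after ICMP:", s.path_mtu, "MSS", s.mss)
    for t in (600, 720):
        s.on_timer(t)
        print("t=%d:" % t, s.path_mtu, "MSS", s.mss)
```

With aging enabled, the connection recovers to its handshake MSS in two timer steps (1006 to 1492, then 1492 to 1500). With age_time=None the reduced value is kept for the life of the connection, which is what no-aging trades for fewer probes.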
To enable TCP path MTU discovery:

Step                                Command                                         Remarks
1. Enter system view.               system-view                                     N/A
2. Enable TCP path MTU discovery.   tcp path-mtu-discovery [ aging age-time |       The default setting is disabled.
                                    no-aging ]
Enabling TCP SYN Cookie
A TCP connection is established through a three-way handshake:
1. The client sends a SYN packet to the server.
2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state,
and replies with a SYN ACK packet to the client.
3. The client receives the SYN ACK packet and replies with an ACK packet. A TCP connection is
established.
An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number
of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server
establishes a large number of TCP semi-connections and can no longer handle normal services.
SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it
responds with a SYN ACK packet without establishing a TCP semi-connection. The state it would
otherwise have to store is encoded as a cookie in the initial sequence number of the SYN ACK. The server
establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from
the client whose acknowledgment number carries a valid cookie. Because the cookie has room for only a
few bits of option state (typically the MSS), TCP options the server would normally remember from the SYN
may not survive a cookie-protected handshake.
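The handshake with and without SYN cookies, as an added example that is not part of the guide and does not describe HP's implementation. It assumes a 32-bit cookie layout (5-bit time counter, 25-bit keyed hash, 2-bit MSS index), a four-entry MSS table, a 60-second counter tick and a two-tick acceptance window; all of these are choices made for the example. Addresses and ports in the flood are constructed.

```python
"""Stateful vs SYN-cookie handshake handling (added example, not HP code)."""
import hashlib
import hmac
import os
import secrets

COOKIE_SECRET = os.urandom(16)          # per-boot secret for the cookie hash (constructed)
MSS_TABLE = (536, 1220, 1440, 1460)     # MSS values encodable in the low 2 bits (assumed table)
COUNTER_PERIOD = 60                     # seconds per counter tick (assumption)
MAX_COUNTER_AGE = 2                     # accept the current tick and the previous two


def _keyed_hash(saddr, daddr, sport, dport, counter, mss_idx):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}|{mss_idx}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF      # 25 bits


def make_cookie(saddr, daddr, sport, dport, client_mss, counter):
    """Build the 32-bit initial sequence number that carries the cookie."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table MSS not above the client's
        if m <= client_mss:
            idx = i
    h = _keyed_hash(saddr, daddr, sport, dport, counter & 0x1F, idx)
    return ((counter & 0x1F) << 27) | (h << 2) | idx


def check_cookie(saddr, daddr, sport, dport, cookie, counter):
    """Return the MSS encoded in a valid cookie, or None if it is forged or stale."""
    c = (cookie >> 27) & 0x1F
    idx = cookie & 0x3
    h = (cookie >> 2) & 0x1FFFFFF
    if ((counter - c) & 0x1F) > MAX_COUNTER_AGE:
        return None
    if h != _keyed_hash(saddr, daddr, sport, dport, c, idx):
        return None
    return MSS_TABLE[idx]


class TcpListener:
    """Server side of the three-way handshake, with or without SYN cookies."""

    def __init__(self, addr, port, syn_cookie=False):
        self.addr, self.port, self.syn_cookie = addr, port, syn_cookie
        self.half_open = {}      # SYN_RECEIVED entries keyed by (client addr, client port)
        self.established = {}    # completed connections -> MSS in use

    @staticmethod
    def _counter(now):
        return (int(now) // COUNTER_PERIOD) & 0x1F

    def on_syn(self, caddr, cport, client_isn, client_mss, now):
        """Handle a SYN; return the (seq, ack) pair of the SYN ACK sent back."""
        if self.syn_cookie:
            # Stateless: the cookie in our ISN is everything we need to remember.
            isn = make_cookie(caddr, self.addr, cport, self.port, client_mss, self._counter(now))
        else:
            # Stateful: allocate a semi-connection that waits for the ACK (possibly forever).
            isn = secrets.randbits(32)
            self.half_open[(caddr, cport)] = (isn, client_mss)
        return isn, (client_isn + 1) & 0xFFFFFFFF

    def on_ack(self, caddr, cport, ack, now):
        """Handle the final ACK; True if the connection reaches ESTABLISHED."""
        key = (caddr, cport)
        if self.syn_cookie:
            mss = check_cookie(caddr, self.addr, cport, self.port,
                               (ack - 1) & 0xFFFFFFFF, self._counter(now))
            if mss is None:
                return False
        else:
            entry = self.half_open.pop(key, None)
            if entry is None or ack != (entry[0] + 1) & 0xFFFFFFFF:
                return False
            mss = entry[1]
        self.established[key] = mss
        return True


def syn_flood(listener, count, now):
    """Send count SYNs from constructed spoofed sources, never ACK; return the backlog size."""
    for i in range(count):
        listener.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, 1000 + i, 1460, now)
    return len(listener.half_open)


if __name__ == "__main__":
    print("stateful backlog:", syn_flood(TcpListener("203.0.113.10", 80), 500, now=0))
    srv = TcpListener("203.0.113.10", 80, syn_cookie=True)
    print("cookie backlog:", syn_flood(srv, 500, now=0))
    seq, ack = srv.on_syn("192.0.2.7", 40000, 12345, 1460, now=100)
    print("legit client:", srv.on_ack("192.0.2.7", 40000, (seq + 1) & 0xFFFFFFFF, now=101))
```

The flood fills the stateful listener's backlog with 500 semi-connections while the cookie listener stores nothing, yet a real client whose ACK echoes the cookie still completes the handshake. A forged ACK, an ACK from a different port, or an ACK arriving many counter ticks later is rejected without any stored state.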
To enable TCP SYN Cookie:

Step                        Command                   Remarks
1. Enter system view.       system-view               N/A
2. Enable SYN Cookie.       tcp syn-cookie enable     The default setting is disabled.