Chapter 21
Configuring Advanced Connection Features
Configuring the Fragment Size
By default, the FWSM allows up to 24 fragments per IP packet, and up to 200 fragments awaiting
reassembly. You might need to allow fragments on your network if you have an application that routinely
fragments packets, such as NFS over UDP. However, if you do not have an application that fragments
traffic, we recommend that you do not allow fragments through the FWSM. Fragmented packets are
often used in DoS attacks. To disallow fragments, enter the following command:
hostname(config)# fragment chain 1 [interface_name]
Enter an interface name if you want to prevent fragmentation on a specific interface. By default, this
command applies to all interfaces.
Blocking Unwanted Connections
If you know that a host is attempting to attack your network (for example, system log messages show an
attack), then you can block (or shun) connections based on the source IP address and other identifying
parameters. No new connections can be made until you remove the shun.
Note
If you have an IPS that monitors traffic, then the IPS can shun connections automatically.
To shun a connection manually, perform the following steps:
Step 1
If necessary, view information about the connection by entering the following command:
hostname# show conn
The FWSM shows information about each connection, such as the following:
TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
Step 2
To shun connections from the source IP address, enter the following command:
hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
This command drops an existing connection, as well as blocking future connections. By default, the
protocol is 0 for IP.
For multiple context mode, you can enter this command in the admin context, and by specifying a
VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other
contexts.
Step 3
To remove the shun, enter the following command:
hostname(config)# no shun src_ip [vlan vlan_id]
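As an added example that is not part of the configuration guide, the following Python script parses show conn output in the layout shown in Step 1 and builds the shun and no shun commands from Steps 2 and 3 for a source address you have identified from system log messages. It assumes that the bare words after the protocol and after the first endpoint are interface names, and uses the IANA protocol numbers 6 (TCP) and 17 (UDP) for the optional protocol argument.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of a 'show conn' line as printed in Step 1. Assumption: the bare words
# after the protocol and after the first endpoint are interface names.
_CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<a_ip>[\d.]+):(?P<a_port>\d+)"
    r"\s+\S+\s+(?P<b_ip>[\d.]+):(?P<b_port>\d+)\s+idle\s+\S+"
    r"\s+bytes\s+\d+\s+flags\s+(?P<flags>\S+)$"
)
_PROTO_NUM = {"TCP": 6, "UDP": 17}  # assumed: IANA numbers for the [protocol] argument

@dataclass(frozen=True)
class Conn:
    proto: str
    a_ip: str       # first endpoint printed (the "out" side in Step 1)
    a_port: int
    b_ip: str       # second endpoint printed (the "in" side)
    b_port: int
    flags: str

def parse_show_conn(text: str) -> List[Conn]:
    """Parse 'show conn' output; lines that do not match the layout are skipped."""
    conns = []
    for line in text.splitlines():
        m = _CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], m["a_ip"], int(m["a_port"]),
                              m["b_ip"], int(m["b_port"]), m["flags"]))
    return conns

def shun_commands(conns: List[Conn], attacker_ip: str, vlan: Optional[int] = None) -> List[str]:
    """Emit 'shun src_ip dst_ip src_port dest_port protocol' for every live connection
    involving attacker_ip so each is dropped now; with no live connection, a bare
    'shun src_ip' still blocks future connections from that address."""
    suffix = f" vlan {vlan}" if vlan is not None else ""
    cmds = []
    for c in conns:
        if c.a_ip == attacker_ip:
            src, sport, dst, dport = c.a_ip, c.a_port, c.b_ip, c.b_port
        elif c.b_ip == attacker_ip:
            src, sport, dst, dport = c.b_ip, c.b_port, c.a_ip, c.a_port
        else:
            continue
        cmds.append(f"shun {src} {dst} {sport} {dport} {_PROTO_NUM[c.proto]}{suffix}")
    return cmds or [f"shun {attacker_ip}{suffix}"]

def unshun_command(attacker_ip: str, vlan: Optional[int] = None) -> str:
    """Step 3: 'no shun src_ip [vlan vlan_id]' removes the block."""
    return f"no shun {attacker_ip}" + (f" vlan {vlan}" if vlan is not None else "")

# Constructed sample output modelled on the line shown in Step 1.
SAMPLE_SHOW_CONN = """\
TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
TCP out 64.101.68.161:4301 in 10.86.194.61:22 idle 0:00:05 bytes 220 flags UIO
UDP out 198.51.100.9:53 in 10.86.194.70:51000 idle 0:00:01 bytes 96 flags -
"""

if __name__ == "__main__":
    for cmd in shun_commands(parse_show_conn(SAMPLE_SHOW_CONN), "64.101.68.161"):
        print(cmd)
```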
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01