TCP Intercept for DoS Attack Prevention (CCIE Notes)

TCP Intercept

  • It protects a TCP server from TCP SYN-flooding (DoS) attacks.
  • It intercepts and validates TCP connection requests.
  • It establishes the connection with the client on behalf of the destination server and, if that succeeds, establishes a connection with the server on behalf of the client and knits the two half connections together transparently.
  • Either all requests can be intercepted, or only those coming from specific networks or destined for specific servers.

Modes of Operation:

Intercept Mode

  • This is the default mode.
  • Performs a three-way handshake with the client; if successful, it sends the original SYN packet to the destination server and performs a three-way handshake with the server.
  • When this is completed, the two half connections are joined.

Watch mode

  • Connection requests are allowed to pass through the router to the server but are watched until they become established.
  • If a request fails to establish within 30 seconds (default), the software sends a reset (RST) to the server to clear its half-open state.

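The two modes and the watch timeout above map onto a small set of IOS commands. The following is an added configuration example, not from the original notes; the server address (192.0.2.10, a documentation address), ACL number and threshold values are assumptions:

```cisco
! Added example (not from the original notes). Server address, ACL
! number and threshold values are assumptions.
!
! 1. Limit interception to SYNs destined for the protected server;
!    the ACL selects which requests TCP Intercept handles.
access-list 101 permit tcp any host 192.0.2.10 eq 80
ip tcp intercept list 101
!
! 2. Choose the mode. 'intercept' (default) proxies the three-way
!    handshake; 'watch' lets the SYN through and sends the server a
!    RST if the handshake is not complete within the watch timeout.
ip tcp intercept mode watch
! Default is 30 seconds; shortened here so half-open entries are
! cleared from the server sooner.
ip tcp intercept watch-timeout 20
!
! 3. Thresholds: once the number of half-open connections (or the
!    connection-attempt rate per minute) passes 'high', the router
!    starts dropping half-open entries until it falls below 'low'.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
! Drop random half-open entries instead of the oldest, so a steady
! flood of fresh SYNs cannot keep evicting legitimate in-progress
! handshakes first.
ip tcp intercept drop-mode random
!
! 4. Verification / monitoring
! show tcp intercept connections
! show tcp intercept statistics
```

Watch mode is the lighter-touch option because the router is not a party to every handshake, which is why the watch timeout matters: it bounds how long a spoofed SYN can hold a half-open slot on the server before the router resets it.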

Configure IOS router to initiate a VPN in Aggressive Mode

Enabling Aggressive Mode globally on an IOS router is pretty straightforward, and it is the default anyway:

no crypto isakmp aggressive-mode disable

But the problem with this is that the router will only act as a responder to VPN requests that come in. It cannot initiate a VPN in Aggressive Mode.

Adding the Aggressive Mode option in an ISAKMP profile and attaching that profile to the crypto map of that peer will allow the IOS router to also initiate a VPN in Aggressive Mode with the peer;

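As an added example (not the configuration from the original post, which is not reproduced in this excerpt), this is one way the ISAKMP profile and crypto map described above fit together. The peer address, keyring, profile and map names, transform set, ACL and the pre-shared key placeholder are all assumptions:

```cisco
! Added example (not from the original post). Peer address, names,
! transform set, ACL and the PSK placeholder are assumptions.
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
!
crypto keyring PEER-KEYRING
 pre-shared-key address 203.0.113.5 key REPLACE-WITH-STRONG-PSK
!
! The profile carries the per-peer settings, including the option to
! initiate (not only respond to) Aggressive Mode with this peer.
crypto isakmp profile PEER-PROFILE
 keyring PEER-KEYRING
 match identity address 203.0.113.5 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Attaching the profile to this peer's crypto map entry is what lets
! the router initiate toward that peer in Aggressive Mode.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set TS
 set isakmp-profile PEER-PROFILE
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 crypto map VPNMAP
!
! Verification: show crypto isakmp sa
```

Because Aggressive Mode exchanges the identity payload and the PSK-derived hash before the ISAKMP SA is encrypted, the pre-shared key is exposed to offline guessing by anyone who captures the exchange. Scoping it to a profile for the one peer that requires it, as above, and using a long random PSK limits that exposure compared with relying on the global default.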

Zone-Based Firewall – Configuration (CCIE Notes)

Let’s have a look at a very basic configuration first:

1. Zone Security

zone security OUTSIDE
zone security INSIDE

2. Zone Member

interface fa0/0
 zone-member security OUTSIDE
interface fa0/1
 zone-member security INSIDE


Zone-Based Firewall – Concepts (CCIE Notes)


  • Zone-Based Firewall may work in conjunction with CBAC, but it is not recommended.
  • UDP-based traceroute is not supported through ICMP inspection.
  • Multicast stateful inspection is not supported.
  • Since ZBFW does not inspect GRE or ESP packets, use ‘pass’ to allow such packets, as inspecting them would drop the traffic.

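An added example, not from either of the original ZBFW posts, that completes the two zones and zone members from the configuration notes above (class map, policy map and zone-pair) and applies the ‘pass’ rule for GRE/ESP from the concepts notes. Interface names, class/policy/ACL names and the tunnel peer address 203.0.113.5 are assumptions:

```cisco
! Added example (not from the original notes). Interface names,
! class/policy/ACL names and the tunnel peer address are assumptions.
!
zone security OUTSIDE
zone security INSIDE
!
interface FastEthernet0/0
 zone-member security OUTSIDE
interface FastEthernet0/1
 zone-member security INSIDE
!
! Traffic to inspect statefully from INSIDE to OUTSIDE; return
! traffic is allowed by the inspection state, not by a rule.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CM
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! GRE and ESP cannot be inspected, so they are passed. 'pass' is
! one-way: the reverse zone-pair needs its own matching pass.
ip access-list extended TUNNEL-OUT-ACL
 permit gre any host 203.0.113.5
 permit esp any host 203.0.113.5
class-map type inspect match-all TUNNEL-OUT-CM
 match access-group name TUNNEL-OUT-ACL
!
ip access-list extended TUNNEL-IN-ACL
 permit gre host 203.0.113.5 any
 permit esp host 203.0.113.5 any
class-map type inspect match-all TUNNEL-IN-CM
 match access-group name TUNNEL-IN-ACL
!
policy-map type inspect INSIDE-TO-OUTSIDE-PM
 class type inspect TUNNEL-OUT-CM
  pass
 class type inspect INSIDE-TO-OUTSIDE-CM
  inspect
 class class-default
  drop log
!
policy-map type inspect OUTSIDE-TO-INSIDE-PM
 class type inspect TUNNEL-IN-CM
  pass
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PM
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-PM
!
! Verification
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

The explicit `drop log` on `class-default` in both directions is what makes the policy fail closed while still leaving a record of what was denied; without a zone-pair and policy, traffic between two security zones is dropped silently.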

Routing Protocol Authentication – RIP, OSPF, EIGRP and BGP (CCIE Notes)


  • Define a key chain > key > key-string.
  • Reference the key-chain under the interface configuration.


key chain RIPkey
 key 0
  key-string cisco123
!
! The interface references the key chain by name; the mode selects
! MD5 or plain text (text is the default).
interface fa0/0
 ip rip authentication key-chain RIPkey
 ip rip authentication mode {md5 | text}

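The key-chain pattern above is the RIP case; as an added example (not from the original notes) the following extends it to the other three protocols named in the heading, showing where each one takes its key. Interface names, process and AS numbers, neighbor addresses, lifetimes and the key-string placeholders are assumptions:

```cisco
! Added example (not from the original notes). Interface names,
! process/AS numbers, neighbor addresses, lifetimes and key strings
! are assumptions.
!
! A key chain is shared by RIP and EIGRP; lifetimes allow staged
! key rollover without dropping adjacencies.
key chain ROUTING-KEYS
 key 1
  key-string REPLACE-WITH-KEY-1
  accept-lifetime 00:00:00 Jan 1 2024 infinite
  send-lifetime 00:00:00 Jan 1 2024 infinite
!
! RIPv2: reference the chain, then select MD5 (default mode is text).
interface FastEthernet0/0
 ip rip authentication key-chain ROUTING-KEYS
 ip rip authentication mode md5
!
! EIGRP: mode and key chain are both per interface, tied to the AS.
interface FastEthernet0/1
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ROUTING-KEYS
!
! OSPF: key on the interface; authentication type enabled per
! interface (it can also be enabled per area under 'router ospf').
interface FastEthernet1/0
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
 ip ospf authentication message-digest
!
! BGP: TCP MD5 option on the neighbor session; both ends must match.
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 password REPLACE-WITH-BGP-KEY
!
! Verification
! show ip protocols
! show ip eigrp neighbors
! show ip ospf neighbor
! show ip bgp summary
```

RIP and EIGRP read the key from a chain, OSPF and BGP take it directly on the interface or neighbor, so a mismatch shows up differently: RIP and EIGRP silently lose routes or neighbors, OSPF logs an authentication mismatch, and a BGP session with a bad password never leaves the Active/Idle states.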