
IP TCP intercept cisco 6500

Hi,

Does anyone have experience with ip tcp intercept configuration on a Cisco 6500 for protecting the network against TCP SYN flooding?

Which mode is recommended to configure (intercept or watch), and how can it affect the CPU on a Cisco 6500?

Any info regarding that would be much appreciated.

Thank you

Salja

1 ACCEPTED SOLUTION

Hey Salja,

On the Sup720, TCP Intercept support is as follows:

Watch mode: The initial TCP packets (SYN, SYN-ACK and the ACK of the SYN-ACK) and the terminating TCP packets (FIN, RST) of a TCP flow are sent to the RP for processing in SW. All other TCP packets of the flow are handled in HW using NetFlow (if TCP packets come in before the NetFlow entry is created, they get punted to SW). Note that the rate of NetFlow entry creation is limited, and if new TCP connections come in at a rate faster than the rate at which NetFlow entries can be created in HW, there will be a large number of packets hitting the CPU.

Intercept mode: For intercept mode without a timeout, the behavior is similar to watch mode as described above. In intercept mode with a timeout, all packets of a TCP flow are handled in SW by the RP.

So it is not advised to use TCP intercept on the 6500, as it may degrade box performance. I would suggest using a firewall for this feature.

HTH.

Regards,
RS.
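For reference, here is what a watch-mode TCP Intercept configuration looks like on IOS, the mode the reply above describes as keeping established-flow traffic in hardware. This is an added example and not configuration posted in the thread; the access list number and the 192.0.2.0/24 server range are assumptions, and the threshold and timer values are the IOS defaults written out explicitly so they are visible in the running config.

```cisco
! Added example, not from the thread. ACL number and server range are
! assumptions; threshold and timer values are the IOS defaults.
!
! Only connections towards the protected server range are intercepted;
! TCP traffic that does not match the list bypasses TCP Intercept.
access-list 150 permit tcp any 192.0.2.0 0.0.0.255
!
ip tcp intercept list 150
!
! Watch mode: the router passively watches the three-way handshake and
! sends a RST to the server for any connection that has not completed
! within watch-timeout. The alternative, "ip tcp intercept mode intercept",
! makes the router answer the SYN itself and proxy the handshake; per the
! reply above, intercept mode with a timeout is processed entirely on the RP.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
!
! Aggressive-mode thresholds (defaults). When the number of half-open
! connections, or the number of new connection attempts in the last minute,
! exceeds the high mark, each new attempt causes the oldest half-open
! connection to be dropped and the watch-timeout is halved. Aggressive mode
! ends when both counts fall below the low marks.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Timers: how long state is kept after FIN/RST, and the idle limit for
! an established connection before it is reset (24 hours by default).
ip tcp intercept finrst-timeout 5
ip tcp intercept connection-timeout 86400
```

After applying this, `show tcp intercept connections` lists the half-open and established connections the feature is tracking, and `show tcp intercept statistics` shows the current mode and the per-minute attempt counts, which is where you see aggressive mode kick in during a flood. Because the reply's caveat is that handshake packets, FIN/RST packets and any packets arriving before the NetFlow entry exists are punted to the RP, watch `show processes cpu sorted` while new-connection load is applied before trusting the configuration in production; if RP CPU climbs with connection rate rather than with bandwidth, the box is hitting the NetFlow entry-creation limit the reply describes.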
