28240 Views · 45 Helpful · 4 Replies

Service TCP-Keepalives-IN/OUT

Zali (Level 1)

Hi,

I need to know if service tcp-keepalives-in and service tcp-keepalives-out have any production impact. I am planning to apply this feature for incoming and outgoing TCP connections on my edge routers in a production environment.

As these are key routers, I am very much concerned about the impact of executing these commands.


Thanks,

Zali

4 Replies

Michael Hubbard (Level 1)

Hello Zali,
There will not be any impact on production. These two commands are best practices and only come into play if you have a communications problem between your SSH/telnet client and the router. This Cisco document has a good example:
https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/14957-tcpkeepalive.html

I hope this makes you feel comfortable deploying the commands!

Here are a couple of others I use:
no service pad
no service finger
no ip source-route
no ip gratuitous-arps
no service dhcp (only on devices that don't offer DHCP relay or addresses)
no ip finger
no service tcp-small-servers (IOS 11.2 and older)
no service udp-small-servers (IOS 11.2 and older)

!logging timestamps helps you correlate events across network devices
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service sequence-numbers
service counters max age 5
service password-encryption
service linenumber

Here is a good Cisco tutorial on security. Ironically, it requires Flash to view!
https://www.cisco.com/c/dam/en_us/training-events/le31/le46/cln/qlm/Learning_Center/Security/Hardening_Cisco_IOS_Devices/player.html

Here is a Cisco webpage on hardening devices:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
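As an added example (not part of this thread or of any Cisco tool), a small Python audit that reads a `show running-config` capture and reports which of the hardening lines listed in the reply above are absent. The required-line list and the sample config are constructed for illustration; it assumes that once these settings are configured they appear verbatim as global-config lines in the running-config output.

```python
"""Audit a Cisco IOS running-config capture for the hardening lines above."""
import re

# Global-config lines expected on a hardened device, with the reason each
# matters. Assumption: `show running-config` prints them verbatim when set.
REQUIRED_LINES = [
    ("service tcp-keepalives-in", "tear down dead inbound vty/SSH sessions"),
    ("service tcp-keepalives-out", "tear down dead outbound TCP sessions"),
    ("no service pad", "PAD service is not needed on a router"),
    ("no ip source-route", "ignore source-routed packets"),
    ("no ip gratuitous-arps", "do not send gratuitous ARPs"),
    ("service password-encryption", "obscure plaintext passwords in the config"),
    ("service timestamps log datetime msec localtime", "timestamped log events"),
    ("service timestamps debug datetime msec localtime", "timestamped debug output"),
    ("service sequence-numbers", "sequence-numbered syslog messages"),
]

def parse_config(text):
    """Return the set of global-config lines with whitespace collapsed.
    Comment lines ('!') and indented sub-mode lines are ignored."""
    lines = set()
    for raw in text.splitlines():
        if not raw or raw.startswith("!") or raw[0].isspace():
            continue
        lines.add(re.sub(r"\s+", " ", raw.strip()))
    return lines

def audit(text):
    """Return the (line, reason) pairs from REQUIRED_LINES missing from text."""
    present = parse_config(text)
    return [(line, why) for line, why in REQUIRED_LINES if line not in present]

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
!
version 15.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service tcp-keepalives-in
!
hostname EDGE-RTR-1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for line, why in audit(SAMPLE_CONFIG):
        print(f"MISSING: {line:<50} ({why})")
```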

jayage (Level 1)

Is it recommended to set this on layer 3 switches with ssh enabled also?

I believe that it is recommended on any layer 3 network device, especially ones with SSH or telnet in use.

HTH

Rick

Michael Hubbard (Level 1)

Hello jayage,

I thought I replied back on 9/11 but I don't see it online.

Yes, this setting is a Cisco best practice. It will not interrupt production.

I recently did a blog post on disabling weak crypto ciphers on Cisco switches. I recommend doing that also, especially if you will have a PCI DSS or other security audit on the switch.

https://mwhubbard.blogspot.com/2020/06/disable-weak-sshssl-ciphers-in-cisco-ios.html
