09-09-2014 07:16 AM - edited 03-04-2019 11:43 PM
Hi,
Does anyone have experience with ip tcp intercept configuration on a Cisco 6500 for protecting the network against TCP SYN flooding?
Which mode is recommended to configure (intercept or watch), and how can it affect the CPU on a Cisco 6500?
Any info regarding that would be much appreciated.
Thank you
Salja
09-09-2014 02:36 PM
Hey Salja,
In Sup720 for TCP Intercept the support is as follows:
Watch mode: Initial TCP packets (SYN, SYN-ACK and ACK of SYN-ACK) and terminating TCP packets (FIN, RST) of a TCP flow are sent to the RP for processing in SW. All other TCP packets of the flow are handled in HW using netflow (if TCP packets come in before the netflow entry is created, they will get punted to SW). Note that the rate of netflow entry creation is limited, and if new TCP connections come in at a rate faster than the rate at which netflow entries can be created in HW, there will be a large number of packets hitting the CPU.
Intercept mode: For intercept mode without timeout, the behavior is similar to watch mode mentioned above. In intercept mode with timeout, all packets of a TCP flow are handled in SW by the RP.
So it's not advised to use TCP intercept on the 6500 as it may degrade box performance. I would suggest using a firewall for this feature.
HTH.
Regards,
RS.
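As an added illustration (not part of RS's reply, and not Cisco documentation quoted from the thread), here is the IOS configuration that selects the two modes discussed above, together with the show commands used to check whether SYN handling is landing on the RP. The ACL number, the server address (192.0.2.10, from TEST-NET-1) and every threshold are constructed placeholder values, and the thresholds in particular must be tuned to the real connection rate of the protected host.

```cisco
! Added example, not from the original thread. ACL 101, the server
! address 192.0.2.10 (TEST-NET-1) and all thresholds are constructed values.
!
! Only flows matched by this extended ACL are watched or intercepted;
! keep it narrow so the RP sees as few SYN/FIN/RST punts as possible.
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
!
ip tcp intercept list 101
!
! Watch mode: the router only observes the handshake and resets
! half-open connections that do not complete within the watch-timeout.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! Alternative (commented out) - intercept mode: the router completes the
! handshake on the server's behalf before opening the server-side connection.
! ip tcp intercept mode intercept
!
! Aggressive-mode thresholds: above the high watermark the router drops
! half-open connections (oldest or random) until it falls below the low one.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode random
!
! Verification: half-open connection counters, the intercepted flows,
! and the RP load that the reply above warns about.
show tcp intercept statistics
show tcp intercept connections
show processes cpu sorted | exclude 0.00
```

The last three commands are the ones to watch during a test: if `show processes cpu sorted` shows the IP Input process climbing while `show tcp intercept statistics` reports a rising half-open count, the SYN traffic is being processed in software on the RP, which is the degradation the reply describes.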