IP TCP intercept cisco 6500

Hi,
Does anyone have experience with ip tcp intercept configuration on a Cisco 6500 for protecting the network against TCP SYN flooding?
Which mode is recommended (intercept or watch), and how does it affect the CPU on a Cisco 6500?
Any info regarding that would be much appreciated.
Thank you
Salja

Hey Salja,
On the Sup720, support for TCP Intercept is as follows:
Watch mode: The initial TCP packets (SYN, SYN-ACK and the ACK of the SYN-ACK) and the terminating TCP packets (FIN, RST) of a TCP flow are sent to the RP for processing in SW. All other TCP packets of the flow are handled in HW using NetFlow (if TCP packets come in before the NetFlow entry is created, they get punted to SW). Note that the rate of NetFlow entry creation is limited, and if new TCP connections come in at a rate faster than the rate at which NetFlow entries can be created in HW, there will be a large number of packets hitting the CPU.
Intercept mode: For intercept mode without timeout, the behavior is similar to watch mode as described above. In intercept mode with timeout, all packets of a TCP flow are handled in SW by the RP.
So it's not advised to use TCP intercept on the 6500, as it may degrade box performance. I would suggest using a firewall for this feature.
HTH.
Regards,
RS.

Similar Messages

  • How to count/determine downtime of a Cisco 6500 switch?

    Hello,
    I work with Cisco 6500 switches. Now we need to evaluate the downtime of all switches. We are using Cacti to query system information from the switches using SNMP, but sometimes Cacti doesn't get the data because of high CPU on the switch, so the switch stops the SNMP service. Because of that, the data in Cacti is not valid for determining our switch downtime.
    Is there any tool or other way to monitor Cisco switch downtime?
    Thanks a lot. 

    Just like a reminder system: it can send an email or some message.
    EEM can be configured to send someone an email when some kind of "event" is triggered, such as an uplink going DOWN/UP.
    However, the chassis can't send an email if it's down, but it can be configured to send out an email when the supervisor card boots up.

  • TCP intercept..question

    HI ALL.
    TCP intercept is a feature used to prevent SYN flood attacks on a router. Will the router not be under attack if too many proxy connections are handled by the router?
    Please reply.

    Hi mate,
    Please, clarify your question.
    A little bit on TCP intercept as follows (these are some notes from my studies):
    TCP intercept
       % Prevents TCP SYN flood attacks (TCP 3-way handshake not completed)
          . SYN, SYN/ACK, ACK
       % Results in half-open or embryonic sessions
    - TCP intercept tries to prevent this in TWO ways
       % Intercept mode (proxy for all connections / only connects to the server after the 3-way handshake completes)
       % WATCH mode (passively monitors session establishment / sends TCP RST if the 3-way handshake does not complete in time)   >> The best choice <<
    Waiting to hear from you.
    Please rate useful posts!
    cheers
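    The two replies above (the Sup720 punt behaviour in the first thread, and the watch/intercept study notes here) describe TCP intercept in words. The following is an added example that is not from either post and not IOS code: a small state machine that models what the device does in each mode, including the aggressive-mode behaviour (halved timer, drop-mode oldest) once the half-open table crosses the high-water mark. The timer and threshold values are assumptions taken from the defaults of `ip tcp intercept watch-timeout`, `ip tcp intercept max-incomplete high/low` and `ip tcp intercept drop-mode oldest`; addresses and segments are constructed test data.

```python
"""Model of IOS TCP intercept in watch and intercept mode (added example, not IOS code).

Assumed to mirror these IOS defaults:
    ip tcp intercept watch-timeout 30
    ip tcp intercept max-incomplete high 1100 / low 900
    ip tcp intercept drop-mode oldest
"""
from collections import OrderedDict
from dataclasses import dataclass

WATCH_TIMEOUT = 30.0        # seconds a half-open connection may live (assumed default)
MAX_INCOMPLETE_HIGH = 1100  # half-open count that enters aggressive mode (assumed default)
MAX_INCOMPLETE_LOW = 900    # half-open count that leaves aggressive mode (assumed default)


@dataclass(frozen=True)
class Seg:
    """One TCP segment. flags is a subset of S (SYN), A (ACK), F (FIN), R (RST)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    t: float  # arrival time in seconds


class TcpIntercept:
    def __init__(self, mode="watch", watch_timeout=WATCH_TIMEOUT,
                 high=MAX_INCOMPLETE_HIGH, low=MAX_INCOMPLETE_LOW):
        if mode not in ("watch", "intercept"):
            raise ValueError(mode)
        self.mode, self.watch_timeout, self.high, self.low = mode, watch_timeout, high, low
        self.half_open = OrderedDict()  # (c_ip, c_port, s_ip, s_port) -> SYN time, oldest first
        self.aggressive = False
        self.sent = []       # segments the device generates itself
        self.forwarded = []  # segments passed through to the real server
        self.dropped = 0     # half-open entries evicted by drop-mode oldest

    def _update_aggressive(self):
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True
        elif self.aggressive and n < self.low:
            self.aggressive = False

    def tick(self, now):
        """Expire half-open entries; aggressive mode halves the timer (assumed, as IOS does)."""
        limit = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        for k, t0 in list(self.half_open.items()):
            if now - t0 > limit:
                del self.half_open[k]
                if self.mode == "watch":
                    # watch mode: the server holds a real half-open socket, so clear it with a RST
                    c_ip, c_port, s_ip, s_port = k
                    self.sent.append(Seg(c_ip, c_port, s_ip, s_port, "R", now))
        self._update_aggressive()

    def observe(self, seg):
        self.tick(seg.t)
        c2s = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == "S":                        # client SYN
            if self.aggressive and self.half_open:   # drop-mode oldest
                self.half_open.popitem(last=False)
                self.dropped += 1
            self.half_open[c2s] = seg.t
            if self.mode == "watch":
                self.forwarded.append(seg)           # server sees the SYN and answers itself
            else:
                # intercept mode: the device answers SYN-ACK on the server's behalf
                self.sent.append(Seg(seg.dst, seg.dport, seg.src, seg.sport, "SA", seg.t))
        elif seg.flags == "SA":                     # server SYN-ACK (watch mode only)
            self.forwarded.append(seg)
        elif "R" in seg.flags or "F" in seg.flags:  # either side tearing down
            s2c = (seg.dst, seg.dport, seg.src, seg.sport)
            self.half_open.pop(c2s, None)
            self.half_open.pop(s2c, None)
            self.forwarded.append(seg)
        elif seg.flags == "A" and c2s in self.half_open:  # client completes the handshake
            del self.half_open[c2s]
            if self.mode == "intercept":
                # only now does the device open the real connection to the server
                self.sent.append(Seg(seg.src, seg.sport, seg.dst, seg.dport, "S", seg.t))
            else:
                self.forwarded.append(seg)
        else:
            self.forwarded.append(seg)
        self._update_aggressive()


def legit_handshake(mode):
    """Returns (half-open entries left, flags of device-generated segments)."""
    dev = TcpIntercept(mode)
    c, s = ("192.0.2.5", 40000), ("198.51.100.10", 80)   # constructed
    dev.observe(Seg(*c, *s, "S", 0.0))
    if mode == "watch":
        dev.observe(Seg(*s, *c, "SA", 0.1))  # in intercept mode the device answered instead
    dev.observe(Seg(*c, *s, "A", 0.2))
    return len(dev.half_open), [x.flags for x in dev.sent]


def syn_flood(mode, n, spacing=0.01):
    """n spoofed SYNs with no ACK; summary once all timers have expired."""
    dev = TcpIntercept(mode)
    for i in range(n):
        dev.observe(Seg(f"203.0.113.{i % 250 + 1}", 1024 + i, "198.51.100.10", 80, "S", i * spacing))
    aggressive_seen = dev.aggressive
    dev.tick(n * spacing + WATCH_TIMEOUT + 1)
    return {"rst_to_server": sum(1 for x in dev.sent if x.flags == "R"),
            "syn_seen_by_server": sum(1 for x in dev.forwarded if x.flags == "S"),
            "dropped": dev.dropped, "left": len(dev.half_open),
            "aggressive_seen": aggressive_seen}


if __name__ == "__main__":
    for m in ("watch", "intercept"):
        print(m, legit_handshake(m), syn_flood(m, 1500))
```

    Running the flood in watch mode shows the trade-off the first reply describes: every spoofed SYN still reaches the server and the device only cleans up afterwards with a RST per expired entry, whereas in intercept mode the server never sees a SYN but the device itself now owns every half-open state and answers every SYN, which is exactly the work that lands on the RP.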

  • Cisco 6500 with sup720 booting to rommon

    Please, how can I solve this problem? This Cisco 6500 boots to rommon mode, and I can't see any error showing why it's booting to rommon.

    Here is the boot process:
    System Bootstrap, Version 8.5(4)
    Copyright (c) 1994-2009 by cisco Systems, Inc.
    Testing lower main memory - data equals address
    Testing lower main memory - checkerboard
    Testing lower main memory - inverse checkerboard
    Clearing lower memory for cache initialization
    Clearing bss
    Clearing autoboot state machine
    melody_present_reg: 1st read w/ 0x5555
    melody_present_reg: 2nd read w/ 0xaaaa, reversed: 0x5555
    Bootdisk adapter is detected, enabling bootdisk access...
    Reprogramming CS1 w/ Melody value...
    Reading monitor variables from NVRAM
    Reset reason for CPU board 0xffff , BaseBoard 0x281ffff, display 0x20000System Reset by Software.
    Enabling interrupts
    Initializing TLB
    Initializing cache
    Initializing required TLB entries
    MOBILE dimm - rev 0.15
    Initializing main memory
    Sizing NVRAM
    Initializing PCMCIA controller
    Initializing USB2.0 controller
    Exiting init
    Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
    Autoboot: failed, BOOT string is empty
    Autoboot executing command: "boot "
    Initializing ATA monitor library...
    string is bootdisk:s72033-ipbasek9-mz.122-33.SXJ2.bin
    Loading image, please wait ...
    Initializing ATA monitor library...
    Stack pointer       : 0x8FFFFF80
    monstack            : 0x800FFFC0
    monra               : 0xBFC26EC4
    edata : 0x80108580
    magic : 0xFEEDFACE
    memsize             : 0x10000000
    uncomp_size         : 0x05090C00
    comp_size           : 0x05090C00
    comp_checksum       : 0x98ECBE18
    uncomp_checksum     : 0x98ECBE18
    CZIP_MEM_BASE       : 0x80000000
    _end       : 0x8010BA00
    Self extracting the image...
    IOS compressed src copy is     : 0x80108594
    czip + IOS tar size is :0x00E01FA8
    czip + IOS Tar image is now :0x80108794
    cptr is now :0x8010BB00
    IOS compressed dest copy is     : 0x8010BB00
    [OK]
    image_entry :0x80100000
    image_entry :0x80100000
    __start : 0x80100000
    tar_avail_size is now :0x0428EA00
    Tar image address is             : 0x80F0DB00
    tar_size is           : 0x0428E600
    cpu type                   : 0x00000019
    uncomp_size                : 0x05090C00
    monstack                   : 0x800FFFC0
    image_info.entry_point   = 0x80100000
    image_info.section_count = 0x00000005
    image_info.monstack      = 0x800FFFC0
    image_info.monra         = 0xBFC26EC4
    image_info.param0        = 0x00000002
    image_info.param1        = 0x00000000
    image_info.param2        = 0x800066A8
    image_info.param3        = 0x80100000
    image_info.reg_k0        = 0x80F0DB00
    image_info.reg_k1        = 0x0428E600
    Section Index = 0x00000000
        source    = 0x8010BC1C
        dest      = 0x80100000
        bytes     = 0x00010000
    Section Index = 0x00000001
        source    = 0x8011BC1C
        dest      = 0x80110000
        bytes     = 0x00000720
    Section Index = 0x00000002
        source    = 0x8011C33C
        dest      = 0x80110720
        bytes     = 0x00000020
    Section Index = 0x00000003
        source    = 0x8011C35C
        dest      = 0x80110740
        bytes     = 0x00DF1730
    Section Index = 0x00000004
        source    = 0x80F0DA8C
        dest      = 0x80F01E70
        bytes     = 0x00000000
    reg_v0: 0x00000000
    reg_k0: 0x80F0DB00
    reg_k1: 0x0428E600
    tar_start: 0x00000000
    tar_size: 0x00000000
    Tar image address is             : 0x80F0DB00
    tar size is :0x00B6130E
    Tar magic : ustar Tar filename : C2LC memsize             : 0x10000000
    Tar gid         : 035231Tar uncomp_size         : 0x00B6130E
    Tar mtime         : 11672344432 Tar username          : ccaiTar comp_checksum       : 0x0000125F
    Tar group name    : buildTar prefix    : tar_size  in czip         : 0x0428E600
    Stack pointer       : 0x8FFFFF80
    monstack            : 0x800FFFC0
    monra               : 0xBFC26EC4
    edata : 0x80110740
    magic : 0xFEEDFACE
    memsize             : 0x10000000
    uncomp_size         : 0x02B3E7F0
    comp_size           : 0x00DF171C
    comp_checksum       : 0xE917F280
    uncomp_checksum     : 0xD094D890
    Compressed IOS src copy is     : 0x80110754
    tar_dest is :0x8BD69200
    tar_size is :0x0428E600
    Compressed IOS dest copy is     : 0x8AF77AE4
    Tar src before IOS decompression is     : 0x80F0DB00
    Tar dest before IOS decompression is     : 0x8BD69200
    compressed IOS  src is     : 0x8AF77AE4
    IOS uncompressed dest copy is     : 0x8013C160
    Self decompressing the image : ############################################################################################################################################################################################################################## [OK]
    e_shoff :
    0x02B3E660
    e_flags : 0x10001001
    e_phnum :
    0x00000001
    Source elf_hdr->e_shnum = 0x0000000A
    Setting up to copy ELF section 0x00000001
    to image_info section 0x00000000
    sh_name = 0x0000000B
    sh_type = 0x00000001
    sh_flags = 0x00000007
    sh_addr = 0x80100000
    sh_offset = 0x00000060
    sh_size = 0x02640000
    sh_link = 0x00000000
    sh_info = 0x00000000
    sh_addralign = 0x00000020
    sh_entsize = 0x00000000
    Setting up to copy ELF section 0x00000002
    to image_info section 0x00000001
    sh_name = 0x00000011
    sh_type = 0x00000001
    sh_flags = 0x00000003
    sh_addr = 0x82740000
    sh_offset = 0x02640060
    sh_size = 0x00373440
    sh_link = 0x00000000
    sh_info = 0x00000000
    sh_addralign = 0x00000008
    sh_entsize = 0x00000000
    Setting up to copy ELF section 0x00000003
    to image_info section 0x00000002
    sh_name = 0x00000017
    sh_type = 0x00000001
    sh_flags = 0x00000003
    sh_addr = 0x82AB3440
    sh_offset = 0x029B34A0
    sh_size = 0x0003EEE4
    sh_link = 0x00000000
    sh_info = 0x00000000
    sh_addralign = 0x00000004
    sh_entsize = 0x00000000
    Setting up to copy ELF section 0x00000004
    to image_info section 0x00000003
    sh_name = 0x00000024
    sh_type = 0x00000001
    sh_flags = 0x10000003
    sh_addr = 0x82AF2324
    sh_offset = 0x029F2384
    sh_size = 0x0000423C
    sh_link = 0x00000000
    sh_info = 0x00000000
    sh_addralign = 0x00000010
    sh_entsize = 0x00000000
    sh_type = 0x00000008
    sh_flags = 0x10000003
    sh_addr = 0x82AF6560
    sh_offset = 0x029F65C0
    sh_size = 0x00000940
    sh_type = 0x00000008
    sh_flags = 0x00000003
    sh_addr = 0x82AF6EA0
    sh_offset = 0x029F65C0
    sh_size = 0x021FE100
    tar file start = 0x84D02F50
    cpu type                   : 0x00000019
    uncomp_size                : 0x02B3E7F0
    monstack                   : 0x800FFFC0
    image_info.entry_point   = 0x80100000
    image_info.section_count = 0x00000005
    image_info.monstack      = 0x800FFFC0
    image_info.monra         = 0xBFC26EC4
    image_info.param0        = 0x00000002
    image_info.param1        = 0x00000000
    image_info.param2        = 0x800066A8
    image_info.param3        = 0x80100000
    image_info.reg_k0        = 0x84D02F50
    image_info.reg_k1        = 0x0428E600
    Section Index = 0x00000000
        source    = 0x8013C1C0
        dest      = 0x80100000
        bytes     = 0x02640000
    Section Index = 0x00000001
        source    = 0x8277C1C0
        dest      = 0x8274CFB0
        bytes     = 0x00373440
    Section Index = 0x00000002
        source    = 0x82AEF600
        dest      = 0x82AC03F0
        bytes     = 0x0003EEE4
    Section Index = 0x00000003
        source    = 0x82B2E4E4
        dest      = 0x82AFF2D4
        bytes     = 0x0000423C
    Section Index = 0x00000004
        source    = 0x8BD69200
        dest      = 0x84D02F50
        bytes     = 0x0428E600
    data_size  in czip         : 0x00001000
    bss end of IOS is         : 0x84D01F50
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, s72033_sp Software (s72033_sp-IPBASEK9-M), Version 12.2(33)SXJ2, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 15-Dec-11 01:29 by prod_rel_team
    Image text-base: 0x4010132C, data-base: 0x4274CFB0
    Active crashed three times, disabling auto-boot and dropping to rommon
    Firmware compiled 15-Nov-11 14:23 by integ Build [100]
    *Jan  1 02:27:12.643: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
    *Jan  1 02:27:13.459: %PFREDUN-4-SUP_FORCE_TO_ROMMON: Supervisor forced to rommon with reason: Active crashed three times in a row
    System Bootstrap, Version 8.5(4)
    Copyright (c) 1994-2009 by cisco Systems, Inc.
    Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
    rommon 1 >

  • Cisco 6500 --ACL entries showing incorrect order.

    Hi guys,
    I need your suggestion on my following issue:
    I have configured the ACL entries on my Cisco 6500 series box, but I see the ACL entries in an incorrect order when I check them.
    Eg:
    Europebox#show access-list 50
    10 permit 192.50.20.2 (10 matches)
     15 permit 192.52.0.134 (98 matches)
     75 permit 198.29.232.23 (38 matches)
     80 permit 10.96.127.14
     90 permit 192.22.2.10
     40 permit 192.22.0.76
    Any help would be appreciated.
    regards
    neha

    Hi neha,
    This is the expected behaviour for standard access-lists.
    Regards
    Inayath

  • Cisco 6500 shows less traffic for NetFlow export

    I am using a third-party NetFlow tool. I enabled NetFlow on the Cisco 6500 as per the recommendations and am getting only half the amount of traffic passing through the interfaces. I have verified with 3 different NetFlow-based tools, and everything shows the same value. Is there any bug in my Cisco 6500? Has anyone faced this issue? Attached is the output of show run and show version.
    Cheers

    Hi Jake,
    I have already investigated this; the export interval and aging time for flows are set to a lower active timeout. Is there any way to see whether all the flows are being captured and exported on both the MSFC and the PFC?
    Cheers

  • Cisco 6500 Sup2 IOS with SLB support

    Hello
    I have two questions about SLB functionality on the Cisco 6500 SUP2/MSFC2:
    1) Does the IP LAN ONLY IOS support SLB? If yes, does it have any restrictions?
    2) How heavy is IOS SLB on the processor (I mean in dispatched mode)?

    Are sup-bootflash: and sup-bootdisk: the same thing ?
    No, they are not. sup-bootflash: is located inside, but sup-bootdisk: is located OUTSIDE and is physically accessible. If you look at the line card, you'll see a CF slot marked "Disk0:" or "Slot0". This is the sup-bootdisk:. It is also known as "disk0:". Confusing, I know.
    Can I make use of the disk0 of both chassis to perform an IOS upgrade?
    Of course you can. I perform VSS upgrades using just one of the disk0: and push the IOS from that disk0: to the two supervisor cards.
    By setting the boot path to disk0?
    You can too. The sup-bootflash: and the sup-bootdisk:/disk0: are the same physical format.
    A word of caution: I cannot stop reiterating the importance of checking the MD5 hash value of the IOS file in sup-bootdisk: or sup-bootflash: BEFORE rebooting the chassis for an IOS upgrade. Make sure the MD5 hash value matches exactly the MD5 hash value found on the Cisco website. Once they match, check the boot variable string and the config-register, and you're off to the next step.

  • PPPoE Cisco 6500 + 7600-SIP-400

    Hello,
    We use a lot of Cisco 6500 switches across our network. I bought one 7600-SIP-400 with one SPA-5X1GE-V2 module.
    Unfortunately I have found that there is no command support for PPPoE in my IOS version 12.2 SXI13.
    Can somebody tell me which IOS version I have to use to get command support for a PPPoE server?
    Thank you.
    Milan

    "Doesn't have to be a Cisco box. "
    If you're still interested in solving this (or haven't already), you can mail me at [email protected]
    Cheers,
    Anton

  • Cisco 6500 power supply and module (hot-swappable?)

    Hi everyone!
    We currently have a Cisco 6500 with 2 power supplies of 3000W. We want to replace these PSUs with 2 new ones which have a higher wattage: 6000W.
    Can we replace them without needing to turn the 6500 off? I mean, what happens if we insert a 6000W PSU while the switch is working with one 3000W PSU?
    Is it possible to do this replacement "hot"?
    And second, we also have a WS-X6708-10G-3C module. Can we insert this module "hot", without needing to turn the Catalyst 6500 off?
    Thanks a lot! and looking forward to an answer.

    Depends on your setup; the table should be able to help:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/pwr_envr.html#wp1020384
    Configuration change -> Effect
    Redundant to nonredundant:
    • System log and syslog messages are generated.
    • System power is increased to the combined power capability of both power supplies.
    • Modules marked power-deny in the show power oper state field are brought up if there is sufficient power.
    Nonredundant to redundant (both power supplies must be of equal wattage):
    • System log and syslog messages are generated.
    • System power is decreased to the power capability of one supply.
    • If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show power oper state field.
    Equal wattage power supply is inserted with redundancy enabled:
    • System log and syslog messages are generated.
    • System power equals the power capability of one supply.
    • No change in module status because the power capability is unchanged.
    Equal wattage power supply is inserted with redundancy disabled:
    • System log and syslog messages are generated.
    • System power is increased to the combined power capability of both power supplies.
    • Modules marked power-deny in the show power oper state field are brought up if there is sufficient power.
    Higher or lower wattage power supply is inserted with redundancy enabled:
    • System log and syslog messages are generated.
    • The system does not allow you to operate a power supply of different wattage even if the wattage is higher than the installed supply. The inserted supply shuts down.
    Higher or lower wattage power supply is inserted with redundancy disabled:
    • System log and syslog messages are generated.
    • System power is increased to the combined power capability of both power supplies.
    • Modules marked power-deny in the show power oper state field are brought up if there is sufficient power.
    Power supply is removed with redundancy enabled:
    • System log and syslog messages are generated.
    • No change in module status because the power capability is unchanged.
    Power supply is removed with redundancy disabled:
    • System log and syslog messages are generated.
    • System power is decreased to the power capability of one supply.
    • If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show power oper state field.
    System is booted with power supplies of different wattage installed and redundancy enabled:
    • System log and syslog messages are generated.
    • The system does not allow you to have power supplies of different wattage installed in a redundant configuration. The lower wattage supply shuts down.
    System is booted with power supplies of equal or different wattage installed and redundancy disabled:
    • System log and syslog messages are generated.
    • System power equals the combined power capability of both power supplies.
    • The system powers up as many modules as the combined capacity allows.

  • Is DOM supported using SNMP on Cisco 6500's?

    Is DOM supported using SNMP on Cisco 6500's? I've configured DOM on a 6509 using transceiver type all -> monitoring. Is DOM enabled for SNMP MIBs? Here's the MIB I got from a vendor: .1.3.6.1.4.1.3607. I'm unable to walk it on any of my Cisco devices, including a Nexus 5672 and a 4900.

    That OID looks like the sysOID for the ONS series of products. I don't think that will work in this case. Unfortunately, I can't offer any other advice; I've not looked into SNMP support for DOM.
    chris

  • TCP intercept

    Just received a bunch of 2951s UC+Sec running 15.3M. Doing the initial configuration,
    the command 'ip tcp intercept' is not available. Do I need to switch to the T train, or
    is the command structure different?

    I have two 2911s, one with a security license and the other with a data license. Neither has the other (the data one does not have the security license, and the security one does not have data).
    Believe it or not, the security license does not have that option, but the data license one does, so I believe you're going to need to get a data license to support this.
    HTH,
    John

  • CISCO 6500 VS HUAWEI S9700

    I need a comparison between the Cisco VS-C6509E-SUP2T and the S9700, because I have a very competitive offer from Huawei. I really need to convince my customer that the Cisco 6500 is better than the Huawei 9700 in performance.

    Where is the link that shows that information?
    Something that "big" and launching in the next few months will not be published. You'll need to talk to a Cisco R&S SE to get more information.

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signature set.
    We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (the recommendation is a dedicated TCP reset interface).
    However, in my case I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.
    I am a beginner in IPS; any input will be valuable for me.

    We're talking about sigs 15002-0, -1 and -2 here. They are shipped disabled and retired by default, so you'll want to enable and activate them.
    For these, the signature settings are not hidden, and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to TCP port 5938, which would indicate TeamViewer's direct-connection method.
    -2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.
    TCP resets are a best-effort response; they aren't going to be a 100% effective stop.
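    To make the point about resets concrete, here is an added example that is not from the reply above and not Cisco IPS signature logic: a small flow classifier that applies the three indicators the reply lists to constructed flow records and reports, for each hit, whether a TCP reset from a promiscuous sensor could even act on it. The signature IDs (15002-0/-1/-2) and port 5938 come from the reply; the teamviewer.com name pattern, the proxy heuristic and the key=value record format are assumptions made for the example.

```python
"""Flow-level check for the three TeamViewer indicators and TCP-reset applicability.

Added example, not Cisco IPS code. Signature IDs and port 5938 are from the
thread; the name pattern, proxy heuristic and log format are assumptions.
"""
import re
from dataclasses import dataclass

DIRECT_PORT = 5938                                      # 15002-1, from the thread
TV_NAME = re.compile(r"(^|\.)teamviewer\.com$", re.I)   # assumed name pattern


@dataclass
class Flow:
    proto: str
    dport: int
    qname: str = ""      # DNS question name, if a DNS flow
    host: str = ""       # HTTP Host header, if an HTTP flow
    proxy: bool = False  # client is talking to a configured HTTP proxy


def parse_line(line):
    """Parse one constructed record such as 'proto=udp dport=53 qname=master1.teamviewer.com'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["proto"].lower(), int(kv["dport"]), kv.get("qname", ""),
                kv.get("host", ""), kv.get("proxy", "0") == "1")


def match(flow):
    """Return (signature id or None, whether a TCP reset could terminate this flow)."""
    if flow.proto == "udp" and flow.dport == 53 and TV_NAME.search(flow.qname):
        return "15002-0", False   # DNS over UDP: there is no TCP connection to reset
    if flow.proto == "tcp" and flow.dport == DIRECT_PORT:
        return "15002-1", True
    if flow.proto == "tcp" and flow.proxy and TV_NAME.search(flow.host):
        return "15002-2", True
    return None, False


def scan(lines):
    """Return [(line, sig, reset_applicable)] for every line that hits a signature."""
    out = []
    for line in lines:
        sig, reset = match(parse_line(line))
        if sig:
            out.append((line, sig, reset))
    return out


SAMPLE = [  # constructed records, not captured traffic
    "proto=udp dport=53 qname=master1.teamviewer.com",
    "proto=tcp dport=5938",
    "proto=tcp dport=8080 host=ping3.teamviewer.com proxy=1",
    "proto=tcp dport=443 host=example.org",
    "proto=udp dport=53 qname=example.org",
]

if __name__ == "__main__":
    for line, sig, reset in scan(SAMPLE):
        print(f"{sig}  reset={'yes' if reset else 'no'}  {line}")
```

    Even for the two TCP hits, a reset sent from a promiscuous sensor races the real endpoints and must guess sequence numbers from what it saw, which is why the reply calls it best effort; the DNS indicator cannot be reset at all.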

  • Cisco 6500 with SUP 720 - Invalid boot Image

    Diagnostic sanity check on the 6500 reports Invalid boot image "bootdisk:<output omitted>
    The boot statement on the 6500 is :-
    boot system bootdisk:<filename.bin> and the 6500 boots fine.
    Please advise.
    Thank You.

    Hi ,
    I have found a bug which was found internally by Cisco. The bug is CSCsc98471, and the following are the details of the bug.
    The command "show diagnostic sanity" checks, amongst other things, whether the current bootstring points to an existing file.
    Since the ION bootstring format has been extended (assuming an installed image), this check fails although the bootstring is correct.
    It can be easily reproduced by entering the "show diagnostic sanity" command.
    6500-6#show diagnostic sanity
    Pinging default gateway 172.26.197.33
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.26.197.33, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    Could not verify boot image "sup-bootdisk:/newsys/s72033/base/s72033-adventerprisek9_wan_dbg-vm," specified in the boot string.
    6500-6#show bootvar
    BOOT variable = sup-bootdisk:/newsys/s72033/base/s72033-adventerprisek9_wan_dbg-vm,12;
    6500-6#dir sup-bootflash:/newsys/s72033/base/
    Directory of sup-bootdisk:/newsys/s72033/base/
    84 -rwx 1375696 Jan 5 2006 20:51:24 -08:00 imf.tar
    85 -rwx 12873200 Jan 5 2006 20:51:22 -08:00 s72033-adventerprisek9_wan_dbg-vm
    It is found in 12.2(18.09.20)SX3.39.
    *** open a TAC case so that the same bug is fixed in 12.2(18)SXF4.
    Hope it helps you. Please rate it.
    Thanks,
    satish

  • Cisco 6500 ASA Module

    Greetings,
    I have a 6509-E switch with a Cisco ASA module. I have two network segments: 1. 10.60.5.0/24 and 2. 10.60.6.0/24. The ASA module is the gateway for my two subnets, the routing protocol is Cisco EIGRP, and everything looks normal, but when I try to copy files from one computer which has the IP 10.60.6.21 to another computer which has the IP 10.60.5.100 in the other subnet, the latency goes high and copying is very slow.
    Please help me.

    Hi,
    I think the easiest test would be to check for any inspections on the ASA device for the traffic you are using in the test.
    Also, you can try this:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
    Thanks and Regards,
    Vibhor Amrodia
