Configuración de la intercepción TCP en los routers Cisco IOS/IOS-XE
Opciones de descarga
-
ePub (85.0 KB)
Visualice en diferentes aplicaciones en iPhone, iPad, Android, Sony Reader o Windows Phone -
Mobi (Kindle) (75.1 KB)
Visualice en dispositivo Kindle o aplicación Kindle en múltiples dispositivos
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Acerca de esta traducción
Cisco ha traducido este documento combinando la traducción automática y los recursos humanos a fin de ofrecer a nuestros usuarios en todo el mundo contenido en su propio idioma. Tenga en cuenta que incluso la mejor traducción automática podría no ser tan precisa como la proporcionada por un traductor profesional. Cisco Systems, Inc. no asume ninguna responsabilidad por la precisión de estas traducciones y recomienda remitirse siempre al documento original escrito en inglés (insertar vínculo URL).
Contenido
Introducción
Este documento describe los requisitos para habilitar la función de intercepción del protocolo de control de transmisión (TCP) de Cisco en los routers Cisco IOS®/IOS-XE. La intercepción TCP es necesaria para proteger los servidores TCP de ataques de inundación TCP (SYN), un tipo de ataque de denegación de servicio.
Prerequisites
Requirements
No hay requisitos específicos para este documento.
Componentes Utilizados
Este documento no tiene restricciones específicas en cuanto a versiones de software y de hardware.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. Si tiene una red en vivo, asegúrese de entender el posible impacto de cualquier comando.
Problema
No puede configurar 'ip tcp intercept' en los routers ISR G1/G2/G3 y ASR1k. Puede ver los registros aquí:
Router#show ver Cisco IOS® Software, 2800 Software (C2800NM-IPBASEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1) Router uptime is 14 minutes System returned to ROM by reload at 07:45:56 UTC Tue Nov 1 2016 System image file is "flash:c2800nm-ipbasek9-mz.151-4.M12a(1).bin" Last reload type: Normal Reload <omitted> Cisco 2811 (revision 1.0) with 512000K/12288K bytes of memory. Processor board ID FHK1404F3U8 2 FastEthernet interfaces 1 Channelized E1/PRI port DRAM configuration is 64 bits wide with parity enabled. 239K bytes of non-volatile configuration memory. 250368K bytes of ATA CompactFlash (Read/Write) License Info: License UDI: ------------------------------------------------- Device# PID SN ------------------------------------------------- *0 CISCO2811 FHK1404F3U8 Configuration register is 0x2102 Router# config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#ip tcp ? RST-count Configure RST throttle count async-mobility Configure async-mobility chunk-size TCP chunk size ecn Enable Explicit Congestion Notification mss TCP initial maximum segment size path-mtu-discovery Enable path-MTU discovery on new TCP connections queuemax Maximum queue of outgoing TCP packets selective-ack Enable TCP selective-ACK synwait-time Set time to wait on new TCP connections timestamp Enable TCP timestamp option window-size TCP window size
Router#show ver
Cisco IOS® Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M4, RELEASE SOFTWARE (fc1)
<omitted>
Router uptime is 1 minute
System returned to ROM by reload at 10:28:40 UTC Mon Oct 31 2016
System image file is "flash:c1900-universalk9-mz.SPA.154-3.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
<omitted>
Cisco CISCO1941/K9 (revision 1.0) with 2543552K/77824K bytes of memory.
Processor board ID FHK141571QW
4 FastEthernet interfaces
<omitted>
Technology Package License Information for Module:'c1900'
------------------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 RightToUse securityk9
data None None None
NtwkEss None None None
Configuration register is 0x2102
Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip tcp ?
RST-count Configure RST throttle count
async-mobility Configure async-mobility
chunk-size TCP chunk size
ecn Enable Explicit Congestion Notification
keepalive Configure TCP Keepalive parameters
mss TCP initial maximum segment size
path-mtu-discovery Enable path-MTU discovery on new TCP connections
queuemax Maximum queue of outgoing TCP packets
selective-ack Enable TCP selective-ACK
synwait-time Set time to wait on new TCP connections
timestamp Enable TCP timestamp option
window-size TCP window size
Router#sh ver
Cisco IOS® XE Software, Version 03.15.02.S - Standard Support Release
Cisco IOS® Software, ISR Software (X86_64_LINUX_IOS® D-UNIVERSALK9-M), Version 15.5(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 16-Oct-15 18:00 by mcpre
<omitted>
Router uptime is 7 minutes
Uptime for this control processor is 8 minutes
System returned to ROM by reload
System image file is "bootflash:isr4300-universalk9.03.15.02.S.155-2.S2-std.SPA.bin"
Last reload reason: Reload Command
<omitted>
Technology Package License Information:
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appx None None None
uc uck9 Permanent uck9
security securityk9 EvalRightToUse securityk9
ipbase ipbasek9 Permanent ipbasek9
cisco ISR4331/K9 (1RU) processor with 1665776K/6147K bytes of memory.
Processor board ID FDO2012A0AT
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.
Configuration register is 0x2102
Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip tcp ?
RST-count Configure RST throttle count
async-mobility Configure async-mobility
chunk-size TCP chunk size
ecn Enable Explicit Congestion Notification
keepalive Configure TCP Keepalive parameters
mss TCP initial maximum segment size
path-mtu-discovery Enable path-MTU discovery on new TCP connections
queuemax Maximum queue of outgoing TCP packets
selective-ack Enable TCP selective-ACK
synwait-time Set time to wait on new TCP connections
timestamp Enable TCP timestamp option
window-size TCP window size
Router#show version Cisco IOS® XE Software, Version 03.16.01a.S - Extended Support Release Cisco IOS® Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.5(3)S1a, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Wed 04-Nov-15 13:57 by mcpre <omitted> Router uptime is 1 minute Uptime for this control processor is 2 minutes System returned to ROM by reload System image file is "bootflash:asr1001x-universal.03.16.01a.S.155-3.S1a-ext.SPA.bin" Last reload reason: PowerOn License Level: ipbase License Type: Permanent Next reload license Level: ipbase cisco ASR1001-X (1NG) processor (revision 1NG) with 3753592K/6147K bytes of memory. Processor board ID FXS1925Q33T 6 Gigabit Ethernet interfaces 2 Ten Gigabit Ethernet interfaces 32768K bytes of non-volatile configuration memory. 8388608K bytes of physical memory. 6684671K bytes of eUSB flash at bootflash: Configuration register is 0x2102 Router#config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#ip tcp ? RST-count Configure RST throttle count async-mobility Configure async-mobility chunk-size TCP chunk size ecn Enable Explicit Congestion Notification keepalive Configure TCP Keepalive parameters mss TCP initial maximum segment size path-mtu-discovery Enable path-MTU discovery on new TCP connections queuemax Maximum queue of outgoing TCP packets selective-ack Enable TCP selective-ACK synwait-time Set time to wait on new TCP connections timestamp Enable TCP timestamp option window-size TCP window size
Solución
Para habilitar la función TCP Intercept, necesitará:
- Mínimo de conjunto de funciones entbase en los routers ISR G1
- Appxk9/Datak9 en los routers de las series ISRG2 y G3
- Licencia mínima de servicios de asesoramiento en el router de la serie ASR1k
Una vez que habilita la licencia requerida en la plataforma, puede configurar lo mismo:
Router(config)#ip tcp ? RST-count Configure RST throttle count async-mobility Configure async-mobility chunk-size TCP chunk size ecn Enable Explicit Congestion Notification intercept Enable TCP intercepting keepalive Configure TCP Keepalive parameters mss TCP initial maximum segment size path-mtu-discovery Enable path-MTU discovery on new TCP connections queuemax Maximum queue of outgoing TCP packets selective-ack Enable TCP selective-ACK synwait-time Set time to wait on new TCP connections timestamp Enable TCP timestamp option window-size TCP window size
Verificación
Actualmente, no hay un procedimiento de verificación disponible para esta configuración.
Troubleshoot
Actualmente, no hay información específica de troubleshooting disponible para esta configuración.
Información Relacionada
Con la colaboración de ingenieros de Cisco
- Meghana TandonCisco TAC Engineer
- Anupam ChakrabortyCisco TAC Engineer
ComentariosContacte a Cisco
- Abrir un caso de soporte
- (Requiere un Cisco Service Contract)