[nsp] TCP Intercept

Sam Stickland sam_ml at spacething.org
Tue Aug 5 21:01:25 EDT 2003


I've got some questions about the TCP intercept feature.

Firstly, while I understand what the technical differences between the watch
and intercept modes are, I'm not sure what the differences in efficiency
between the two are (both in the catching of attacks and the CPU load).

Secondly, I'm not sure what good it would do to place this on the core
routers of a large network. What's the typical connections per second rate
that would start to overwhelm a typical server? If the incoming connections
per second rate for the entire network is comparable then the necessary 'ip
tcp intercept max-incomplete high' setting isn't going to do much to protect
the servers, is it?

Sam



