Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
The Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall feature disables the strict checking of the TCP window-scaling option in a firewall.
- Finding Feature Information
- Information About Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- How to Configure Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Configuration Examples for TCP Window-Scaling
- Feature Information for Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
Loose Checking Option for TCP Window Scaling Overview
Several TCP extensions improve performance over high-bandwidth, high-speed data paths. One of them is the TCP window-scaling option defined in RFC 1323. The loose-checking option for TCP window scaling turns off the firewall's strict checking of that option.
A larger window size improves TCP performance on network paths with a large bandwidth-delay product, known as Long Fat Networks (LFNs). TCP window scaling extends the TCP window to 32 bits and uses a scale factor (a shift count) to carry that 32-bit value in the 16-bit window field of the TCP header. The scale factor can be as large as 14. Typical applications use a scale factor of 3 when deployed in LFNs.
By default, the firewall enforces strict checking of the TCP window-scaling option: it drops SYN/ACK packets that carry the window-scaling option if the option was not offered in the initial synchronization (SYN) packet of the TCP three-way handshake. The window-scale option is sent only in a SYN segment, that is, a segment with the SYN bit set, so the window scale is fixed in each direction when a connection is opened.
Use the tcp window-scale-enforcement loose command to disable the strict checking of the TCP window-scaling option in TCP SYN segments.
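The check described above, as an added example written for this page (it is not Cisco code and does not reproduce the IOS XE firewall's internals): a small TCP header parser, a per-flow inspector that records whether the client offered the window-scale option in its SYN, and a strict/loose switch that mirrors the effect of tcp window-scale-enforcement loose on a SYN/ACK carrying an unsolicited option. The packet bytes, ports and the `WindowScaleInspector` class are constructed for the example; the scaled-window rule (scaling applies only when both sides sent the option) is taken from RFC 1323.

```python
"""Model of the TCP window-scale check a stateful firewall performs (RFC 1323).

Added example, not Cisco code: it models only the behaviour the module
describes. Under strict checking a SYN/ACK that carries a window-scale option
the client never offered in its SYN is dropped; under loose checking it passes.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP_SYN, TCP_ACK = 0x02, 0x10
OPT_EOL, OPT_NOP, OPT_WSCALE = 0, 1, 3
MAX_SHIFT = 14  # RFC 1323 caps the shift count at 14


@dataclass
class TcpHeader:
    sport: int
    dport: int
    flags: int
    window: int
    options: Dict[int, bytes]


@dataclass
class Flow:
    client_shift: Optional[int] = None  # None: that side sent no window-scale option
    server_shift: Optional[int] = None


def parse_tcp(segment: bytes) -> TcpHeader:
    """Parse a raw TCP header (no IP layer) and walk its option list defensively."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    options: Dict[int, bytes] = {}
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option length byte missing")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("option overruns header")
        options[kind] = segment[i + 2:i + length]
        i += length
    return TcpHeader(sport, dport, off_flags & 0x1FF, window, options)


def build_tcp(sport: int, dport: int, flags: int, window: int, options: bytes = b"") -> bytes:
    """Build a constructed TCP header for the examples (options NOP-padded to 4 bytes)."""
    while len(options) % 4:
        options = bytes([OPT_NOP]) + options
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (data_offset << 12) | flags, window, 0, 0) + options


def wscale_option(shift: int) -> bytes:
    """Window-scale option: kind 3, length 3, one-byte shift count."""
    return bytes([OPT_WSCALE, 3, shift])


class WindowScaleInspector:
    """Tracks SYN / SYN-ACK per flow; loose=True mirrors 'tcp window-scale-enforcement loose'."""

    def __init__(self, loose: bool = False):
        self.loose = loose
        self.flows: Dict[Tuple[int, int], Flow] = {}  # key: (client port, server port)

    def inspect(self, segment: bytes) -> Tuple[str, str]:
        hdr = parse_tcp(segment)
        syn, ack = bool(hdr.flags & TCP_SYN), bool(hdr.flags & TCP_ACK)
        ws = hdr.options.get(OPT_WSCALE)
        shift = min(ws[0], MAX_SHIFT) if ws else None
        if syn and not ack:  # client -> server: remember whether scaling was offered
            self.flows[(hdr.sport, hdr.dport)] = Flow(client_shift=shift)
            return "permit", "SYN recorded"
        if syn and ack:  # server -> client: the check this module is about
            flow = self.flows.get((hdr.dport, hdr.sport))
            if flow is None:
                return "drop", "SYN/ACK with no matching SYN"
            if shift is not None and flow.client_shift is None and not self.loose:
                return "drop", "window-scale option not offered in SYN (strict)"
            flow.server_shift = shift
            return "permit", "SYN/ACK accepted"
        known = (hdr.sport, hdr.dport) in self.flows or (hdr.dport, hdr.sport) in self.flows
        return ("permit", "established") if known else ("drop", "no session")

    def scaled_window(self, client_port: int, server_port: int, server_window: int) -> int:
        """Server window as the client will interpret it (RFC 1323): scaling applies
        only when both sides sent the option, otherwise the raw 16-bit value is used."""
        flow = self.flows[(client_port, server_port)]
        if flow.client_shift is None or flow.server_shift is None:
            return server_window
        return server_window << flow.server_shift
```

In loose mode the inspector lets the SYN/ACK through but, like an RFC 1323 endpoint, still does not apply the unsolicited scale factor when sizing the window; that keeps the firewall's view of the connection aligned with what the endpoints will actually do. This is the example's own design choice, not a statement about how the IOS XE firewall tracks windows in loose mode.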
How to Configure Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Configuring the TCP Window-Scaling Option for a Firewall
- Configuring a Zone and Zone Pair for TCP Window Scaling
Configuring the TCP Window-Scaling Option for a Firewall
1. enable
2. configure terminal
3. parameter-map type inspect {parameter-map-name | global | default}
4. tcp window-scale-enforcement loose
5. exit
6. class-map type inspect {match-any | match-all} class-map-name
7. match protocol [parameter-map] [signature]
8. exit
9. policy-map type inspect policy-map-name
10. class type inspect class-map-name
11. inspect [parameter-map-name]
12. exit
13. class name
14. end
Configuring a Zone and Zone Pair for TCP Window Scaling
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address
5. zone-member security security-zone-name
6. exit
7. interface type number
8. ip address ip-address
9. zone-member security security-zone-name
10. end
Configuration Examples for TCP Window-Scaling
Example: Configuring the TCP Window-Scaling Option for a Firewall
```
Device> enable
Device# configure terminal
Device(config)# parameter-map type inspect pmap-fw
Device(config-profile)# tcp window-scale-enforcement loose
Device(config-profile)# exit
Device(config)# class-map type inspect match-any internet-traffic-class
Device(config-cmap)# match protocol tcp
Device(config-cmap)# exit
Device(config)# policy-map type inspect private-internet-policy
Device(config-pmap)# class type inspect internet-traffic-class
Device(config-pmap-c)# inspect pmap-fw
Device(config-pmap-c)# exit
Device(config-pmap)# class class-default
Device(config-pmap-c)# end
```
Example: Configuring a Zone and Zone Pair for TCP Window Scaling
```
Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet 0/1/5
Device(config-if)# ip address 10.1.1.1 255.255.255.0
Device(config-if)# zone-member security private
Device(config-if)# exit
Device(config)# interface GigabitEthernet 0/1/6
Device(config-if)# ip address 209.165.200.225 255.255.255.0
Device(config-if)# zone-member security internet
Device(config-if)# end
```
Feature Information for Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Feature Name | Releases | Feature Information
---|---|---
Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall | Cisco IOS XE Release 3.10S | The Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall feature disables the strict checking of the TCP window-scaling option in an IOS XE firewall. The following command was introduced or modified: tcp window-scale-enforcement loose. In Cisco IOS XE Release 3.10S, support was added for the Cisco CSR 1000V Series Routers.