Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
Downloads: This chapterpdf (PDF - 1.3MB) The complete bookPDF (PDF - 6.41MB) | The complete bookePub (ePub - 1.22MB) | Feedback

Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

The Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall feature disables the strict checking of the TCP window-scaling option in a firewall.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Loose Checking Option for TCP Window Scaling Overview

TCP provides various TCP extensions to improve performance over high-bandwidth and high-speed data paths. One such extension is the TCP window-scaling option. The loose-checking option for TCP window-scaling turns off strict checking of the window-scaling option described in RFC 1323.

A larger window size is recommended to improve TCP performance in network paths with large bandwidth-delay product characteristics that are called Long Fat Networks (LFNs). TCP window scaling expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. The window size can increase to a scale factor of 14. Typical applications use a scale factor of 3 when deployed in LFNs.

A firewall implementation enforces strict checking of the TCP window-scaling option. A firewall drops SYN/ACK packets that have the TCP window-scaling option if it was not offered in the initial synchronization (SYN) packet for the TCP three-way handshake. The window-scale option is sent only in a SYN segment, which is a segment with the SYN bit on. Therefore, the window scale is fixed in each direction when a connection is opened.

Use the tcp window-scale-enforcement loose command to disable the strict checking of the TCP window-scaling option in TCP SYN segments.

How to Configure Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Configuring the TCP Window-Scaling Option for a Firewall

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    parameter-map type inspect {parameter-map-name | global | default}

    4.    tcp window-scale-enforcement loose

    5.    exit

    6.    class-map type inspect {match-any | match-all} class-map-name

    7.    match protocol [parameter-map] [signature]

    8.    exit

    9.    policy-map type inspect policy-map-name

    10.    class type inspect class-map-name

    11.    inspect [parameter-map-name]

    12.    exit

    13.    class name

    14.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable 
     
    Enables privileged EXEC mode.
    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal 
     

    Enters global configuration mode.

     
    Step 3 parameter-map type inspect {parameter-map-name | global | default}


    Example:
    Device(config)# parameter-map type inspect pmap-fw
     

    Configures an inspect parameter map and enters profile configuration mode.

     
    Step 4 tcp window-scale-enforcement loose


    Example:
    Device(config-profile)# tcp window-scale-enforcement loose
     

    Disables the strict checking of the TCP window-scaling option in a firewall.

     
    Step 5 exit


    Example:
    Device(config-profile)# exit 
     

    Exits profile configuration mode and returns to global configuration mode.

     
    Step 6 class-map type inspect {match-any | match-all} class-map-name


    Example:
    Device(config)# class-map type inspect match-any internet-traffic-class 
     

    Creates an inspect-type class map and enters QoS class-map configuration mode.

     
    Step 7 match protocol [parameter-map] [signature]


    Example:
    Device(config-cmap)# match protocol tcp
     

    Configures a match criteria for a class map on the basis of the specified protocol.

     
    Step 8 exit


    Example:
    Device(config-cmap)# exit
     

    Exits the QoS class-map configuration mode and returns to global configuration mode.

     
    Step 9 policy-map type inspect policy-map-name


    Example:
    Device(config)# policy-map type inspect private-internet-policy 
     

    Creates an inspect-type policy map and enters QoS policy-map configuration mode.

     
    Step 10 class type inspect class-map-name


    Example:
    Device(config-pmap)# class type inspect internet-traffic-class
     

    Specifies the traffic class on which an action is to be performed and enters policy-map class configuration mode.

     
    Step 11 inspect [parameter-map-name]


    Example:
    Device(config-pmap-c)# inspect pmap-fw
     

    Enables stateful packet inspection.

     
    Step 12 exit


    Example:
    Device(config-pmap-c)# exit
     

    Exits QoS policy-map class configuration mode and returns to QoS policy-map configuration mode.

     
    Step 13 class name


    Example:
    Device(config-pmap)# class class-default
     

    Associates the map class with a specified data-link connection identifier (DLCI).

     
    Step 14end


    Example:
    Device(config-pmap)# end 
     

    Exits QoS policy-map configuration mode and returns to privileged EXEC mode.

     

    Configuring a Zone and Zone Pair for a TCP Window Scaling

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    interface type number

      4.    ip address ip-address

      5.    zone-member security security-zone-name

      6.    exit

      7.    interface type number

      8.    ip address ip-address

      9.    zone-member security security-zone-name

      10.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable 
       
      Enables privileged EXEC mode.
      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal 
       

      Enters global configuration mode.

       
      Step 3 interface type number


      Example:
      Device(config)# interface GigabitEthernet 0/1/5
       

      Specifies an interface and enters interface configuration mode.

       
      Step 4 ip address ip-address


      Example:
      Device(config-if)# ip address 10.1.1.1 255.255.255.0
       

      Assigns an interface IP address.

       
      Step 5 zone-member security security-zone-name


      Example:
      Device(config-if)# zone-member security private
       

      Configures the interface as a zone member.

       
      Step 6 exit


      Example:
      Device(config-if)# exit
       

      Exits interface configuration mode and returns to global configuration mode.

       
      Step 7 interface type number


      Example:
      Device(config)# interface GigabitEthernet 0/1/6
       

      Specifies an interface and enters interface configuration mode.

       
      Step 8 ip address ip-address


      Example:
      Device(config-if)# ip address 209.165.200.225 255.255.255.0
       

      Assigns an IP address to an interface.

       
      Step 9 zone-member security security-zone-name


      Example:
      Device(config-if)# zone-member security internet
       

      Configures an interface as a zone member.

       
      Step 10 end


      Example:
      Device(config-if)# end
       

      Exits interface configuration mode and returns to privileged EXEC mode.

       

      Configuration Examples for TCP Window-Scaling

      Example: Configuring the TCP Window-Scaling Option for a Firewall

      Device> enable
      Device# configure terminal
      Device(config)# parameter-map type inspect pmap-fw
      Device(config-profile)# tcp window-scale-enforcement loose
      Device(config-profile)# exit 
      Device(config)# class-map type inspect match-any internet-traffic-class
      Device(config-cmap)# match protocol tcp
      Device(config-cmap)# exit
      Device(config)# policy-map type inspect private-internet-policy
      Device(config-pmap)# class type inspect internet-traffic-class
      Device(config-pmap-c)# inspect pmap-fw
      Device(config-pmap-c)#exit 
      Device(config-pmap)# class class-default
      Device(config-pmap)#end
      

      Example: Configuring a Zone and Zone Pair for TCP Window Scaling

      Device# enable
      Device# configure terminal
      Device(config)# interface GigabitEthernet 0/1/5
      Device(config-if)# ip address 10.1.1.1 255.255.255.0
      Device(config-if)# zone-member security private
      Device(config-if)# exit
      Device(config)# interface GigabitEthernet 0/1/6
      Device(config-if)# ip address 209.165.200.225 255.255.255.0
      Device(config-if)# zone-member security internet
      Device(config-if)# end
      
      

      Feature Information for Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

      Table 1 Feature Information for Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

      Feature Name

      Releases

      Feature Information

      Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

      Cisco IOS XE Release 3.10S

      Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall feature disables the strict checking of the TCP Window Scaling option in an IOS-XE firewall.

      The following command was introduced or modified: tcp window-scale-enforcement loose.

      In Cisco IOS XE Release 3.10S, support was added for the Cisco CSR 1000V Series Routers.