Security and VPN Configuration Guide, Cisco IOS XE 17.x

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: January 11, 2021

Chapter: Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
Information About Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Loose Checking Option for TCP Window Scaling Overview
How to Configure Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Configuring the TCP Window-Scaling Option for a Firewall
- Configuring a Zone and Zone Pair for a TCP Window Scaling
Configuration Examples for TCP Window-Scaling
- Example: Configuring the TCP Window-Scaling Option for a Firewall
- Example: Configuring a Zone and Zone Pair for TCP Window Scaling
Feature Information for Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

The Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall feature disables the strict checking of the TCP window-scaling option in a firewall.

Information About Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Loose Checking Option for TCP Window Scaling Overview

TCP provides various TCP extensions to improve performance over high-bandwidth and high-speed data paths. One such extension is the TCP window-scaling option. The loose-checking option for TCP window-scaling turns off strict checking of the window-scaling option described in RFC 1323.

A larger window size is recommended to improve TCP performance in network paths with large bandwidth-delay product characteristics that are called Long Fat Networks (LFNs). TCP window scaling expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. The window size can increase to a scale factor of 14. Typical applications use a scale factor of 3 when deployed in LFNs.

A firewall implementation enforces strict checking of the TCP window-scaling option. A firewall drops SYN/ACK packets that have the TCP window-scaling option if it was not offered in the initial synchronization (SYN) packet for the TCP three-way handshake. The window-scale option is sent only in a SYN segment, which is a segment with the SYN bit on. Therefore, the window scale is fixed in each direction when a connection is opened.

Use the tcp window-scale-enforcement loose command to disable the strict checking of the TCP window-scaling option in TCP SYN segments.

How to Configure Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

Configuring the TCP Window-Scaling Option for a Firewall

SUMMARY STEPS

enable
configure terminal
parameter-map type inspect {parameter-map-name | global | default}
tcp window-scale-enforcement loose
exit
class-map type inspect {match-any | match-all} class-map-name
match protocol [parameter-map] [signature]
exit
policy-map type inspect policy-map-name
class type inspect class-map-name
inspect [parameter-map-name]
exit
class name
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	parameter-map type inspect {`parameter-map-name` \| global \| default} Example: `Device(config)# parameter-map type inspect pmap-fw`	Configures an inspect parameter map and enters profile configuration mode.
Step 4	tcp window-scale-enforcement loose Example: `Device(config-profile)# tcp window-scale-enforcement loose`	Disables the strict checking of the TCP window-scaling option in a firewall.
Step 5	exit Example: `Device(config-profile)# exit`	Exits profile configuration mode and returns to global configuration mode.
Step 6	class-map type inspect {match-any \| match-all} `class-map-name` Example: `Device(config)# class-map type inspect match-any internet-traffic-class`	Creates an inspect-type class map and enters QoS class-map configuration mode.
Step 7	match protocol [`parameter-map`] [signature] Example: `Device(config-cmap)# match protocol tcp`	Configures a match criteria for a class map on the basis of the specified protocol.
Step 8	exit Example: `Device(config-cmap)# exit`	Exits the QoS class-map configuration mode and returns to global configuration mode.
Step 9	policy-map type inspect `policy-map-name` Example: `Device(config)# policy-map type inspect private-internet-policy`	Creates an inspect-type policy map and enters QoS policy-map configuration mode.
Step 10	class type inspect `class-map-name` Example: `Device(config-pmap)# class type inspect internet-traffic-class`	Specifies the traffic class on which an action is to be performed and enters policy-map class configuration mode.
Step 11	inspect [`parameter-map-name`] Example: `Device(config-pmap-c)# inspect pmap-fw`	Enables stateful packet inspection.
Step 12	exit Example: `Device(config-pmap-c)# exit`	Exits QoS policy-map class configuration mode and returns to QoS policy-map configuration mode.
Step 13	class `name` Example: `Device(config-pmap)# class class-default`	Associates the map class with a specified data-link connection identifier (DLCI).
Step 14	end Example: `Device(config-pmap)# end`	Exits QoS policy-map configuration mode and returns to privileged EXEC mode.

Configuring a Zone and Zone Pair for a TCP Window Scaling

SUMMARY STEPS

enable
configure terminal
interface type number
ip address ip-address
zone-member security security-zone-name
exit
interface type number
ip address ip-address
zone-member security security-zone-name
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	interface `type number` Example: `Device(config)# interface GigabitEthernet 0/1/5`	Specifies an interface and enters interface configuration mode.
Step 4	ip address `ip-address` Example: `Device(config-if)# ip address 10.1.1.1 255.255.255.0`	Assigns an interface IP address.
Step 5	zone-member security `security-zone-name` Example: `Device(config-if)# zone-member security private`	Configures the interface as a zone member.
Step 6	exit Example: `Device(config-if)# exit`	Exits interface configuration mode and returns to global configuration mode.
Step 7	interface `type number` Example: `Device(config)# interface GigabitEthernet 0/1/6`	Specifies an interface and enters interface configuration mode.
Step 8	ip address `ip-address` Example: `Device(config-if)# ip address 209.165.200.225 255.255.255.0`	Assigns an IP address to an interface.
Step 9	zone-member security `security-zone-name` Example: `Device(config-if)# zone-member security internet`	Configures an interface as a zone member.
Step 10	end Example: `Device(config-if)# end`	Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for TCP Window-Scaling

Example: Configuring the TCP Window-Scaling Option for a Firewall

Device> enable
Device# configure terminal
Device(config)# parameter-map type inspect pmap-fw
Device(config-profile)# tcp window-scale-enforcement loose
Device(config-profile)# exit 
Device(config)# class-map type inspect match-any internet-traffic-class
Device(config-cmap)# match protocol tcp
Device(config-cmap)# exit
Device(config)# policy-map type inspect private-internet-policy
Device(config-pmap)# class type inspect internet-traffic-class
Device(config-pmap-c)# inspect pmap-fw
Device(config-pmap-c)#exit 
Device(config-pmap)# class class-default
Device(config-pmap)#end

Example: Configuring a Zone and Zone Pair for TCP Window Scaling


Device# enable
Device# configure terminal
Device(config)# interface GigabitEthernet 0/1/5
Device(config-if)# ip address 10.1.1.1 255.255.255.0
Device(config-if)# zone-member security private
Device(config-if)# exit
Device(config)# interface GigabitEthernet 0/1/6
Device(config-if)# ip address 209.165.200.225 255.255.255.0
Device(config-if)# zone-member security internet
Device(config-if)# end

Feature Information for Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1. Feature Information for Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
Feature Name	Releases	Feature Information
Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall	Cisco IOS XE Release 3.10S	Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall feature disables the strict checking of the TCP Window Scaling option in an IOS-XE firewall. The following command was introduced or modified: tcp window-scale-enforcement loose . In Cisco IOS XE Release 3.10S, support was added for the Cisco CSR 1000V Series Routers.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)