Configuring a Connection Parameter Map for TCP/IP Normalization and Termination
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, Chapter 4, page 4-20

Configuring How the ACE Handles TCP SYN Segments that Contain Data
Occasionally, the ACE may receive a TCP SYN segment that contains data. You
can configure the ACE to either discard the segment or flag the segment for data
processing. To set the ACE behavior for SYN segments with data, use the
syn-data command in parameter map connection configuration mode. The syntax
of this command is as follows:
syn-data {allow | drop}
The keywords are as follows:
• allow—(Default) Permits the SYN segments that contain data and marks them for data processing
• drop—Discards the SYN segments that contain data
For example, to discard SYN segments that contain data, enter:
host1/C1(config-parammap-conn)# syn-data drop
To reset the ACE behavior to the default of allowing SYN segments that contain
data, enter:
host1/C1(config-parammap-conn)# no syn-data drop
Configuring How the ACE Handles TCP Options

The ACE permits you to allow or clear the following explicitly supported TCP options specified in a SYN segment:
• Selective Acknowledgement (SACK)
• Time stamp
• Window Scale
You can also specify a range of TCP option numbers for those TCP options not
explicitly supported by the ACE. To configure TCP options, use the tcp-options
command in parameter map connection configuration mode. The syntax of this
command is as follows:
tcp-options {range number1 number2 {allow | drop}} | {selective-ack | timestamp | window-scale} {allow | clear | drop}
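To show what the syn-data and tcp-options settings mean at the packet level, the following is an added Python model; it is not Cisco ACE code, and this page does not describe how the ACE implements either keyword internally. The model parses a raw TCP segment, drops a SYN that carries data when the policy says syn-data drop, and applies allow, clear or drop to each TCP option, with a numeric range rule for option kinds the policy does not name explicitly. The names ConnectionParameterMap, normalize, parse_tcp and build_syn, the sample segment bytes, and the range bounds 30 and 254 are this example's own; "clear" is realized here by overwriting the option with NOP bytes so the header length stays the same, and unlisted option kinds are allowed, which is this model's choice rather than documented ACE behaviour.

```python
import struct

# TCP option kinds (IANA registry); the page's three explicit options are 3, 4/5 and 8
OPT_EOL, OPT_NOP, OPT_WINDOW_SCALE, OPT_SACK_PERMITTED, OPT_SACK, OPT_TIMESTAMP = 0, 1, 3, 4, 5, 8
FLAG_SYN = 0x02
TCP_HEADER_LEN = 20

def parse_options(raw):
    """Return [(kind, offset, length)] for a TCP option area; raise ValueError on a
    truncated or zero-length option, which a normalizer treats as malformed."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((kind, i, 1))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts.append((kind, i, length))
        i += length
    return opts

def parse_tcp(segment):
    """Split a raw TCP segment (no IP header) into flags, options and payload."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("short header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    data_offset = (off_flags >> 12) * 4
    if data_offset < TCP_HEADER_LEN or data_offset > len(segment):
        raise ValueError("bad data offset")
    return off_flags & 0x01FF, parse_options(segment[TCP_HEADER_LEN:data_offset]), segment[data_offset:]

class ConnectionParameterMap:
    """Hypothetical model of the syn-data and tcp-options keywords of the parameter map."""
    def __init__(self, syn_data="allow", selective_ack="allow", timestamp="allow",
                 window_scale="allow", ranges=()):
        self.syn_data = syn_data
        self.explicit = {OPT_SACK_PERMITTED: selective_ack, OPT_SACK: selective_ack,
                         OPT_TIMESTAMP: timestamp, OPT_WINDOW_SCALE: window_scale}
        self.ranges = list(ranges)  # (number1, number2, "allow" | "drop")

    def option_action(self, kind):
        if kind in self.explicit:
            return self.explicit[kind]
        for lo, hi, action in self.ranges:
            if lo <= kind <= hi:
                return action
        return "allow"  # this model's choice for kinds no rule names (MSS, NOP, ...)

def normalize(pmap, segment):
    """Return (verdict, reason, segment). 'clear' overwrites the option with NOPs so the
    header length is unchanged; the TCP checksum is not recomputed (no IP header here)."""
    try:
        flags, opts, payload = parse_tcp(segment)
    except ValueError as err:
        return "drop", f"malformed: {err}", None
    if not flags & FLAG_SYN:
        return "allow", "not a SYN", segment
    if payload and pmap.syn_data == "drop":
        return "drop", "syn-data", None
    out = bytearray(segment)
    for kind, off, length in opts:
        action = pmap.option_action(kind)
        if action == "drop":
            return "drop", f"tcp-option {kind}", None
        if action == "clear":
            out[TCP_HEADER_LEN + off:TCP_HEADER_LEN + off + length] = bytes([OPT_NOP]) * length
    return "allow", "ok", bytes(out)

def build_syn(options=b"", payload=b""):
    """Constructed SYN segment; ports and sequence number are sample values."""
    options += b"\x00" * ((-len(options)) % 4)  # pad option area to 32-bit words
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_offset << 12) | FLAG_SYN, 65535, 0, 0)
    return header + options + payload

# Constructed option block: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7
SAMPLE_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", 100, 0)
               + b"\x01" + b"\x03\x03\x07")
# Equivalent of: syn-data drop / tcp-options selective-ack clear /
# tcp-options range 30 254 drop (30 and 254 are sample range bounds)
POLICY = ConnectionParameterMap(syn_data="drop", selective_ack="clear", ranges=[(30, 254, "drop")])

if __name__ == "__main__":
    print(normalize(POLICY, build_syn(SAMPLE_OPTS, b"GET / HTTP/1.0\r\n"))[:2])  # ('drop', 'syn-data')
    print(normalize(POLICY, build_syn(SAMPLE_OPTS))[:2])                           # ('allow', 'ok')
    print(normalize(POLICY, build_syn(b"\x1e\x02"))[:2])                           # ('drop', 'tcp-option 30')
```

The three calls at the bottom exercise the three outcomes: a SYN with a payload is discarded under syn-data drop, a clean SYN passes with its SACK-permitted option rewritten to NOPs while MSS, timestamp and window scale are left alone, and a SYN carrying an unknown option kind inside the configured range is discarded. A segment with a malformed option length is also dropped, which is the behaviour a normalizer should have for input its parser cannot trust.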
Configuring TCP/IP Normalization and IP Reassembly Parameters (OL-16202-01)