Chapter 4
Configuring TCP/IP Normalization and IP Reassembly Parameters
OL-16202-01
ip df {clear | allow}
The keywords are as follows:
• clear—Clears the DF bit and permits the packet. If the packet is larger than the next-hop MTU, the ACE fragments the packet.
• allow—Permits the packet with the DF bit set. If the packet is larger than the next-hop MTU, the ACE discards the packet and sends an ICMP unreachable message to the source host.
For example, to clear the DF bit and permit the packet, enter:
host1/C1(config-if)# ip df clear
To instruct the ACE to ignore the DF bit, enter:
host1/C1(config-if)# no ip df
Configuring How the ACE Handles IP Options
The ACE can process IP options and perform specific actions when an IP option
is set in a packet. To configure how the ACE handles IP options, use the ip options
command in interface configuration mode. The syntax of this command is as
follows:
ip options {allow | clear | clear-invalid | drop}
The keywords are as follows:
• allow—Allows the packet with IP options set
• clear—Clears all IP options from the packet and allows the packet
• clear-invalid—(Default) Clears all IP options from the packet if the ACE encounters one or more invalid or unsupported IP options and allows the packet
• drop—Instructs the ACE to discard the packet regardless of any IP options that are set
For example, enter:
host1/C1(config-if)# ip options allow
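The four ip options keywords can be modelled on a raw IPv4 header to see what each one forwards. This is an added example, not Cisco code: the function names and sample packets are constructed here, "invalid" is assumed to mean a structurally malformed option (the guide does not list which options the ACE treats as unsupported), and drop is assumed to discard only packets that carry options.

```python
import struct

def checksum(hdr):
    """RFC 1071 ones'-complement checksum over an IPv4 header (even length)."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def options_valid(opts):
    """Walk the option list; False if any option is structurally malformed."""
    i = 0
    while i < len(opts) and opts[i] != 0:        # 0 = End of Option List
        if opts[i] == 1:                         # 1 = No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return False                         # missing, too-small or overrunning length
        i += opts[i + 1]
    return True

def strip_options(pkt):
    """Remove all options: IHL becomes 5, total length and checksum are rewritten."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:20])
    hdr[0] = (pkt[0] & 0xF0) | 5
    struct.pack_into("!H", hdr, 2, struct.unpack_from("!H", pkt, 2)[0] - (ihl - 20))
    hdr[10:12] = b"\x00\x00"                     # zero the checksum before recomputing
    struct.pack_into("!H", hdr, 10, checksum(hdr))
    return bytes(hdr) + pkt[ihl:]

def apply_ip_options(pkt, mode="clear-invalid"):
    """Return the packet as forwarded, or None if discarded (assumptions in lead-in)."""
    opts = pkt[20:(pkt[0] & 0x0F) * 4]
    if not opts or mode == "allow":
        return pkt
    if mode == "drop":
        return None
    if mode == "clear" or not options_valid(opts):
        return strip_options(pkt)
    return pkt                                   # clear-invalid, options well formed

def sample(opts):
    """Constructed packet: header + opts (length a multiple of 4) + 4 payload bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45 + len(opts) // 4, 0, 24 + len(opts),
                      1, 0, 64, 17, 0, b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x07") + opts
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + b"data"

GOOD = sample(b"\x94\x04\x00\x00")   # constructed: well-formed Router Alert option
BAD = sample(b"\x07\x0b\x04\x00")    # constructed: Record Route length overruns header
```

Under the default clear-invalid mode, GOOD is forwarded unchanged while BAD comes out with a 20-byte header and a recomputed checksum.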
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Configuring Interface Normalization Parameters