TMS zl Management and Configuration Guide ST.1.1.100430

1-46
Overview
Firewall
If a packet matches a policy but arrives at a time when the policy's schedule
is not in effect, the policy does not apply and the packet is dropped. If an
access policy has no schedule object, the policy applies at all times.
Caution The TMS zl Module takes its date and time from the host switch. If the
date and time on the switch are not correct, scheduled access policies will be
applied at the wrong times.
For example, suppose you have configured these External-to-Internal access
policies:
Permit all external devices access to the internal HTTP server. The policy
does not specify a schedule object.
Permit all external devices access to the internal FTP server. The policy’s
schedule object specifies every day except Sunday.
With this configuration, external users can access the HTTP server at any time.
They can access the FTP server on any day except Sunday.
TCP MSS. When you set this value, the TMS zl Module forces the devices
involved in a connection to use at most the specified maximum segment size
(MSS). The MSS is the largest amount of TCP payload that a single segment can
carry; it does not include the IP and TCP headers.
Devices normally choose their MSS on their own. Typically, a device sets the
MSS to the maximum transmission unit (MTU) of its outgoing interface minus 40
bytes (a standard 20-byte IPv4 header plus a 20-byte TCP header). For example,
on an Ethernet network with a 1500-byte MTU, devices typically advertise an
MSS of 1460. For most traffic this MSS works well, so you do not need to
configure this setting.
However, the TMS zl Module sometimes adds header bytes to traffic sent over a
connection, so the packet on the wire becomes larger than the sender expected.
For example, when the TMS zl Module sends traffic over a GRE tunnel, it places
a GRE header and a delivery (outer) IP header in front of the original IP
header, TCP header, and TCP data. Similarly, IPsec adds headers (and, for ESP,
padding and an integrity check value) to the original traffic. The resulting
packet might be large enough to exceed the MTU of one of the devices in the
path to the final destination.
A device in the path whose MTU is smaller than the packet can fragment the
packet and forward it only if the packet's Don't Fragment (DF) bit is clear.
The DF bit is set by the sending host, and most modern hosts set it on TCP
traffic for path MTU discovery, so you cannot assume that an oversized packet
will simply be fragmented. If DF is set, the device must drop the packet,
disrupting the connection. The device that drops the packet should send an
ICMP Destination Unreachable (Fragmentation Needed) message back to the sender
reporting the MTU it could not exceed, so that the sender can reduce its packet
size; however, ICMP messages are often dropped by firewalls and never reach the
sender, so the connection stalls. In short, it is best to ensure that the MTU
is not exceeded in the first place, which is what the TCP MSS setting does.
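The following Python is an added example, not code from the TMS zl guide or from HP. It shows the arithmetic behind the TCP MSS setting for the GRE and IPsec cases described above, and what a firewall does to a passing SYN when it enforces the setting: it lowers the MSS option to the configured maximum and recomputes the TCP checksum. The GRE and ESP header sizes (basic 4-byte GRE header; ESP with AES-CBC, 16-byte IV and 16-byte ICV), the IP addresses and the SYN segment are assumptions constructed for the example; real IPsec overhead depends on the negotiated cipher suite, so treat the ESP figure as a conservative estimate.

```python
"""Added example: MSS arithmetic and MSS clamping for tunnelled TCP traffic.

Illustrative code, not part of the TMS zl Module or its guide. The GRE/ESP
header sizes, the IP addresses and the SYN segment are assumptions
constructed for the example.
"""
from __future__ import annotations

import struct

IPV4_HDR = 20  # standard IPv4 header without options
TCP_HDR = 20   # standard TCP header without options
GRE_HDR = 4    # basic GRE header (no checksum/key/sequence fields) - assumption


def default_mss(mtu: int) -> int:
    """The MSS a host derives on its own: interface MTU minus IP and TCP headers."""
    return mtu - IPV4_HDR - TCP_HDR


def gre_tunnel_mss(path_mtu: int) -> int:
    """Largest MSS such that inner IP + TCP + data, plus the GRE header and the
    delivery IP header, still fits the path MTU."""
    return default_mss(path_mtu - (IPV4_HDR + GRE_HDR))


def esp_tunnel_mss(path_mtu: int, block: int = 16, iv: int = 16, icv: int = 16) -> int:
    """Conservative MSS for IPsec ESP in tunnel mode. Defaults assume AES-CBC
    (16-byte block and IV) with a 16-byte ICV; adjust for your cipher suite.
    Overhead: outer IP, SPI + sequence (8), IV, worst-case padding (block - 1),
    pad-length + next-header (2), and the ICV."""
    overhead = IPV4_HDR + 8 + iv + (block - 1) + 2 + icv
    return default_mss(path_mtu - overhead)


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment, with the
    segment's own checksum field treated as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def clamp_mss(segment: bytes, max_mss: int):
    """Rewrite the MSS option (kind 2) in a TCP header when it exceeds max_mss.
    Returns (new_segment, advertised_mss); advertised_mss is None when the
    segment carries no MSS option. The checksum is not recomputed here."""
    seg = bytearray(segment)
    data_offset = (seg[12] >> 4) * 4
    i = TCP_HDR
    while i < data_offset:
        kind = seg[i]
        if kind == 0:        # End of Option List
            break
        if kind == 1:        # No-Operation (single byte, used for padding)
            i += 1
            continue
        length = seg[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:
            advertised = struct.unpack_from("!H", seg, i + 2)[0]
            if advertised > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
            return bytes(seg), advertised
        i += length
    return bytes(seg), None


def clamp_syn(src: bytes, dst: bytes, segment: bytes, max_mss: int) -> bytes:
    """What a firewall's TCP MSS setting does to a passing SYN: clamp the
    option and fix the TCP checksum so the receiver accepts the altered segment."""
    new = bytearray(clamp_mss(segment, max_mss)[0])
    struct.pack_into("!H", new, 16, tcp_checksum(src, dst, bytes(new)))
    return bytes(new)


def build_syn(mss: int) -> bytes:
    """Constructed SYN: sport 40000, dport 80, seq 1, data offset 6 (24 bytes),
    SYN flag, window 65535, checksum 0, followed by a 4-byte MSS option."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return header + struct.pack("!BBH", 2, 4, mss)


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed
    syn = build_syn(default_mss(1500))          # a host on Ethernet advertises 1460
    clamped = clamp_syn(src, dst, syn, gre_tunnel_mss(1500))
    print("default MSS on a 1500-byte MTU:", default_mss(1500))
    print("MSS to configure for a GRE tunnel:", gre_tunnel_mss(1500))
    print("MSS to configure for ESP (AES-CBC):", esp_tunnel_mss(1500))
    print("SYN after clamping advertises:", clamp_mss(clamped, 65535)[1])
```

Run stand-alone, the script prints 1460 for the host's own choice, 1436 for a GRE tunnel (1500 minus the 20-byte delivery IP header and 4-byte GRE header, minus the inner 40 bytes of IP and TCP headers), and 1383 as the conservative ESP figure. A segment that already advertises an MSS at or below the limit passes through unchanged, which is why setting the value on the firewall is harmless for hosts that have configured a smaller MSS themselves.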