TMS zl Management and Configuration Guide ST.1.2.100916

4-24
Firewall
Firewall Access Policies
An access policy applies an action to selected traffic:
Permit—Permit the traffic
Deny—Drop the traffic
When an access policy permits traffic, it can also apply the following access
controls:
Rate
You can impose rate limits on unicast access policies.
TCP MSS
When you set this value (available only for unicast access policies), the
TMS zl Module forces the device involved in the connection to use the
specified maximum segment size (MSS). The MSS determines the maximum
size for TCP data in each packet.
Generally, devices can set their MSS on their own. Typically, they set the
MSS to the maximum transmit unit (MTU) of the outgoing interface minus
40 bytes (the length of a standard IP and TCP header). For example, in an
Ethernet network, devices typically set the MSS to 1460. For most traffic,
this MSS works well, so you do not need to configure this setting.
However, sometimes the TMS zl Module adds header bytes to traffic sent
over a connection, causing the final packet to become larger than
expected. For example, when the TMS zl Module sends traffic over a GRE
tunnel, it adds a GRE header and a delivery IP header to the original TCP
data, TCP header, and IP header. Similarly, IPsec adds headers to the
original traffic. Now the packet might be large enough to exceed the MTU
on one of the devices in the path to the final destination.
The device with the MTU smaller than the packet can fragment and
transmit the packet only if the packet's Don't Fragment (DF) bit is not set.
Several devices in the path can set the DF bit, so you cannot always
predict whether it will be set. If it is, the packet must be dropped,
disrupting the connection. Although the device that drops the packet can
send an ICMP packet to request a resend, ICMP packets are often dropped
by firewalls and never reach their destination. In short, it is best to ensure
that the MTU is not exceeded.
You can do so by forcing the MSS for the connection to be small enough
that any additional headers added by the TMS zl Module do not cause the
frame to exceed the MTU.
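The arithmetic above, and what "forcing the MSS" means on the wire, as an added example written for this section (it is not HP code and does not reflect how the TMS zl Module is implemented). It assumes a basic 4-byte GRE header plus a 20-byte delivery IPv4 header, which reproduces the guide's 1436 figure for a 1500-byte MTU; the SYN header, port numbers and addresses are constructed sample values. The clamp function rewrites only the MSS option (kind 2) in a TCP header, leaves the header length unchanged, and recomputes the TCP checksum so the modified segment stays valid.

```python
import socket
import struct

# Header sizes used by the guide: standard IPv4 header (20) + TCP header (20).
IP_TCP_HEADER_BYTES = 40
# Assumption: basic GRE header (4 bytes, no optional fields) plus a 20-byte
# delivery IPv4 header. With a 1500 MTU this gives the guide's 1436 MSS.
GRE_OVERHEAD_BYTES = 4 + 20


def recommended_mss(mtu=1500, encap_overhead=0):
    """Largest MSS whose full-size segment still fits the MTU after encapsulation."""
    return mtu - IP_TCP_HEADER_BYTES - encap_overhead


def fits_in_mtu(mss, mtu=1500, encap_overhead=0):
    """True if a full-size segment with this MSS needs no fragmentation after encapsulation."""
    return mss + IP_TCP_HEADER_BYTES + encap_overhead <= mtu


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header and segment, checksum field taken as zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _with_checksum(src_ip, dst_ip, segment):
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def build_syn(src_ip, dst_ip, mss):
    """Constructed sample: TCP SYN with MSS, NOP, NOP and SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"   # 8 bytes
    data_offset = (20 + len(options)) // 4                                  # 7 words
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4,
                         0x02, 65535, 0, 0) + options
    return _with_checksum(src_ip, dst_ip, header)


def _walk_options(opts):
    """Yield (offset, kind, length) for each TCP option; EOL stops, NOP has no length byte."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            return
        if kind == 1:
            yield i, 1, 1
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        yield i, kind, length
        i += length


def mss_option(segment):
    """Return the MSS option value from a TCP header, or None if the option is absent."""
    opts = segment[20:(segment[12] >> 4) * 4]
    for off, kind, length in _walk_options(opts):
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[off + 2:off + 4])[0]
    return None


def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """Copy of the segment with its MSS option lowered to max_mss if it was larger.

    Only the two option value bytes change, so the header length is untouched;
    the checksum is recomputed because those bytes are covered by it.
    """
    data_offset = (segment[12] >> 4) * 4
    opts = bytearray(segment[20:data_offset])
    for off, kind, length in _walk_options(bytes(opts)):
        if kind == 2 and length == 4:
            if struct.unpack("!H", opts[off + 2:off + 4])[0] > max_mss:
                opts[off + 2:off + 4] = struct.pack("!H", max_mss)
    new_segment = segment[:20] + bytes(opts) + segment[data_offset:]
    return _with_checksum(src_ip, dst_ip, new_segment)


def checksum_valid(src_ip, dst_ip, segment):
    """True if the stored checksum matches one recomputed over the segment."""
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src_ip, dst_ip, segment)


if __name__ == "__main__":
    src, dst = "10.0.0.1", "10.0.0.2"          # constructed addresses
    syn = build_syn(src, dst, 1460)
    print("host MSS:", mss_option(syn), "fits inside GRE?",
          fits_in_mtu(1460, 1500, GRE_OVERHEAD_BYTES))
    clamped = clamp_mss(src, dst, syn, recommended_mss(1500, GRE_OVERHEAD_BYTES))
    print("clamped MSS:", mss_option(clamped), "checksum valid:",
          checksum_valid(src, dst, clamped))
```

Clamping applies to the MSS option in SYN and SYN/ACK segments only; segments that already advertise a smaller MSS pass through unchanged, and `fits_in_mtu` is the check to run with your own tunnel overhead if it differs from the plain-GRE assumption used here.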
Table 4-3 gives guidelines for situations in which you should set the TCP
MSS. It also suggests the value to which you should set the MSS based on
the common MTU of 1500. For example, you should set the MSS for traffic
that will be sent over a GRE tunnel no higher than 1436 (1500 bytes minus