Community Member

Question on ACL

Hi,

Is there a way to track TCP options (e.g. MSS) using an ACL?

2 REPLIES
Hall of Fame Super Silver

Re: Question on ACL

Hello Ranil,

MSS is a parameter that is negotiated by the two endpoints during TCP setup. I think this would require deep packet inspection, like in a stateful firewall or at least an IOS feature set.

If you want to troubleshoot a TCP session with a router you can use the debug tcp command.

ACLs allow for the keyword established, which checks the SYN flag.

Hope to help

Giuseppe
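To illustrate Giuseppe's point, here is an added example (not from this thread, not Cisco code) in Python. It pulls the ports and flag bits out of a constructed SYN segment, which are the fixed-header fields an extended ACL can match, and then separately walks the variable-length options area to find the MSS, which is the part that needs a parser looking past the fixed header. The sample bytes and the function names are constructed for this example.

```python
import struct

# Constructed sample: a 24-byte TCP SYN (port 40000 -> 80) with one MSS option. Not a capture.
SAMPLE_SYN = bytes([
    0x9c, 0x40, 0x00, 0x50,              # source port 40000, destination port 80
    0x00, 0x00, 0x00, 0x01,              # sequence number
    0x00, 0x00, 0x00, 0x00,              # acknowledgement number
    0x60, 0x02,                          # data offset 6 (24 bytes) + reserved; flags = SYN
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00,  # window, checksum (not validated), urgent pointer
    0x02, 0x04, 0x05, 0xb4,              # option kind 2, length 4: MSS = 1460
])
FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def acl_visible_fields(segment):
    # Fixed-header fields an extended ACL can test: ports and individual flag bits.
    src, dst = struct.unpack("!HH", segment[:4])
    flags = segment[13]
    return {
        "src_port": src, "dst_port": dst,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        # The IOS 'established' keyword matches segments with the ACK or RST bit set.
        "established": bool(flags & (0x10 | 0x04)),
    }

def parse_tcp_options(segment):
    # Options live between byte 20 and the end of the header given by the data offset.
    header_len = (segment[12] >> 4) * 4
    if len(segment) < header_len:
        raise ValueError("segment shorter than its data offset claims")
    options, i = {}, 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation padding
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("malformed TCP option at offset %d" % i)
        options[kind] = segment[i + 2:i + length]
        i += length
    return options

def mss_value(segment):
    # Kind 2 carries a 16-bit MSS; return None when the segment has no such option.
    data = parse_tcp_options(segment).get(2)
    return struct.unpack("!H", data)[0] if data is not None and len(data) == 2 else None
```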

Community Member

Re: Question on ACL

Hi Giuseppe,

Thanks a lot for the confirmation. I was thinking of stateful inspection too.

And I've tried already with TCP flags, which doesn't say much about its options.

Wouldn't want to enable debug TCP either, as it will be quite resource intensive. Perhaps, with an ACL, I'd try debugging IP packets.

The other choice would be to export IP traffic (ip traffic-export) and analyze it on the fly. What is your experience with regard to ip traffic-export? I haven't used it so far and would like to hear some thoughts.

Many thanks,
