Flexible Packet Matching is one of those new technologies that is certainly fair game on the CCIE Security exam. I'm sure if there are any questions in the lab, the gear would have the correct IOS to work properly with what is being asked. However, due to the somewhat unstable nature of this technology, it is difficult to lab. Unfortunately, I keep thinking I understand FPM, but then something just doesn't work as expected. Sometimes my issues are with the buggy software, sometimes it's my configuration. Anyway, there are a lot of potential areas for problems. I have worked through many scenarios of my own design. I decided to post some of the examples that I have created and that I believe to work properly on 12.4(15)T.
FPM Examples

//block all fragments
//this could be a service policy nested inside another
//policy-map type access-control, e.g. one whose class
//matches just ICMP (or any other protocol)
class-map type access-control match-any FRAGMENTS
 //IP flags = 3 bits (abc)
 //a=reserved (unused)
 //b=don't fragment
 //c=more fragments
 //mask 0x6 ignores bits a and b, so this matches every fragment
 //that still has MF set: the first and any middle fragments,
 //but not the last one
 match field IP flags eq 0x1 mask 0x6
 //this would not match the first fragment of a chain,
 //but it does catch the last one (offset > 0, MF clear)
 match field IP fragment-offset gt 0
policy-map type access-control FRAGMENTS
 class FRAGMENTS
  drop

interface
 service-policy type access-control input FRAGMENTS
//drop telnet to a single IP
class-map type access-control match-all TNTOHOST
 match field IP dest-addr eq 192.168.30.2
 match field TCP dest-port eq 23
policy-map type access-control TNTOHOST
 class TNTOHOST
  drop

//the stack class map tells FPM the next header is TCP,
//so the nested policy can match TCP fields
class-map type stack match-all TCP
 match field IP protocol eq 6 next TCP
policy-map type access-control TCP
 class TCP
  service-policy TNTOHOST

interface
 service-policy type access-control input TCP
//block all ICMP
class-map type stack match-all ICMP
 match field IP protocol eq 1 next ICMP
policy-map type access-control ICMP
 class ICMP
  drop

interface
 service-policy type access-control input ICMP
//just drop ICMPECHO
class-map type access-control match-all ICMPECHO
 match field ICMP type eq 8
policy-map type access-control ICMPECHO
 class ICMPECHO
  drop

class-map type stack match-all ICMP
 match field IP protocol eq 1 next ICMP
policy-map type access-control ICMP
 class ICMP
  service-policy ICMPECHO

interface
 service-policy type access-control input ICMP
//drop ICMP packets whose IP total length is over 1000 bytes
class-map type access-control match-all BIGIP
 match field IP length gt 1000
policy-map type access-control BIGIP
 class BIGIP
  drop

class-map type stack match-all ICMP
 match field IP protocol eq 1 next IP
policy-map type access-control ICMP
 class ICMP
  service-policy BIGIP

interface
 service-policy type access-control input ICMP
//gt 1499 can only match a packet whose IP total length is exactly 1500,
//so this works as long as the ICMP message is not fragmented
class-map type access-control match-all BIGIP
 match field IP length gt 1499
policy-map type access-control BIGIP
 class BIGIP
  drop

class-map type stack match-all ICMP
 match field IP protocol eq 1 next IP
policy-map type access-control ICMP
 class ICMP
  service-policy BIGIP

interface
 service-policy type access-control input ICMP
//this never matches on Ethernet: with the default 1500-byte MTU,
//no IP packet or fragment arriving on the interface is longer than 1500
class-map type access-control match-all BIGIP
 match field IP length gt 1500
policy-map type access-control BIGIP
 class BIGIP
  drop

class-map type stack match-all ICMP
 match field IP protocol eq 1 next IP
policy-map type access-control ICMP
 class ICMP
  service-policy BIGIP

interface
 service-policy type access-control input ICMP
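The FRAGMENTS class above relies on the match-any union of two header tests, and the three BIGIP variants turn on the IP total length relative to the Ethernet MTU. The following is an added example, not IOS code and not from the original post: a small Python model that builds an ICMP datagram's IPv4 fragments inline, parses the header fields the class-maps reference (length, flags, fragment-offset, protocol), and evaluates each `match field` line the way the class-maps combine them. It assumes, as the author's own comment on `mask 0x6` implies, that FPM's `eq VALUE mask MASK` treats the set bits of MASK as don't-care bits; the packet builder, addresses and `classify` helper are constructed for the example. It models the header comparisons only, not how IOS itself handles fragments at the interface.

```python
"""Header-level model of two class-maps from this post: the match-any
FRAGMENTS class and the BIGIP length class.  Added example, not IOS code;
it evaluates only the header-field comparisons the class-maps express.

Assumption (not stated on the page): FPM's "eq VALUE mask MASK" treats the
set bits of MASK as don't-care bits, which is how the author's comment on
"mask 0x6" reads.  All packets are constructed inline with struct.
"""
import struct

IP_FLAG_MF = 0x1      # bit c: more fragments
IP_FLAG_DF = 0x2      # bit b: don't fragment
ETHERNET_MTU = 1500   # no IPv4 packet or fragment on plain Ethernet exceeds this
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def build_ipv4_header(total_length, flags, frag_offset, proto=1):
    """Build a minimal IPv4 header (checksum left zero; never verified here).
    frag_offset is in 8-byte units, as on the wire."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    src = bytes([192, 168, 30, 1])   # constructed sample addresses
    dst = bytes([192, 168, 30, 2])
    return struct.pack(IPV4_FMT, ver_ihl, 0, total_length, 0x1234,
                       flags_frag, 64, proto, 0, src, dst)


def parse_ipv4_header(pkt):
    """Return the IP header fields that the post's class-maps match on."""
    (_ver_ihl, _tos, length, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_FMT, pkt[:20])
    return {
        "length": length,                        # match field IP length
        "flags": flags_frag >> 13,               # match field IP flags
        "fragment-offset": flags_frag & 0x1FFF,  # match field IP fragment-offset
        "protocol": proto,                       # match field IP protocol
    }


def match_field_eq(fields, name, value, mask=0):
    """'match field IP NAME eq VALUE mask MASK': compare with MASK bits ignored."""
    return (fields[name] & ~mask) == (value & ~mask)


def match_field_gt(fields, name, value):
    """'match field IP NAME gt VALUE'."""
    return fields[name] > value


def class_fragments(fields):
    """class-map type access-control match-any FRAGMENTS: either line may hit."""
    mf_set = match_field_eq(fields, "flags", 0x1, mask=0x6)   # first + middle fragments
    not_first = match_field_gt(fields, "fragment-offset", 0)  # middle + last fragments
    return mf_set or not_first


def class_bigip(fields, threshold):
    """Stack class ICMP (protocol eq 1) with nested BIGIP (length gt threshold)."""
    return fields["protocol"] == 1 and match_field_gt(fields, "length", threshold)


def fragment_chain(ip_payload_len, mtu=ETHERNET_MTU):
    """Split one ICMP datagram into the IPv4 fragments a host on an MTU-sized
    link would emit: 8-byte-aligned data, MF set on all but the last."""
    max_data = (mtu - 20) // 8 * 8
    pkts, offset, remaining = [], 0, ip_payload_len
    while remaining > 0:
        data = min(max_data, remaining)
        remaining -= data
        flags = IP_FLAG_MF if remaining > 0 else 0
        pkts.append(build_ipv4_header(20 + data, flags, offset // 8))
        offset += data
    return pkts


def classify(ip_payload_len):
    """Run both class-maps over every fragment of one datagram and report which
    FRAGMENTS line matched, plus the BIGIP verdict at the post's three thresholds."""
    report = []
    for pkt in fragment_chain(ip_payload_len):
        f = parse_ipv4_header(pkt)
        report.append({
            "length": f["length"],
            "offset": f["fragment-offset"],
            "mf_line": match_field_eq(f, "flags", 0x1, mask=0x6),
            "offset_line": match_field_gt(f, "fragment-offset", 0),
            "FRAGMENTS": class_fragments(f),
            "BIGIP": {t: class_bigip(f, t) for t in (1000, 1499, 1500)},
        })
    return report


if __name__ == "__main__":
    for row in classify(3000):   # a 3000-byte ICMP payload becomes three fragments
        print(row)
```

Running it on a 3000-byte payload shows the point of the match-any class: the `flags eq 0x1 mask 0x6` line hits the first and middle fragments, the `fragment-offset gt 0` line hits the middle and last, and only their union covers the whole chain; an unfragmented packet with DF set hits neither, because the mask discards DF before the comparison. It also shows why the `gt 1500` variant can never fire on a 1500-byte MTU link: every fragment's total length is at most the MTU, so the largest value that can ever pass the check is `gt 1499`.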