Flexible Packet Matching Examples

Flexible Packet Matching (FPM) is one of those new technologies that is certainly fair game on the CCIE Security exam.  I'm sure if there are any questions in the lab, the gear would have the correct IOS to work properly with what is being asked.  However, due to the somewhat unstable nature of this technology, it is difficult to lab.  Unfortunately, I keep thinking I understand FPM, but then something just doesn't work as expected.  Sometimes my issues are with the buggy software, sometimes it's my configuration.  Anyway, there are a lot of potential areas for problems.  I have worked through many scenarios of my own design.  I decided to post some of the examples that I have created and that I believe to work properly on 12.4(15)T.

FPM Examples (// = comment)

//block all fragments
//this could be a service policy
//inside another policy type access-control
//(one that matches just ICMP, or any other protocol)

class-map type access-control match-any FRAGMENTS
//IP flags = 3 bits (abc)
//a=unused (reserved)
//b=don't fragment
//c=more fragments
//this matches any fragment with "more fragments" set,
//i.e. the first fragment (but not the last)
match field IP flags eq 0x1 mask 0x6
//this matches fragments with a non-zero offset,
//so it would not match the first fragment of a chain
match field IP fragment-offset gt 0

policy-map type access-control FRAGMENTS
class FRAGMENTS
drop

interface
service-policy type access-control input FRAGMENTS

//drop telnet to a single IP

class-map type access-control match-all TNTOHOST
match field IP dest-addr eq 192.168.30.2
match field TCP dest-port eq 23

policy-map type access-control TNTOHOST
class TNTOHOST
drop

class-map type stack match-all TCP
match field IP protocol eq 6 next TCP

policy-map type access-control TCP
class TCP
service-policy TNTOHOST

interface
service-policy type access-control input TCP

//block all ICMP

class-map type stack match-all ICMP
match field IP protocol eq 1 next ICMP

policy-map type access-control ICMP
class ICMP
drop

interface
service-policy type access-control input ICMP

//just drop ICMPECHO

class-map type access-control match-all ICMPECHO
match field ICMP type eq 8

policy-map type access-control ICMPECHO
class ICMPECHO
drop

class-map type stack match-all ICMP
match field IP protocol eq 1 next ICMP

policy-map type access-control ICMP
class ICMP
service-policy ICMPECHO

interface
service-policy type access-control input ICMP

//drop icmp over 1000

class-map type access-control match-all BIGIP
match field IP length gt 1000

policy-map type access-control BIGIP
class BIGIP
drop

class-map type stack match-all ICMP
match field IP protocol eq 1 next IP

policy-map type access-control ICMP
class ICMP
service-policy BIGIP

interface
service-policy type access-control input ICMP

//this works as long as the packet is not fragmented

class-map type access-control match-all BIGIP
match field IP length gt 1499

policy-map type access-control BIGIP
class BIGIP
drop

class-map type stack match-all ICMP
match field IP protocol eq 1 next IP

policy-map type access-control ICMP
class ICMP
service-policy BIGIP

interface
service-policy type access-control input ICMP

//this never matches on Ethernet: the 1500-byte MTU keeps every IP packet at or below 1500 bytes

class-map type access-control match-all BIGIP
match field IP length gt 1500

policy-map type access-control BIGIP
class BIGIP
drop

class-map type stack match-all ICMP
match field IP protocol eq 1 next IP

policy-map type access-control ICMP
class ICMP
service-policy BIGIP

interface
service-policy type access-control input ICMP
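To see why the FRAGMENTS class-map needs both lines, and why "IP length gt 1500" can never match on an Ethernet interface while "gt 1000" and "gt 1499" do, here is an added Python model of the header fields these class-maps inspect. It is example code written for this page, not Cisco's FPM implementation or anything from the post. It assumes 20-byte IPv4 headers, a 1500-byte Ethernet MTU, and that FPM's "eq value mask m" compares only the bits that are not set in the mask; the packets it builds are constructed, and the function names are its own.

```python
# Added example (not from the post): a small model of the IPv4 header fields that the
# FPM class-maps above inspect, exercised on constructed packets.
# Assumptions: 20-byte IPv4 headers (no options), a 1500-byte Ethernet MTU, and
# "eq value mask m" meaning "bits set in the mask are ignored in the comparison".
import socket
import struct

MF = 0x1             # IP flag bit c: more fragments
DF = 0x2             # IP flag bit b: don't fragment
ETHERNET_MTU = 1500  # assumption: no jumbo frames
IPV4_HDR_LEN = 20    # no options
IPV4_FMT = "!BBHHHBBH4s4s"


def build_ipv4_header(total_length, flags, frag_offset_units, protocol,
                      src="10.0.0.1", dst="192.168.30.2"):
    """Return a constructed 20-byte IPv4 header. Checksum is left 0 (not inspected here)."""
    frag_field = ((flags & 0x7) << 13) | (frag_offset_units & 0x1FFF)
    return struct.pack(IPV4_FMT, 0x45, 0, total_length, 0x1234, frag_field, 64,
                       protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    """Extract the fields FPM calls IP length, IP flags, IP fragment-offset and IP protocol."""
    (_, _, total_length, _, frag_field, _, proto, _, _, _) = struct.unpack(
        IPV4_FMT, pkt[:IPV4_HDR_LEN])
    return {"length": total_length, "flags": frag_field >> 13,
            "fragment-offset": frag_field & 0x1FFF, "protocol": proto}


def match_eq_mask(value, target, mask):
    """'match field IP flags eq target mask m': compare only the bits NOT in the mask (assumption)."""
    care = 0x7 & ~mask
    return (value & care) == (target & care)


def fragment_rules(hdr):
    """The two lines of class-map FRAGMENTS, evaluated separately: (flags rule, offset rule)."""
    mf_rule = match_eq_mask(hdr["flags"], 0x1, 0x6)   # MF set: first and middle fragments
    offset_rule = hdr["fragment-offset"] > 0          # non-zero offset: middle and last fragments
    return mf_rule, offset_rule


def class_fragments(hdr):
    """match-any: either line is enough, so every fragment of a chain is caught."""
    return any(fragment_rules(hdr))


def fragment(total_length, protocol, mtu=ETHERNET_MTU):
    """Split a datagram into MTU-sized fragments the way a router would; returns header bytes."""
    payload = total_length - IPV4_HDR_LEN
    max_chunk = (mtu - IPV4_HDR_LEN) // 8 * 8   # all but the last fragment carry a multiple of 8 bytes
    headers, offset = [], 0
    while offset < payload:
        chunk = min(max_chunk, payload - offset)
        last = offset + chunk >= payload
        headers.append(build_ipv4_header(IPV4_HDR_LEN + chunk, 0 if last else MF,
                                         offset // 8, protocol))
        offset += chunk
    return headers


def policy_icmp_bigip(pkt, threshold):
    """Model of policy-map ICMP with nested BIGIP: the stack class (IP protocol eq 1) must
    match, then the inner class 'IP length gt threshold' decides. True means dropped."""
    hdr = parse_ipv4(pkt)
    return hdr["protocol"] == 1 and hdr["length"] > threshold


def dropped_count(headers, threshold):
    """How many of the given packets the ICMP/BIGIP policy drops at this length threshold."""
    return sum(policy_icmp_bigip(h, threshold) for h in headers)


if __name__ == "__main__":
    big_ping = fragment(3000, 1)   # constructed: a 3000-byte ICMP datagram crossing Ethernet
    for h in big_ping:
        d = parse_ipv4(h)
        print(d, "FRAGMENTS (flags rule, offset rule):", fragment_rules(d))
    for t in (1000, 1499, 1500):
        print(f"IP length gt {t}: drops {dropped_count(big_ping, t)} of {len(big_ping)} fragments")
```

Run as a script, it prints the three fragments of the 3000-byte ping: the first matches only the flags line, the middle one matches both, and the last matches only the offset line, which is why FRAGMENTS is match-any. The length check then drops two of the three fragments at "gt 1000" and "gt 1499" but none at "gt 1500", since fragmentation caps each fragment's IP length at the MTU.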

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

One Response to Flexible Packet Matching Examples

  1. Kamil says:

    Hi Paul,

    For:

    ====================================
    //drop icmp over 1000

    class-map type access-control match-all BIGIP
    match field IP length gt 1000

    policy-map type access-control BIGIP
    class BIGIP
    drop

    class-map type stack match-all ICMP
    match field IP protocol eq 1 next IP

    policy-map type access-control ICMP
    class ICMP
    service-policy BIGIP

    interface
    service-policy type access-control input ICMP
    =====================================

    should not be there:

    ===============================
    class-map type stack match-all ICMP
    match field IP protocol eq 1 next ICMP
    ===============================

    ?

    Great blog BTW.

    Thanks.

    Kamil.
