Also check out this one: http://blog.ipexpert.com/2010/05/12/introduction-to-fpm/

Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

Platinum Solutions Group (PSG) provides high-end consulting services with a primary emphasis on Cisco's Data Center Solutions, Service Provider Solutions, Unified Communications and Security-enabled infrastructures. Be sure to visit www.platinumsolutionsgroup.com.

On May 12, 2010, at 1:12 PM, Sumit Mahla wrote:

> Nice document....
>
> So if I have to check whether the packet is a fragment or not.... then in that
> case next ip would be used regardless of the layer 4 protocol (tcp/udp)...
> because the flag field and fragment offset field are part of the IP header...
>
> class-map type stack FRAG
>   match field ip protocol eq 0x1 next ip
>
> class-map type access-control match-any FRAG-IP
>   match field ip fragment-offset gt 0
>   match field ip flag eq 1 mask 6
>
> So these two class-maps, apart from the two other respective policy-maps, would
> be required if the condition is to drop fragmented packets... We do not need to
> care about any other protocol.... Am I right?
>
> If specifically asked to match any port number in the packet, like tcp port
> 444, then it would be next tcp....
>
> Am I right?
>
> > Date: Wed, 12 May 2010 12:00:37 +0100
> > Subject: Re: [OSL | CCIE_Security] FPM
> > From: [email protected]
> > To: [email protected]
> > CC: [email protected]
> >
> > Hi Sumit, the next protocol field is used to identify the next layer.
> > If we want to match an IP-in-IP packet we would use next ip.
> >
> > There is a good post here (it's from another vendor but it's okay):
> >
> > http://blog.ine.com/2009/06/14/understanding-flexible-packet-matching/
> >
> > HTH,
> >
> > On 5/12/10, Sumit Mahla <[email protected]> wrote:
> > >
> > > Hello All,
> > >
> > > I have a small confusion....
> > >
> > > When we use the below mentioned command in FPM....
> > >
> > > class-map type stack match-all FRAGMENT
> > >   match field ip protocol eq 0x1 next icmp
> > >
> > > Sometimes we use next icmp and sometimes we use next ip. I know next icmp
> > > means that we are going to check the fragmented packet for the icmp protocol....
> > > If we are checking a fragmented packet for tcp then we would use next tcp....
> > >
> > > But is there a specific reason to use next ip?
> > >
> > > Regards
> >
> > --
> > Best Regards,
> >
> > Tolulope.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
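The thread's point, that fragment detection needs only the IP header and so does not depend on the layer 4 protocol named by "next", can be checked directly on raw packets. The following Python is an added example written for this page; it is not code from any of the posters or from Cisco. It parses a minimal IPv4 header, reproduces the two FRAG-IP tests ("fragment-offset gt 0" and "flag eq 1 mask 6"), and reports which "next" keyword the stack class-map would need. It assumes the FPM mask is a set of don't-care bits (the reading under which "eq 1 mask 6" isolates the MF bit); the NEXT_LAYER table and build_ipv4() helper are constructed for the demonstration and the sample packets are likewise constructed.

```python
import struct

# Added example (not from the thread): a Python model of the FPM checks
# discussed above, run against constructed IPv4 packets.  FPM's 3-bit "ip flag"
# field is reserved/DF/MF.  In "match field ip flag eq VALUE mask MASK" the bits
# set in MASK are treated here as don't-care (assumed semantics), so
# "eq 1 mask 6" ignores reserved and DF and requires MF == 1.
# "match field ip fragment-offset gt 0" catches every non-first fragment.
# Neither test looks past the IP header, whatever the layer 4 protocol is.

IP_FLAG_MF = 0x1   # More Fragments
IP_FLAG_DF = 0x2   # Don't Fragment

# Protocol number -> the layer FPM would be told to parse with "next ..."
# (assumed mapping for illustration; IP-in-IP is protocol 4).
NEXT_LAYER = {1: "icmp", 4: "ip", 6: "tcp", 17: "udp"}


def parse_ipv4_header(packet: bytes) -> dict:
    """Extract the header fields an FPM 'ip' stack layer exposes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (version_ihl, _tos, _total_len, _ident, frag_word,
     _ttl, protocol, _csum) = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "protocol": protocol,
        "flags": frag_word >> 13,             # 3 bits: reserved, DF, MF
        "fragment_offset": frag_word & 0x1FFF,
        "payload": packet[ihl:],
    }


def fpm_flag_eq(flags: int, value: int, mask: int) -> bool:
    """'match field ip flag eq VALUE mask MASK': compare only the unmasked bits."""
    care = 0x7 & ~mask
    return (flags & care) == (value & care)


def is_fragment(packet: bytes) -> bool:
    """Equivalent of class-map FRAG-IP (match-any): offset > 0 OR MF set."""
    hdr = parse_ipv4_header(packet)
    return hdr["fragment_offset"] > 0 or fpm_flag_eq(hdr["flags"], 1, 6)


def next_layer(packet: bytes) -> str:
    """Which 'next' keyword the stack class-map would need for this packet."""
    return NEXT_LAYER.get(parse_ipv4_header(packet)["protocol"], "unknown")


def build_ipv4(protocol: int, flags: int, offset: int, payload: bytes = b"") -> bytes:
    """Constructed test packet; the checksum is left zero since matching ignores it."""
    frag_word = ((flags & 0x7) << 13) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         frag_word, 64, protocol, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


if __name__ == "__main__":
    # Constructed samples: the fragment verdict depends only on the IP header.
    samples = {
        "icmp, DF, unfragmented": build_ipv4(1, IP_FLAG_DF, 0),
        "tcp first fragment (MF)": build_ipv4(6, IP_FLAG_MF, 0),
        "udp middle fragment": build_ipv4(17, IP_FLAG_MF, 185),
        "tcp last fragment": build_ipv4(6, 0, 370),
        "ip-in-ip unfragmented": build_ipv4(4, 0, 0),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} next {next_layer(pkt):5s} fragment={is_fragment(pkt)}")
```

Running it shows the first-fragment case (MF set, offset 0) is caught by the flag test and later fragments by the offset test, while the protocol number only changes which "next" layer would be parsed, which is why the FRAG-IP class-map alone is enough for a drop-all-fragments policy.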
