Hi Brandon, Thanks for the great post :-)
On 5/12/10, Brandon Carroll <[email protected]> wrote:
> Also check out this one:
>
> http://blog.ipexpert.com/2010/05/12/introduction-to-fpm/
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> On May 12, 2010, at 1:12 PM, Sumit Mahla wrote:
>
>> Nice document....
>>
>> So if I have to check whether the packet is a fragment or not.... then in that
>> case next ip would be used regardless of the layer 4 protocol (tcp/udp)...
>> because the flag field and fragment offset field are part of the IP header...
>>
>> class-map type stack FRAG
>>  match field ip protocol eq 0x1 next ip
>>
>> class-map type access-control match-any FRAG-IP
>>  match field ip fragment-offset gt 0
>>  match field ip flag eq 1 mask 6
>>
>> so these two class-maps, apart from the two other respective policy-maps,
>> would be required if the condition is to drop fragment packets... we do not
>> need to care about any other protocol.... Am I right?
>>
>> If specifically asked to match any port number in the packet, like tcp port
>> 444, then it would be next tcp....
>>
>> Am I right?
>>
>> > Date: Wed, 12 May 2010 12:00:37 +0100
>> > Subject: Re: [OSL | CCIE_Security] FPM
>> > From: [email protected]
>> > To: [email protected]
>> > CC: [email protected]
>> >
>> > Hi Summit, the next protocol field is used to identify the next layer.
>> > If we want to match an IP-in-IP packet we would use next ip.
>> >
>> > There is a good post here (it's from another vendor but it's okay):
>> >
>> > http://blog.ine.com/2009/06/14/understanding-flexible-packet-matching/
>> >
>> > HTH,
>> >
>> > On 5/12/10, Sumit Mahla <[email protected]> wrote:
>> > > Hello All,
>> > >
>> > > I have a small confusion....
>> > >
>> > > when we use the below mentioned command in FPM....
>> > >
>> > > class-map type stack match-all FRAGMENT
>> > >  match field ip protocol eq 0x1 next icmp
>> > >
>> > > sometimes we use next icmp and sometimes we use next ip. I know next icmp
>> > > means that we are going to check fragmented packets for the icmp
>> > > protocol.... if we are checking fragmented packets for tcp then we would
>> > > use next tcp....
>> > >
>> > > but is there a specific reason to use next ip?
>> > >
>> > > Regards
>> >
>> > --
>> > Best Regards,
>> >
>> > Tolulope.
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>
--
Best Regards,
Tolulope.
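To make the two class-maps in the thread concrete, here is an added example (not from the thread or from Cisco) that evaluates the FRAG and FRAG-IP conditions against raw IPv4 headers. It assumes, as a reading of the FPM syntax, that `eq VALUE mask MASK` ignores the bits set in MASK, so `flag eq 1 mask 6` tests only the MF bit; the sample headers are constructed, and `drop_decision` applies the class-maps exactly as posted (stack class-map first, then FRAG-IP).

```python
import struct

# Evaluates the class-maps quoted in the thread against raw IPv4 headers.
# Assumption: an FPM "eq VALUE mask MASK" comparison ignores the bits set in
# MASK, so "match field ip flag eq 1 mask 6" tests only the MF bit.
IP_FLAG_MF = 0x1  # more fragments
IP_FLAG_DF = 0x2  # don't fragment

def parse_ipv4_header(pkt: bytes):
    """Return (protocol, flags, fragment_offset) from a raw IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return pkt[9], flags_frag >> 13, flags_frag & 0x1FFF  # 3-bit flags, 13-bit offset

def fpm_eq_mask(field: int, value: int, mask: int) -> bool:
    """FPM 'eq value mask mask': compare with the masked bits ignored (assumption)."""
    return (field & ~mask) == (value & ~mask)

def matches_stack_frag(pkt: bytes) -> bool:
    """class-map type stack FRAG: match field ip protocol eq 0x1 next ip."""
    protocol, _, _ = parse_ipv4_header(pkt)
    return protocol == 0x1

def matches_frag_ip(pkt: bytes) -> bool:
    """class-map type access-control match-any FRAG-IP: either line matches."""
    _, flags, frag_offset = parse_ipv4_header(pkt)
    return frag_offset > 0 or fpm_eq_mask(flags, 1, 6)

def drop_decision(pkt: bytes) -> bool:
    """Policy as posted: the stack class-map must match before FRAG-IP applies."""
    return matches_stack_frag(pkt) and matches_frag_ip(pkt)

def build_ipv4_header(protocol: int, flags: int, frag_offset: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left 0) for testing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234,
                       (flags << 13) | frag_offset, 64, protocol, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed samples: ICMP first fragment, ICMP last fragment,
# ICMP with DF set (not a fragment), and a TCP first fragment.
ICMP_FIRST_FRAG = build_ipv4_header(1, IP_FLAG_MF, 0)
ICMP_LAST_FRAG = build_ipv4_header(1, 0, 185)
ICMP_DF_NOFRAG = build_ipv4_header(1, IP_FLAG_DF, 0)
TCP_FIRST_FRAG = build_ipv4_header(6, IP_FLAG_MF, 0)

if __name__ == "__main__":
    for name, pkt in [("icmp-first", ICMP_FIRST_FRAG), ("icmp-last", ICMP_LAST_FRAG),
                      ("icmp-df", ICMP_DF_NOFRAG), ("tcp-first", TCP_FIRST_FRAG)]:
        print(name, "drop" if drop_decision(pkt) else "pass")
```

Running it shows the TCP fragment matching FRAG-IP but not the stack class-map, which is the piece to check when a policy is meant to cover fragments of every protocol.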
