Hi guys, Does anybody have a clear understanding of how OOO packets are handled by the IOS firewall (CBAC and ZBF)? I have found a lot of contradictory information about this topic on the cisco site, and I'm getting confused.
CBAC

According to my understanding, in case of CBAC OOO packets are dropped by default. However, if we configure L7 inspection for a certain protocol, then OOO packet support kicks in for that particular protocol. That means that a copy of the out-of-order packets will be copied into the buffer while the original packet will be transmitted to the destination as it is. No reordering. Once the missing sequence arrives, the firewall will fill the hole and will do the firewall logic, and the result will be a new session.

With "ip inspect tcp reassembly queue length 0" I can disable the OOO packet processing. So even the L7 inspected packets are going to be dropped if they are OOO.

Zone based firewall

"OoO packets are dropped when IPS and zone-based policy firewall with L4 inspection are enabled."

According to this sentence, OOO packets are treated in the same way as in case of CBAC; however, the same config guide later on says:

"In Cisco IOS Release 12.4(15)T, OoO processing was enabled for zone-based firewall and for IPS shared sessions with Layer 4 match (match protocol TCP, match protocol http), and for any TCP-based Layer 7 packet ordering."

From this one I understand that OOO processing works for L4 inspected packets as well, e.g. for any TCP traffic.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-CA37F2B4-CA9D-44DD-9B27-C9C235C4D4DE

Thank you for your comments!
Oszkar
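Added example, not from the original post or from Cisco: a small Python model of the CBAC behaviour Oszkar describes (an OOO segment is passed through unchanged while a copy is queued, and the L7 check runs once the hole is filled), with queue_len=0 standing in for "ip inspect tcp reassembly queue length 0". All class and function names here are my own.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class OooModel:
    """Constructed model, not IOS code. An OOO segment is forwarded as-is and a
    copy is queued; when the hole is filled the queued copies are consumed in
    order and the L7 check runs on the contiguous stream. queue_len=0 means
    every OOO segment is dropped (no reassembly queue)."""
    queue_len: int
    next_seq: int = 0
    queue: dict = field(default_factory=dict)     # seq -> queued copy
    stream: bytes = b""                           # contiguous, inspected bytes
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    verdicts: list = field(default_factory=list)  # (seq, l7_check result)

    def _consume(self, seg, l7_check, already_sent):
        self.stream += seg.payload
        self.next_seq = seg.seq + len(seg.payload)
        if not already_sent:
            self.forwarded.append(seg.seq)
        self.verdicts.append((seg.seq, l7_check(self.stream)))

    def receive(self, seg, l7_check):
        if seg.seq == self.next_seq:
            self._consume(seg, l7_check, already_sent=False)
            # hole filled: drain queued copies that are now contiguous
            while self.next_seq in self.queue:
                self._consume(self.queue.pop(self.next_seq), l7_check, already_sent=True)
        elif seg.seq > self.next_seq:
            if len(self.queue) >= self.queue_len:
                self.dropped.append(seg.seq)   # queue full (or length 0): drop
            else:
                self.queue[seg.seq] = seg      # keep a copy ...
                self.forwarded.append(seg.seq) # ... but pass the original through
        else:
            self.dropped.append(seg.seq)       # duplicate of already-consumed data


def run(arrival_order, queue_len):
    """Feed constructed 10-byte segments in the given order; L7 check looks for 'GET '."""
    m = OooModel(queue_len=queue_len)
    segs = {s: Segment(s, (b"GET /" if s == 0 else b"xxxxx").ljust(10, b" ")) for s in (0, 10, 20)}
    for s in arrival_order:
        m.receive(segs[s], lambda stream: stream.startswith(b"GET "))
    return m.forwarded, [v[0] for v in m.verdicts], m.dropped
```

Compare run([0, 20, 10], 4) with run([0, 20, 10], 0): with a queue the segment at seq 20 is forwarded before it is inspected, without one it is simply dropped.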
