By default, CBAC supports OoO. Check out the following snippet.

router#sh ip inspect all
Dropped packet logging is enabled
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
*tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes*
In 12.4(15)T, ZFW doesn't have the parameter map to configure OoO. And I guess it supports it.

With regards
Kings

On Tue, Mar 13, 2012 at 11:02 AM, Imre Oszkar <[email protected]> wrote:
> Hi guys,
>
> Does anybody have a clear understanding of how OOO packets are handled by the IOS firewall (CBAC and ZBF)?
> I have found a lot of contradictory information about this topic on the Cisco site, and I'm getting confused.
>
> CBAC
>
> According to my understanding, in case of CBAC OOO packets are dropped by default. However, if we configure L7 inspection for a certain protocol, then OOO packet support kicks in for that particular protocol. That means that a copy of the out-of-order packets will be copied into the buffer while the original packet will be transmitted to the destination as it is. No reordering. Once the missing sequence arrives, the firewall will fill the hole and will do the firewall logic, and the result will be a new session.
>
> With "ip inspect tcp reassembly queue length 0" I can disable the OOO packet processing. So even the L7 inspected packets are going to be dropped if they are OOO.
>
> Zone based firewall
>
> "OoO packets are dropped when IPS and zone-based policy firewall with L4 inspection are enabled."
> According to this sentence OOO are treated in the same way as in case of CBAC; however, the same config guide later on says:
>
> "In Cisco IOS Release 12.4(15)T, OoO processing was enabled for zone-based firewall and for IPS shared sessions with Layer 4 match (match protocol TCP, match protocol http), and for any TCP-based Layer 7 packet ordering."
> From this one I understand that OOO processing works for L4 inspected packets as well, e.g. for any TCP traffic.
>
> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-CA37F2B4-CA9D-44DD-9B27-C9C235C4D4DE
>
> Thank you for your comments!
> Oszkar
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
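To make the thread's parameters concrete, here is an added example (not from the thread or from Cisco) that models a per-flow out-of-order buffer with the three limits shown in the "show ip inspect all" output above: queue length 16, timeout 5 sec and memory-limit 1024 kilobytes. It is a generic reassembly model, not IOS code; the class and function names are invented for illustration, and it shows why "queue length 0" means every OoO segment is dropped while the default lets the hole be filled and the held data inspected in order.

```python
from dataclasses import dataclass, field

# Limits taken from the "show ip inspect all" output quoted in the thread.
QUEUE_LENGTH = 16           # tcp reassembly queue length 16
QUEUE_TIMEOUT = 5.0         # timeout 5 sec
MEMORY_LIMIT = 1024 * 1024  # memory-limit 1024 kilo bytes


@dataclass
class ReassemblyQueue:
    """Hypothetical per-flow OoO buffer: segments beyond the expected sequence
    number are held until the hole is filled, a limit is hit, or they time out.
    Only what inspection sees is tracked; forwarding is out of scope."""
    next_seq: int
    max_len: int = QUEUE_LENGTH
    timeout: float = QUEUE_TIMEOUT
    mem_limit: int = MEMORY_LIMIT
    held: dict = field(default_factory=dict)  # seq -> (payload, arrival time)
    dropped: int = 0

    def segment(self, seq, payload, now):
        """Feed one segment; return payloads handed to inspection in order."""
        # Age out held segments that waited longer than the timeout.
        for s in [s for s, (_, t) in self.held.items() if now - t > self.timeout]:
            del self.held[s]
            self.dropped += 1
        if seq > self.next_seq:  # out of order: buffer if room, else drop
            held_bytes = sum(len(p) for p, _ in self.held.values())
            if len(self.held) >= self.max_len or held_bytes + len(payload) > self.mem_limit:
                self.dropped += 1  # with max_len == 0 this drops every OoO segment
                return []
            self.held[seq] = (payload, now)
            return []
        if seq < self.next_seq:  # retransmission of data already inspected
            return []
        delivered = [payload]  # in order: inspect, then drain contiguous held data
        self.next_seq += len(payload)
        while self.next_seq in self.held:
            p, _ = self.held.pop(self.next_seq)
            delivered.append(p)
            self.next_seq += len(p)
        return delivered


def demo(max_len):
    """Constructed flow: two segments arrive before the one they follow."""
    q = ReassemblyQueue(next_seq=1000, max_len=max_len)
    q.segment(1100, b"B" * 100, now=0.0)
    q.segment(1200, b"C" * 100, now=0.1)
    filled = q.segment(1000, b"A" * 100, now=0.2)  # the missing segment arrives
    return len(filled), q.dropped  # (3, 0) with the default; (1, 2) with length 0
```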
