Hi Kings,

I'm familiar with that output, but that doesn't really answer any of my questions.

CBAC:
1. Is it true that OOO reassembly works only for packets that require application inspection (DPI)? If no appfw is configured, OOO packets are dropped.
2. Is it true that the packets reaching the destination will still be OOO? (So all the reordering happens on a copy of the packet, not the original packet.)

ZBF:
1. In the case of ZBF, is it enough to configure L4 inspection (match protocol TCP) in order to kick in the reassembly for the OOO packets?

Nothing comes to mind on how I could generate OOO packets in a lab environment to test all this, so if somebody could give me an idea that would be wonderful.

Thanks,
Oszkar

On Wed, Mar 14, 2012 at 1:24 AM, Kingsley Charles <[email protected]> wrote:
> By default, CBAC supports OoO. Check out the following snippet.
>
> router#sh ip inspect all
> Dropped packet logging is enabled
> Session audit trail is disabled
> Session alert is enabled
> one-minute (sampling period) thresholds are [unlimited : unlimited] connections
> max-incomplete sessions thresholds are [unlimited : unlimited]
> max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
> tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
> tcp idle-time is 3600 sec -- udp idle-time is 30 sec
> *tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes*
>
> In 12.4(15)T, ZFW doesn't have the parameter map to configure OoO. And I guess, it supports it.
>
> With regards
> Kings
>
> On Tue, Mar 13, 2012 at 11:02 AM, Imre Oszkar <[email protected]> wrote:
>
>> Hi guys,
>>
>> Does anybody have a clear understanding of how OOO packets are handled by the IOS firewall (CBAC and ZBF)?
>> I have found a lot of contradictory information about this topic on the Cisco site, and I'm getting confused.
>>
>> CBAC
>>
>> According to my understanding, in the case of CBAC OOO packets are dropped by default. However, if we configure L7 inspection for a certain protocol, then OOO packet support kicks in for that particular protocol. That means that a copy of the out-of-order packets will be copied into the buffer while the original packet will be transmitted to the destination as it is. No reordering. Once the missing sequence arrives, the firewall will fill the hole and will do the firewall logic, and the result will be a new session.
>>
>> With "ip inspect tcp reassembly queue length 0" I can disable the OOO packet processing. So even the L7 inspected packets are going to be dropped if they are OOO.
>>
>>
>> Zone based firewall
>>
>> "OoO packets are dropped when IPS and zone-based policy firewall with L4 inspection are enabled."
>> According to this sentence OOO are treated in the same way as in the case of CBAC; however, the same config guide later on says:
>>
>> "In Cisco IOS Release 12.4(15)T, OoO processing was enabled for zone-based firewall and for IPS shared sessions with Layer 4 match (match protocol TCP, match protocol http), and for any TCP-based Layer 7 packet ordering."
>> From this one I understand that OOO processing works for L4 inspected packets as well, e.g. for any TCP traffic.
>>
>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-CA37F2B4-CA9D-44DD-9B27-C9C235C4D4DE
>>
>> Thank you for your comments!
>> Oszkar
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
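As an added example (not from either poster), here are the CBAC reassembly knobs the thread refers to, written out as IOS configuration with the default values from the `show ip inspect all` output above, plus the equivalent ZBF OoO parameter map. It assumes a release that has `parameter-map type ooo global`; the command syntax is taken from the IOS security command reference, not from this thread.

```cisco
! CBAC: out-of-order TCP segment handling (values are the defaults
! shown in "show ip inspect all"; these settings are global)
ip inspect tcp reassembly queue length 16
ip inspect tcp reassembly timeout 5
ip inspect tcp reassembly memory limit 1024
ip inspect tcp reassembly alarm on
!
! The "disable" case discussed in the thread: no OOO buffering,
! so an OOO segment is dropped instead of being queued
! ip inspect tcp reassembly queue length 0
!
! ZBF: the same knobs live in a global OoO parameter map
! (assumes an IOS release that supports this parameter-map type)
parameter-map type ooo global
 tcp reassembly queue length 16
 tcp reassembly timeout 5
 tcp reassembly memory limit 1024
 tcp reassembly alarm on
!
! Verify on the CBAC side: "show ip inspect all" prints the
! "tcp reassembly queue length ...; timeout ...; memory-limit ..." line
```

With the alarm left on, the router logs when the reassembly queue or memory limit is exceeded, which is the easiest way to confirm in a lab that OOO segments were actually queued rather than dropped.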
