Hi Piotr,
Thanks for the idea! Seems that it should work, but for some reason I
cannot see any OOO packet.
I set up the following scenario:
1. unequal path between the source (BB1) and the destination (server). BB1
is doing per-packet load balancing.
2. Outbound rate limiter on R4
         |----R4---R1----\
|BB1|----|                -----R3----R5---|SERVER|
         |-----------R2----/
Per-packet load-balancing:
BB1#traceroute 136.1.122.100 (Server)
Type escape sequence to abort.
Tracing the route to 136.1.122.100
1 10.5.8.2 4 msec
10.5.8.4 0 msec
10.5.8.2 4 msec
2 10.5.9.1 0 msec
10.5.11.3 4 msec
10.5.9.1 0 msec
3 136.1.121.5 4 msec
10.5.10.3 0 msec
136.1.121.5 0 msec
4 136.1.121.5 4 msec
136.1.122.100 0 msec
136.1.121.5 0 msec
On R4 I have outbound rate-limiter which is heavily dropping packets.
R4#sh interfaces rate-limit
FastEthernet0/0
Output
matches: all traffic
params: 8000 bps, 1500 limit, 2000 extended limit
conformed 1286 packets, 72962 bytes; action: transmit
exceeded 12008 packets, 649782 bytes; action: drop
last packet: 1680ms ago, current burst: 0 bytes
last cleared 00:11:14 ago, conformed 0 bps, exceeded 7000 bps
I'm doing an FTP file transfer between the Server and BB1 and I'm running
Wireshark on the Server. Wireshark doesn't report a single OOO
packet. There is nothing enabled on the routers between BB1 and the Server that
would cause packet reassembly.
Am I missing something here? Can you help me out?
Thanks,
Oszkar
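As an added illustration (not part of Oszkar's mail or of any Cisco or Wireshark code): a small Python classifier that applies the same kind of heuristic Wireshark uses to flag a TCP segment as out-of-order, run over a constructed capture of one direction of the BB1 -> server transfer. The BB1 address, the sequence numbers and the arrival order are assumed.

```python
"""Added example (not from the thread): classify TCP segments of one flow
as in-order / gap / out-of-order / retransmission, Wireshark-style."""
from dataclasses import dataclass, field

@dataclass
class Segment:
    src: str
    dst: str
    seq: int       # relative sequence number of the first payload byte
    length: int    # payload length in bytes

@dataclass
class FlowState:
    next_seq: int = 0                        # highest byte seen so far + 1
    seen: set = field(default_factory=set)   # (seq, length) pairs captured

def classify(segments):
    """Return one verdict per segment, in capture order."""
    flows, verdicts = {}, []
    for s in segments:
        st = flows.setdefault((s.src, s.dst), FlowState())
        key = (s.seq, s.length)
        if key in st.seen:
            verdict = "retransmission"        # same bytes captured before
        elif s.seq == st.next_seq:
            verdict = "in-order"
        elif s.seq > st.next_seq:
            verdict = "gap"                   # previous segment not captured
        else:
            verdict = "out-of-order"          # new bytes filling an earlier hole
        st.seen.add(key)
        st.next_seq = max(st.next_seq, s.seq + s.length)
        verdicts.append(verdict)
    return verdicts

# Constructed capture (BB1 address assumed): seq 2000 takes the slow,
# rate-limited R4 leg and arrives after seq 3000, which went via R2;
# the sender then retransmits seq 3000 after a timeout.
SAMPLE = [
    Segment("10.5.8.1", "136.1.122.100", 0, 1000),
    Segment("10.5.8.1", "136.1.122.100", 1000, 1000),
    Segment("10.5.8.1", "136.1.122.100", 3000, 1000),
    Segment("10.5.8.1", "136.1.122.100", 2000, 1000),
    Segment("10.5.8.1", "136.1.122.100", 3000, 1000),
]

if __name__ == "__main__":
    for s, v in zip(SAMPLE, classify(SAMPLE)):
        print(f"seq={s.seq:<5} {v}")
```

A segment only counts as out-of-order when it carries bytes below the highest byte already captured and those bytes have not been seen before; a resend of bytes already captured is a retransmission, which is what a dropping rate-limiter alone produces.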
On Wed, Mar 14, 2012 at 10:08 AM, Piotr Matusiak <[email protected]> wrote:
> Hi,
>
> CBAC does reassembly for all packets, not only those subjected to DPI. I'm
> not sure about the packet copy, though.
> For ZBF you must have at least 15.0 to make OOO packets work. It does not
> work for 12.4T.
>
> You can generate OOO packets by trying to set up unequal paths to the
> destination and involving some rate-limiting on one leg. Then configure CEF
> per-packet load balancing and you'll see packets going through two paths
> being OOO at the destination.
>
> Regards,
> Piotr
>
>
> 2012/3/14 Imre Oszkar <[email protected]>
>
>> Hi Kings,
>>
>> I'm familiar with that output, but that doesn't really answer any of my
>> questions.
>>
>> CBAC:
>> 1. Is it true that OOO reassembly works only for packets that require
>> application inspection (DPI)? If no appfw is configured, OOO packets are
>> dropped.
>> 2. Is it true that the packets reaching the destination will still be
>> OOO? (So all the reordering happens on a copy of the packet, not the
>> original packet.)
>>
>> ZBF:
>> 1. In the case of ZBF, is it enough to configure L4 inspection (match
>> protocol TCP) in order to kick in reassembly for OOO packets?
>>
>> Nothing comes to mind as to how I can generate OOO packets in a lab
>> environment to test all this, so if somebody could give me an idea that
>> would be wonderful.
>>
>> Thanks,
>> Oszkar
>>
>>
>> On Wed, Mar 14, 2012 at 1:24 AM, Kingsley Charles <
>> [email protected]> wrote:
>>
>>> By default, CBAC supports OoO. Check out the following snippet.
>>>
>>> router#sh ip inspect all
>>> Dropped packet logging is enabled
>>> Session audit trail is disabled
>>> Session alert is enabled
>>> one-minute (sampling period) thresholds are [unlimited : unlimited]
>>> connections
>>> max-incomplete sessions thresholds are [unlimited : unlimited]
>>> max-incomplete tcp connections per host is unlimited. Block-time 0
>>> minute.
>>> tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
>>> tcp idle-time is 3600 sec -- udp idle-time is 30 sec
>>> *tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes*
>>>
>>> In 12.4(15)T, ZFW doesn't have the parameter map to configure OoO, and I
>>> guess it supports it.
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Mar 13, 2012 at 11:02 AM, Imre Oszkar <[email protected]> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> Does anybody have a clear understanding of how OOO packets are handled
>>>> by the IOS firewall (CBAC and ZBF)?
>>>> I have found a lot of contradictory information about this topic on
>>>> the cisco site, and I'm getting confused.
>>>>
>>>> CBAC
>>>>
>>>> According to my understanding, in the case of CBAC, OOO packets are dropped
>>>> by default. However, if we configure L7 inspection for a certain protocol,
>>>> then OOO packet support kicks in for that particular protocol. That means
>>>> that a copy of the out-of-order packets will be placed in the buffer
>>>> while the original packet will be transmitted to the destination as it is.
>>>> No reordering. Once the missing sequence arrives, the firewall will fill the
>>>> hole and apply the firewall logic, and the result will be a new session.
>>>>
>>>> With "ip inspect tcp reassembly queue length 0" I can disable the
>>>> OOO packet processing. So even the L7-inspected packets are going to be
>>>> dropped if they are OOO.
>>>>
>>>>
>>>> Zone based firewall
>>>>
>>>> "OoO packets are dropped when IPS and zone-based policy firewall with
>>>> L4 inspection are enabled."
>>>> According to this sentence, OOO packets are treated in the same way as in
>>>> the case of CBAC; however, the same config guide later on says:
>>>>
>>>> "In Cisco IOS Release 12.4(15)T, OoO processing was enabled for
>>>> zone-based firewall and for IPS shared sessions with Layer 4 match (match
>>>> protocol TCP, match protocol http), and for any TCP-based Layer 7 packet
>>>> ordering."
>>>> From this one I understand that OOO processing works for L4-inspected
>>>> packets as well, e.g. for any TCP traffic.
>>>>
>>>>
>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-CA37F2B4-CA9D-44DD-9B27-C9C235C4D4DE
>>>>
>>>>
>>>>
>>>> Thank you for your comments!
>>>> Oszkar
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>>
>>
>>
>
>