Can you paste the config from BB1 and its RIB?
2012/3/16 Imre Oszkar <[email protected]>

> Hi Piotr,
>
> Thanks for the idea! Seems that it should work, but for some reason I
> cannot see any OOO packet.
>
> I set up the following scenario:
> 1. Unequal path between the source (BB1) and the destination (server).
>    BB1 is doing per-packet load balancing.
> 2. Outbound rate limiter on R4
>
>           |----R4---R1----\
> |BB1|----|                -----R3----R5---|SERVER|
>           |-----------R2----/
>
> Per-packet load balancing:
>
> BB1#traceroute 136.1.122.100 (Server)
>
> Type escape sequence to abort.
> Tracing the route to 136.1.122.100
>
>   1 10.5.8.2 4 msec
>     10.5.8.4 0 msec
>     10.5.8.2 4 msec
>   2 10.5.9.1 0 msec
>     10.5.11.3 4 msec
>     10.5.9.1 0 msec
>   3 136.1.121.5 4 msec
>     10.5.10.3 0 msec
>     136.1.121.5 0 msec
>   4 136.1.121.5 4 msec
>     136.1.122.100 0 msec
>     136.1.121.5 0 msec
>
> On R4 I have an outbound rate limiter which is heavily dropping packets.
>
> R4#sh interfaces rate-limit
> FastEthernet0/0
>   Output
>     matches: all traffic
>       params:  8000 bps, 1500 limit, 2000 extended limit
>       conformed 1286 packets, 72962 bytes; action: transmit
>       exceeded 12008 packets, 649782 bytes; action: drop
>       last packet: 1680ms ago, current burst: 0 bytes
>       last cleared 00:11:14 ago, conformed 0 bps, exceeded 7000 bps
>
> I'm doing an FTP file transfer between the Server and BB1 and I'm running
> Wireshark on the Server. Wireshark doesn't report a single OOO packet.
> There is nothing enabled on the routers between BB1 and the Server that
> would cause packet reassembling.
>
> Am I missing something here? Can you help me out?
>
> Thanks,
> Oszkar
>
> On Wed, Mar 14, 2012 at 10:08 AM, Piotr Matusiak <[email protected]> wrote:
>
>> Hi,
>>
>> CBAC does reassembly for all packets, not only those subjected to DPI. I'm
>> not sure about the packet copy though.
>> For ZBF you must have at least 15.0 to make OOO packets work. It does not
>> work for 12.4T.
>>
>> You can generate OOO packets by trying to set up an unequal path to the
>> destination and involve some rate-limiting on one leg. Then configure CEF
>> per-packet load balancing and you'll see packets going through two paths
>> being OOO at the destination.
>>
>> Regards,
>> Piotr
>>
>> 2012/3/14 Imre Oszkar <[email protected]>
>>
>>> Hi Kings,
>>>
>>> I'm familiar with that output, but that doesn't really answer any of my
>>> questions.
>>>
>>> CBAC:
>>> 1. Is it true that OOO reassembly works only for packets that require
>>>    application inspection (DPI)? If no appfw is configured, OOO packets are
>>>    dropped.
>>> 2. Is it true that the packets reaching the destination will still be
>>>    OOO? (So all the reordering happens on a copy of the packet, not the
>>>    original packet.)
>>>
>>> ZBF:
>>> 1. In case of ZBF, is it enough to configure L4 inspection (match
>>>    protocol tcp) in order to kick in the reassembly for the OOO packets?
>>>
>>> Nothing comes to my mind on how I can generate OOO packets in a lab
>>> environment to test all these, so if somebody could give me an idea that
>>> would be wonderful.
>>>
>>> Thanks,
>>> Oszkar
>>>
>>> On Wed, Mar 14, 2012 at 1:24 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> By default, CBAC supports OoO. Check out the following snippet.
>>>>
>>>> router#sh ip inspect all
>>>> Dropped packet logging is enabled
>>>> Session audit trail is disabled
>>>> Session alert is enabled
>>>> one-minute (sampling period) thresholds are [unlimited : unlimited] connections
>>>> max-incomplete sessions thresholds are [unlimited : unlimited]
>>>> max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
>>>> tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
>>>> tcp idle-time is 3600 sec -- udp idle-time is 30 sec
>>>> *tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes*
>>>>
>>>> In 12.4(15)T, ZFW doesn't have the parameter map to configure OoO. And
>>>> I guess it supports it.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, Mar 13, 2012 at 11:02 AM, Imre Oszkar <[email protected]> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> Does anybody have a clear understanding of how OOO packets are handled
>>>>> by the IOS firewall (CBAC and ZBF)?
>>>>> I have found a lot of contradictory information about this topic on
>>>>> the Cisco site, and I'm getting confused.
>>>>>
>>>>> CBAC
>>>>>
>>>>> According to my understanding, in case of CBAC OOO packets are dropped
>>>>> by default. However, if we configure L7 inspection for a certain protocol,
>>>>> then OOO packet support kicks in for that particular protocol. That means
>>>>> that a copy of the out-of-order packets will be copied into the buffer
>>>>> while the original packet will be transmitted to the destination as it is.
>>>>> No reordering. Once the missing sequence arrives the firewall will fill the
>>>>> hole and will do the firewall logic, and the result will be a new session.
>>>>>
>>>>> With "ip inspect tcp reassembly queue length 0" I can disable the
>>>>> OOO packet processing. So even the L7 inspected packets are going to be
>>>>> dropped if they are OOO.
>>>>>
>>>>> Zone based firewall
>>>>>
>>>>> "OoO packets are dropped when IPS and zone-based policy firewall with
>>>>> L4 inspection are enabled."
>>>>> According to this sentence OOO packets are treated in the same way as in
>>>>> case of CBAC; however, the same config guide later on says:
>>>>>
>>>>> "In Cisco IOS Release 12.4(15)T, OoO processing was enabled for
>>>>> zone-based firewall and for IPS shared sessions with Layer 4 match (match
>>>>> protocol TCP, match protocol http), and for any TCP-based Layer 7 packet
>>>>> ordering."
>>>>> From this one I understand that OOO processing works for L4 inspected
>>>>> packets as well, e.g. for any TCP traffic.
>>>>>
>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-CA37F2B4-CA9D-44DD-9B27-C9C235C4D4DE
>>>>>
>>>>> Thank you for your comments!
>>>>> Oszkar
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com
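As an added example (not code from this thread, from Cisco, or from the poster's lab), here is a small Python model of the two mechanisms the thread discusses: CEF per-packet load sharing over two paths of unequal delay reordering a TCP segment stream, and a stateful inspection engine holding out-of-order segments in a bounded reassembly queue in the spirit of `ip inspect tcp reassembly queue length N`, where N = 0 means an out-of-order segment is dropped rather than held. The path delays, segment sizes, the "queue or drop" rule and the retransmission handling are assumptions for illustration; the real IOS behaviour (copy versus original packet, the 5 second timeout, the memory limit) is not modelled.

```python
from dataclasses import dataclass, field

# Constructed example: a toy model of TCP out-of-order (OOO) handling. Not Cisco
# IOS code and not the lab config from this thread. Path delays, segment sizes
# and the queue semantics below are assumptions made for illustration.


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class Reassembler:
    """Per-flow reassembly queue in the spirit of 'ip inspect tcp reassembly
    queue length N': a segment that arrives ahead of the next expected byte is
    held until the hole before it is filled; with queue_len == 0, or when the
    queue is already full, such a segment is dropped instead of buffered."""
    queue_len: int = 16
    next_seq: int = 0
    queued: dict = field(default_factory=dict)          # seq -> payload
    delivered: bytearray = field(default_factory=bytearray)
    verdicts: list = field(default_factory=list)

    def accept(self, seg: Segment) -> str:
        if seg.seq == self.next_seq:
            self._deliver(seg.payload)
            verdict = "in-order"
        elif seg.seq < self.next_seq:
            verdict = "retransmission"      # bytes already delivered; ignore
        elif self.queue_len == 0 or len(self.queued) >= self.queue_len:
            verdict = "dropped"             # OOO and nowhere to hold it
        else:
            self.queued[seg.seq] = seg.payload
            verdict = "queued"              # OOO, held until the hole fills
        self.verdicts.append(verdict)
        return verdict

    def _deliver(self, payload: bytes) -> None:
        self.delivered += payload
        self.next_seq += len(payload)
        # the hole is filled: flush every queued segment that is now contiguous
        while self.next_seq in self.queued:
            nxt = self.queued.pop(self.next_seq)
            self.delivered += nxt
            self.next_seq += len(nxt)
        # anything still queued below next_seq is a stale duplicate
        self.queued = {s: p for s, p in self.queued.items() if s > self.next_seq}


def per_packet_arrival_order(segments, delays=(0.0, 4.0), send_interval=1.0):
    """Round-robin consecutive segments onto paths with different one-way
    delays (ms, assumed) and return them in the order they reach the
    destination. This is what CEF per-packet load sharing over two unequal
    paths does to a single flow."""
    arrivals = [(i * send_interval + delays[i % len(delays)], i, seg)
                for i, seg in enumerate(segments)]
    arrivals.sort()     # (arrival time, send index): the index breaks ties
    return [seg for _, _, seg in arrivals]


def make_stream(n: int, size: int = 100) -> list:
    """n contiguous segments of `size` bytes each, seq starting at 0."""
    return [Segment(i * size, bytes([65 + i % 26]) * size) for i in range(n)]


def run(n_segments: int = 8, queue_len: int = 16) -> dict:
    """Send a stream over the two-path model and feed it to the reassembler."""
    ordered = make_stream(n_segments)
    arrived = per_packet_arrival_order(ordered)
    r = Reassembler(queue_len=queue_len)
    for seg in arrived:
        r.accept(seg)
    expected = b"".join(s.payload for s in ordered)
    return {
        "arrival_seqs": [s.seq for s in arrived],
        "verdicts": r.verdicts,
        "delivered_bytes": len(r.delivered),
        "complete": bytes(r.delivered) == expected,
    }


if __name__ == "__main__":
    for q in (16, 0):
        res = run(queue_len=q)
        print(f"queue length {q}: arrival order {res['arrival_seqs']}")
        print(f"  verdicts {res['verdicts']}")
        print(f"  delivered {res['delivered_bytes']} bytes, complete={res['complete']}")
```

With the default queue length the reordered stream is fully reassembled (the segments that overtook their predecessors are queued and flushed once the hole fills); with queue length 0 every segment that arrives ahead of the expected byte is dropped, and the hole never closes, which is the behaviour the thread attributes to `ip inspect tcp reassembly queue length 0`.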
