Hi Piotr,
Here is the related config from BB1 and the full RIB and FIB table.
interface FastEthernet0/1
ip vrf forwarding lab
ip address 10.5.8.11 255.255.255.0
ip load-sharing per-packet
ip pim sparse-mode
ip route vrf lab 0.0.0.0 0.0.0.0 10.5.8.2
ip route vrf lab 0.0.0.0 0.0.0.0 10.5.8.4
BB1#sh ip route vrf lab
Gateway of last resort is 10.5.8.4 to network 0.0.0.0
192.16.10.0/32 is subnetted, 1 subnets
S 192.16.10.10 [1/0] via 172.16.1.1, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.5.8.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.5.8.4
             [1/0] via 10.5.8.2
BB1#sh ip cef vrf lab
Prefix Next Hop Interface
0.0.0.0/0 10.5.8.2 FastEthernet0/1
          10.5.8.4 FastEthernet0/1
0.0.0.0/8 drop
0.0.0.0/32 receive
10.5.8.0/24 attached FastEthernet0/1
10.5.8.0/32 receive FastEthernet0/1
10.5.8.2/32 attached FastEthernet0/1
10.5.8.4/32 attached FastEthernet0/1
10.5.8.11/32 receive FastEthernet0/1
10.5.8.255/32 receive FastEthernet0/1
127.0.0.0/8 drop
192.16.10.10/32 172.16.1.1 FastEthernet0/0
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive
Thanks!
Oszkar
On Fri, Mar 16, 2012 at 12:26 AM, Piotr Matusiak <[email protected]> wrote:
> can you paste config from BB1 and its RIB?
>
>
>
> 2012/3/16 Imre Oszkar <[email protected]>
>
>>
>> Hi Piotr,
>>
>> Thanks for the idea! Seems that it should work, but for some reason I
>> cannot see any OOO packet.
>>
>> I set up the following scenario:
>> 1. unequal path between the source (BB1) and the destination (server).
>> BB1 is doing per-packet load balancing.
>> 2. Outbound rate limiter on R4
>>
>>
>>
>>          |----R4---R1----\
>> |BB1|----|                 -----R3----R5---|SERVER|
>>          |-----------R2----/
>>
>>
>> Per-packet load-balancing:
>>
>> BB1#traceroute 136.1.122.100 (Server)
>>
>> Type escape sequence to abort.
>> Tracing the route to 136.1.122.100
>>
>> 1 10.5.8.2 4 msec
>> 10.5.8.4 0 msec
>> 10.5.8.2 4 msec
>> 2 10.5.9.1 0 msec
>> 10.5.11.3 4 msec
>> 10.5.9.1 0 msec
>> 3 136.1.121.5 4 msec
>> 10.5.10.3 0 msec
>> 136.1.121.5 0 msec
>> 4 136.1.121.5 4 msec
>> 136.1.122.100 0 msec
>> 136.1.121.5 0 msec
>>
>>
>> On R4 I have an outbound rate-limiter which is heavily dropping packets.
>>
>> R4#sh interfaces rate-limit
>> FastEthernet0/0
>> Output
>> matches: all traffic
>> params: 8000 bps, 1500 limit, 2000 extended limit
>> conformed 1286 packets, 72962 bytes; action: transmit
>> exceeded 12008 packets, 649782 bytes; action: drop
>> last packet: 1680ms ago, current burst: 0 bytes
>> last cleared 00:11:14 ago, conformed 0 bps, exceeded 7000 bps
>>
>>
>> I'm doing an FTP file transfer between the Server and BB1 and I'm running
>> Wireshark on the Server. Wireshark doesn't report a single OOO
>> packet. There is nothing enabled on the routers between BB1 and the Server that
>> would cause packet reassembly.
>>
>> Am I missing something here? Can you help me out?
>>
>> Thanks,
>> Oszkar
>>
>>
>> On Wed, Mar 14, 2012 at 10:08 AM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> CBAC does reassembly for all packets, not only those subjected to DPI.
>>> I'm not sure about the packet copy though.
>>> For ZBF you must have at least 15.0 to make OOO packets work. It does
>>> not work for 12.4T.
>>>
>>> You can generate OOO packets by trying to set up an unequal path to the
>>> destination and involve some rate-limiting on one leg. Then configure CEF
>>> per-packet load balancing and you'll see packets going through two paths
>>> being OOO at the destination.
>>>
>>> Regards,
>>> Piotr
>>>
>>>
>>> 2012/3/14 Imre Oszkar <[email protected]>
>>>
>>>> Hi Kings,
>>>>
>>>> I'm familiar with that output, but that doesn't really answer any of my
>>>> questions.
>>>>
>>>> CBAC:
>>>> 1. Is it true that OOO reassembly works only for packets that require
>>>> application inspection (DPI)? If no appfw is configured, OOO packets are
>>>> dropped.
>>>> 2. Is it true that the packets reaching the destination will still be
>>>> OOO? (So all the reordering happens on a copy of the packet, not the
>>>> original packet.)
>>>>
>>>> ZBF:
>>>> 1. In the case of ZBF, is it enough to configure L4 inspection (match
>>>> protocol TCP) in order to kick in the reassembly for the OOO packets?
>>>>
>>>> Nothing comes to mind as to how I can generate OOO packets in a lab
>>>> environment to test all these, so if somebody could give me an idea, that
>>>> would be wonderful.
>>>>
>>>> Thanks,
>>>> Oszkar
>>>>
>>>>
>>>> On Wed, Mar 14, 2012 at 1:24 AM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> By default, CBAC supports OoO. Check out the following snippet.
>>>>>
>>>>> router#sh ip inspect all
>>>>> Dropped packet logging is enabled
>>>>> Session audit trail is disabled
>>>>> Session alert is enabled
>>>>> one-minute (sampling period) thresholds are [unlimited : unlimited] connections
>>>>> max-incomplete sessions thresholds are [unlimited : unlimited]
>>>>> max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
>>>>> tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
>>>>> tcp idle-time is 3600 sec -- udp idle-time is 30 sec
>>>>> *tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes*
>>>>>
>>>>> In 12.4(15)T, ZFW doesn't have the parameter map to configure OoO. And
>>>>> I guess it supports it.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Tue, Mar 13, 2012 at 11:02 AM, Imre Oszkar <[email protected]> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> Does anybody have a clear understanding of how OOO packets are
>>>>>> handled by the IOS firewall (CBAC and ZBF)?
>>>>>> I have found a lot of contradictory information about this topic on
>>>>>> the Cisco site, and I'm getting confused.
>>>>>>
>>>>>> CBAC
>>>>>>
>>>>>> According to my understanding, in the case of CBAC, OOO packets are dropped
>>>>>> by default. However, if we configure L7 inspection for a certain protocol,
>>>>>> then OOO packet support kicks in for that particular protocol. That means
>>>>>> that a copy of the out-of-order packets will be placed into the buffer
>>>>>> while the original packet is transmitted to the destination as it is.
>>>>>> No reordering. Once the missing sequence arrives, the firewall will fill the
>>>>>> hole and apply the firewall logic, and the result will be a new session.
>>>>>>
>>>>>> With "ip inspect tcp reassembly queue length 0" I can disable
>>>>>> the OOO packet processing. So even the L7 inspected packets are going to
>>>>>> be dropped if they are OOO.
>>>>>>
>>>>>>
>>>>>> Zone based firewall
>>>>>>
>>>>>> "OoO packets are dropped when IPS and zone-based policy firewall with
>>>>>> L4 inspection are enabled."
>>>>>> According to this sentence, OOO packets are treated in the same way as in the case
>>>>>> of CBAC; however, the same config guide later on says:
>>>>>>
>>>>>> "In Cisco IOS Release 12.4(15)T, OoO processing was enabled for
>>>>>> zone-based firewall and for IPS shared sessions with Layer 4 match (match
>>>>>> protocol TCP, match protocol http), and for any TCP-based Layer 7 packet
>>>>>> ordering."
>>>>>> From this one I understand that OOO processing works for L4 inspected
>>>>>> packets as well, e.g. for any TCP traffic.
>>>>>>
>>>>>>
>>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-CA37F2B4-CA9D-44DD-9B27-C9C235C4D4DE
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thank you for your comments!
>>>>>> Oszkar
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>>
>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>> www.PlatinumPlacement.com
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
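As an added illustration, not code from anyone in this thread: a small Python model of the two mechanisms under discussion, CEF per-packet load sharing across legs of unequal delay producing out-of-order segments at the receiver, and a bounded TCP reassembly queue (cf. the "tcp reassembly queue length 16" output and the "queue length 0" setting) that holds OOO segments until the hole is filled or drops them when there is no room. The sequence numbers, segment sizes and per-leg delays are constructed, and the queue is a generic hold-and-release model that does not settle the thread's open question of whether IOS forwards the original packet and buffers a copy.

```python
from dataclasses import dataclass

# Constructed sample: six 100-byte segments of one flow sent one per time unit,
# and two legs with unequal one-way delay (slow via R4, fast via R2).
ISN = 1000
SEGMENTS = [(ISN + 100 * i, 100) for i in range(6)]  # (seq, payload length)
PATH_DELAYS = [5.0, 0.0]                              # slow leg, fast leg

@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    length: int     # payload bytes
    arrival: float  # simulated arrival time at the destination

def send_per_packet(segments, path_delays):
    """CEF per-packet load sharing: consecutive packets alternate across the
    legs. Returns the segments in the order they reach the destination."""
    sent = [Segment(seq, ln, i + path_delays[i % len(path_delays)])
            for i, (seq, ln) in enumerate(segments)]
    return sorted(sent, key=lambda s: s.arrival)  # stable: ties keep send order

def out_of_order(arrivals, isn):
    """Receiver-side check: a segment whose seq is below the next expected byte
    and is not a repeat of data already seen arrived out of order."""
    expected, seen, ooo = isn, set(), []
    for s in arrivals:
        if s.seq < expected and s.seq not in seen:
            ooo.append(s.seq)
        seen.add(s.seq)
        expected = max(expected, s.seq + s.length)
    return ooo

def firewall_reassemble(arrivals, isn, queue_length=16):
    """Hold-and-release reassembly queue with at most queue_length entries:
    segments ahead of the hole wait until it is filled; when the queue is full
    (queue_length 0 means always) the OOO segment is dropped.
    Returns (seqs released in order, seqs dropped)."""
    expected, queue, released, dropped = isn, {}, [], []
    for s in arrivals:
        if s.seq == expected:              # fills the hole: release it and
            released.append(s.seq)         # whatever is now contiguous
            expected += s.length
            while expected in queue:
                released.append(expected)
                expected += queue.pop(expected)
        elif s.seq > expected and len(queue) < queue_length:
            queue[s.seq] = s.length        # ahead of the hole: buffer it
        else:
            dropped.append(s.seq)          # no room, or old data
    return released, dropped
```

With the slow leg 5 time units behind, every segment sent over it reaches the receiver after its successor on the fast leg, which is what the receiver flags as OOO; with queue length 16 the firewall releases all six in order, and with queue length 0 everything except the in-order segment is dropped.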