I have got it working. I have played with the rate limiter values and now I have OOO. So I'm ready for tests:)
thanks! On Fri, Mar 16, 2012 at 9:31 AM, Imre Oszkar <[email protected]> wrote: > Hi Piotr, > > Here is the related config from BB1 and the full RIB and FIB table. > > interface FastEthernet0/1 > ip vrf forwarding lab > ip address 10.5.8.11 255.255.255.0 > ip load-sharing per-packet > ip pim sparse-mode > > ip route vrf lab 0.0.0.0 0.0.0.0 10.5.8.2 > ip route vrf lab 0.0.0.0 0.0.0.0 10.5.8.4 > > > BB1#sh ip route vrf lab > Gateway of last resort is 10.5.8.4 to network 0.0.0.0 > > 192.16.10.0/32 is subnetted, 1 subnets > S 192.16.10.10 [1/0] via 172.16.1.1, FastEthernet0/0 > 10.0.0.0/24 is subnetted, 1 subnets > C 10.5.8.0 is directly connected, FastEthernet0/1 > S* 0.0.0.0/0 [1/0] via 10.5.8.4 > [1/0] via 10.5.8.2 > > > BB1#sh ip cef vrf lab > Prefix Next Hop Interface > 0.0.0.0/0 10.5.8.2 FastEthernet0/1 > 10.5.8.4 FastEthernet0/1 > 0.0.0.0/8 drop > 0.0.0.0/32 receive > 10.5.8.0/24 attached FastEthernet0/1 > 10.5.8.0/32 receive FastEthernet0/1 > 10.5.8.2/32 attached FastEthernet0/1 > 10.5.8.4/32 attached FastEthernet0/1 > 10.5.8.11/32 receive FastEthernet0/1 > 10.5.8.255/32 receive FastEthernet0/1 > 127.0.0.0/8 drop > 192.16.10.10/32 172.16.1.1 FastEthernet0/0 > 224.0.0.0/4 drop > 224.0.0.0/24 receive > 240.0.0.0/4 drop > 255.255.255.255/32 receive > > Thanks! > Oszkar > > > > On Fri, Mar 16, 2012 at 12:26 AM, Piotr Matusiak <[email protected]> wrote: > >> can you paste config from BB1 and it's RIB? >> >> >> >> 2012/3/16 Imre Oszkar <[email protected]> >> >>> >>> Hi Piotr, >>> >>> Thanks for the idea! Seems that it should work, but for some reason I >>> cannot see any OOO packet. >>> >>> I set up the following scenario: >>> 1. unequal path between the source (BB1) and the destination (server). >>> BB1 is doing per-packet load balancing. >>> 2. Outbound rate limiter on R4 >>> >>> >>> >>> |----R4---R1----\ >>> |BB1|----| -----R3----R5---|SERVER| >>> |-----------R2----/ >>> >>> >>> Per packet load-balaning: >>> >>> BB1#traceroute 136.1.122.100 (Server) >>> >>> Type escape sequence to abort. >>> Tracing the route to 136.1.122.100 >>> >>> 1 10.5.8.2 4 msec >>> 10.5.8.4 0 msec >>> 10.5.8.2 4 msec >>> 2 10.5.9.1 0 msec >>> 10.5.11.3 4 msec >>> 10.5.9.1 0 msec >>> 3 136.1.121.5 4 msec >>> 10.5.10.3 0 msec >>> 136.1.121.5 0 msec >>> 4 136.1.121.5 4 msec >>> 136.1.122.100 0 msec >>> 136.1.121.5 0 msec >>> >>> >>> On R4 I have outbound rate-limiter which is heavily dropping packets. >>> >>> R4#sh interfaces rate-limit >>> FastEthernet0/0 >>> Output >>> matches: all traffic >>> params: 8000 bps, 1500 limit, 2000 extended limit >>> conformed 1286 packets, 72962 bytes; action: transmit >>> exceeded 12008 packets, 649782 bytes; action: drop >>> last packet: 1680ms ago, current burst: 0 bytes >>> last cleared 00:11:14 ago, conformed 0 bps, exceeded 7000 bps >>> >>> >>> I'm doing FTP file transfer between the Server and BB1 and I'm running >>> wireshark on the Server. Wireshark doesn't report a single OOO >>> packet. There is nothing enabled on the routers between BB1 and Server that >>> would cause packet reassembling. >>> >>> Do I miss something here? Can you help me out? >>> >>> Thanks, >>> Oszkar >>> >>> >>> On Wed, Mar 14, 2012 at 10:08 AM, Piotr Matusiak <[email protected]> wrote: >>> >>>> Hi, >>>> >>>> CBAC does reassembly for all packets not only those subjected to DPI. >>>> I'm not sure about packet copy tho. >>>> For ZBF you must have at least 15.0 to make OOO packets work. It does >>>> not work for 12.4T. >>>> >>>> You can generate OOO packets by trying to setup unequal path to the >>>> destination and involve some rate-limiting on one leg. Then configure CEF >>>> per-packet load balancing and you'll see packets going through two paths >>>> being OOO at the destination. >>>> >>>> Regards, >>>> Piotr >>>> >>>> >>>> 2012/3/14 Imre Oszkar <[email protected]> >>>> >>>>> Hi Kings, >>>>> >>>>> I'm familiar with that output, but that doesn't really answer any of >>>>> my questions. >>>>> >>>>> CBAC: >>>>> 1. is it true that OOO reassembly works only for packets that >>>>> requires application inspection (DPI). If no appfw is configured OOO >>>>> packets are dropped. >>>>> 2. is it true that the packets reaching the destination will be still >>>>> OOO. (so all the reordering happens on a copy of the packet not the >>>>> original packet) >>>>> >>>>> ZBF: >>>>> 1. in case of ZBF is it enough to configure L4 inspection (match >>>>> protocol TCP) in order to kick in the reassembly for the OOO packets? >>>>> >>>>> Nothing comes in my mind how can I generate OOO packets in a lab >>>>> environment to test all these, so if somebody could give me an idea that >>>>> would be wonderful. >>>>> >>>>> Thanks, >>>>> Oszkar >>>>> >>>>> >>>>> On Wed, Mar 14, 2012 at 1:24 AM, Kingsley Charles < >>>>> [email protected]> wrote: >>>>> >>>>>> By default, CBAC support OoO. check out the following snippet. >>>>>> >>>>>> router#sh ip inspect all >>>>>> Dropped packet logging is enabled >>>>>> Session audit trail is disabled >>>>>> Session alert is enabled >>>>>> one-minute (sampling period) thresholds are [unlimited : unlimited] >>>>>> connections >>>>>> max-incomplete sessions thresholds are [unlimited : unlimited] >>>>>> max-incomplete tcp connections per host is unlimited. Block-time 0 >>>>>> minute. >>>>>> tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec >>>>>> tcp idle-time is 3600 sec -- udp idle-time is 30 sec >>>>>> *tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 >>>>>> kilo bytes* >>>>>> >>>>>> In 12.4(15)T, ZFW doesn't have the parameter map to configure OoO. >>>>>> And I guess, it supports it. >>>>>> >>>>>> With regards >>>>>> Kings >>>>>> >>>>>> On Tue, Mar 13, 2012 at 11:02 AM, Imre Oszkar <[email protected]>wrote: >>>>>> >>>>>>> Hi guys, >>>>>>> >>>>>>> Does anybody have a clear understanding of how OOO packets are >>>>>>> handled by the IOS firewall (CBAC and ZBF)? >>>>>>> I have found a lot of contradictory information about this topic on >>>>>>> the cisco site, and I'm getting confused. >>>>>>> >>>>>>> CBAC >>>>>>> >>>>>>> According to my understanding in case of CBAC OOO packets are >>>>>>> dropped by default. However if we configure L7 inspection for a certain >>>>>>> protocol then OOO packet support kicks in for that particular protocol. >>>>>>> That means that a copy of the out-of-order packets will be copied into >>>>>>> the >>>>>>> buffer while the original packet will be transmitted to the destination >>>>>>> as >>>>>>> it is. No reordering. Once the missing sequence arrives the firewall >>>>>>> will >>>>>>> fill the hole and will do the firewall logic and the result will be a >>>>>>> new >>>>>>> session. >>>>>>> >>>>>>> With the "ip inspect tcp reassembly queue lenght 0" I can disable >>>>>>> the OOO packet processing. So even the L7 inspected packets are going >>>>>>> to be >>>>>>> dropped if they are OOO. >>>>>>> >>>>>>> >>>>>>> Zone based firewall >>>>>>> >>>>>>> "OoO packets are dropped when IPS and zone-based policy firewall >>>>>>> with L4 inspection are enabled." >>>>>>> According to this sentence OOO are treated in the same way as in >>>>>>> case of CBAC, however the same config guide later on says: >>>>>>> >>>>>>> "In Cisco IOS Release 12.4(15)T, OoO processing was enabled for >>>>>>> zone-based firewall and for IPS shared sessions with Layer 4 match >>>>>>> (match >>>>>>> protocol TCP, match protocol http), and for any TCP-based Layer 7 packet >>>>>>> ordering." >>>>>>> From this one I understand that OOO processing works for L4 >>>>>>> inspected packets as well eg for any TCP traffic. >>>>>>> >>>>>>> >>>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-CA37F2B4-CA9D-44DD-9B27-C9C235C4D4DE >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thank you for your comments! >>>>>>> Oszkar >>>>>>> >>>>>>> _______________________________________________ >>>>>>> For more information regarding industry leading CCIE Lab training, >>>>>>> please visit www.ipexpert.com >>>>>>> >>>>>>> Are you a CCNP or CCIE and looking for a job? Check out >>>>>>> www.PlatinumPlacement.com >>>>>>> >>>>>> >>>>>> >>>>> >>>>> _______________________________________________ >>>>> For more information regarding industry leading CCIE Lab training, >>>>> please visit www.ipexpert.com >>>>> >>>>> Are you a CCNP or CCIE and looking for a job? Check out >>>>> www.PlatinumPlacement.com >>>>> >>>> >>>> >>> >> >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
