Sorry, didn't mean to send it yet. Starting it all over:
If you don't mind, guys, I'd start some sort of compilation of FPM related
knowledge here, specifically that we need to know and which is not easily
available as a reference in Cisco docs.
1. Protocol numbers. So far we have to remember only three numbers (mostly) - 1
(ICMP), 6 (TCP), 17 (UDP)
An accompanying question, is it good to specify them in decimal when defining
the stack type class-map, i.e. I want to match for UDP protocol in the IP header:
    class-map type stack IP-UDP-CLASS
     match field IP protocol eq 17 next UDP
And another one, is mask a loose parameter that can always be left off here?
2. I found that I can't retain in my head what goes first in the Flags field of
IP header, DF or MF. Is there any reference in Cisco docs that could be looked
up during the exam?
Let's take Mike's example with fragmented packets. King's solution is as
follows (I quote it):
You should match packets with FO>0 and Flags = 1.
For the first packet FO=0 and Flags=1
For other packets FO>0
For the last packet FO>0 and flags will be 1.
Hence the following is the solution.
    rtr(config)# class-map type access-control match-any fragudp
    rtr(config-cmap)# match field ip flags eq 1 mask 6
    rtr(config-cmap)# match field ip fragment-offset gt 0
2.1 When you say "Flags=1" in the first line what flag do you mean? I'd
assume MF (More Fragments).
2.2 When you mention flags in the third line as should be set to 1 again,
what flags did you mean, MF or DF? If MF, why would IP stack care about MF in
the last packet?
2.3 You say that we have to match for packets with FO>0 and Flags=1, why
does the class-map have "match-any" option?
2.4 If I were to match on DF flag then I'd need to set mask to 5? Are there
any conditions that I'd need to care about and be prepared to match for the DF flag?
Enough for now ;)
Eugene
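The bit layout behind the questions above, as an added example that is not part of the original thread or of any Cisco code: it parses the Flags and Fragment Offset fields of constructed IPv4 headers and evaluates the two quoted match conditions under match-any and match-all. It assumes `mask` names the bits to ignore, which is how the quoted `eq 1 mask 6` line reads; the helper names are hypothetical.

```python
import struct

# 3-bit IPv4 Flags field (RFC 791), most significant bit first.
RESERVED, DF, MF = 0b100, 0b010, 0b001

def flags_and_offset(header: bytes):
    """Return (flags, fragment_offset) from bytes 6-7 of an IPv4 header."""
    (word,) = struct.unpack("!H", header[6:8])
    return word >> 13, word & 0x1FFF  # top 3 bits; low 13 bits, 8-byte units

def eq_with_mask(value, eq, ignore_mask, width=3):
    """Compare only the bits NOT set in ignore_mask (assumed mask semantics)."""
    care = ~ignore_mask & ((1 << width) - 1)
    return (value & care) == (eq & care)

def fragudp_matches(header: bytes, match_all=False) -> bool:
    """Evaluate the two conditions quoted in the thread (hypothetical helper)."""
    flags, offset = flags_and_offset(header)
    conditions = (eq_with_mask(flags, 1, 6),  # flags eq 1 mask 6 -> MF set
                  offset > 0)                 # fragment-offset gt 0
    return all(conditions) if match_all else any(conditions)

def make_header(flags, offset, proto=17):
    """Constructed 20-byte IPv4 header (checksum left 0, documentation IPs)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234,
                       (flags << 13) | offset, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))

# Constructed samples: one unfragmented packet and a three-fragment datagram.
SAMPLES = {
    "unfragmented, DF set": make_header(DF, 0),
    "first fragment": make_header(MF, 0),
    "middle fragment": make_header(MF, 185),
    "last fragment": make_header(0, 370),
}

def classify(match_all=False):
    return {name: fragudp_matches(h, match_all) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        flags, off = flags_and_offset(h)
        print(f"{name:22} flags={flags:03b} FO={off:4} "
              f"any={fragudp_matches(h)} all={fragudp_matches(h, True)}")
```
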
From: Eugene Pefti <[email protected]>
Date: Sunday, June 3, 2012 10:09 PM
To: Mike Rojas <[email protected]>, "[email protected]" <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets
I feel sorry for you, Mike, but I know that you like all others here will
definitely do it next time.
I start feeling that FPM is the most intimidating subject on the exam ;)
If you don't mind, guys, I'd start some kind of compilation of FPM related
knowledge here, specifically that we need to know and which is not easily
available as a reference in Cisco docs.
1. Protocol numbers. So far we have to remember only three numbers (mostly)
- 1 (ICMP), 6 (TCP), 17 (UDP)
From: Mike Rojas <[email protected]>
Date: Sunday, June 3, 2012 2:25 PM
To: "[email protected]" <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets
Oh no Kings, I failed it because I suck at it... I got an FPM question where
you had to do something about the ICMP packet size... I was looking for a question
more like finding something inside of the payload... some you win some you
lose...
Cheers!
Mike
________________________________
Date: Sun, 3 Jun 2012 10:56:59 +0530
Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets
From: [email protected]
To: [email protected]
Mike, did you fail in the CCIE lab? And is it due to the wrong solution of FPM?
With regards
Kings
On Sun, Jun 3, 2012 at 3:08 AM, Mike Rojas <[email protected]> wrote:
I just want to recall one of the Replies from Kingsley... BTW I failed the
test....
http://onlinestudylist.com/archives/ccie_security/2012-February/029078.html
Mike
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com<http://www.ipexpert.com>
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com<http://www.PlatinumPlacement.com>