Eugene, here is my take on it. Let's get ICMP fragmented and see what fields we should match.
R4(config-cmap)#do sh run class-map
Building configuration...

Current configuration : 222 bytes
!
class-map type stack match-all CM_FPM_IP_ICMP
 match field IP protocol eq 1 next ICMP
class-map type access-control match-any CM_FPM_ICMP_FRAGMENTS
 match field IP flags eq 1
 match field IP fragment-offset gt 0
!
end

R4(config-cmap)#do sh run policy-map
Building configuration...

Current configuration : 206 bytes
!
policy-map type access-control PM_FPM_ICMP_FRAGMENTS
 class CM_FPM_ICMP_FRAGMENTS
  log
policy-map type access-control PM_FPM_IP_ICMP
 class CM_FPM_IP_ICMP
  service-policy PM_FPM_ICMP_FRAGMENTS
!
end

R3 fa01 - 180.6.34.0/24 -- fa0/0 R4

PM_FPM_IP_ICMP is applied inbound on Fa 0/0 of R4.

First, as you can see, there is no IP length field in my class-map, because it is always less than or equal to 1500. The most generic scenario is that we have 3 types of fragments, and those IP header fields should be set as per below:

- initial fragment -> IP Length = 1500, MF flag = 1, Fragment Offset = 0
- non-initial fragment -> IP Length = 1500, MF flag = 1, Fragment Offset > 0
- last fragment -> IP Length < 1500, MF flag = 0, Fragment Offset > 0

In some solutions they match on IP length too, which IMO achieves nothing. Am I missing something?

Cheers
A.

On 4 June 2012 15:37, Eugene Pefti <[email protected]> wrote:
> Sorry, didn't mean to send it yet. Starting it all over:
>
> If you don't mind, guys, I'd start some sort of compilation of FPM
> related knowledge here, specifically that we need to know and which is not
> easily available as a reference in Cisco docs.
>
> 1. Protocol numbers. So far we have to remember only three numbers
> (mostly) - 1 (ICMP), 6 (TCP), 17 (UDP)
> An accompanying question, is it good to specify them in decimal when
> defining the stack type class-map, i.e. I want to match for UDP protocol in
> the IP header
> class-map type stack IP-UDP-CLASS
>  match field IP protocol eq 17 next UDP
>
> And another one, is mask a loose parameter that can always be left off
> here?
>
> 2. I found that I can't retain in my head what goes first in the Flags
> field of IP header, DF or MF. Is there any reference in Cisco docs that
> could be looked up during the exam?
> Let's take Mike's example with fragmented packets. King's solution is as
> follows (I quote it):
>
> You should match packets with FO > 0 and Flags = 1.
>
> For the first packet FO = 0 and Flags = 1
> For other packets FO > 0
> For the last packet FO > 0 and flags will be 1.
>
> Hence the following is the solution.
>
> rtr(config)# class-map type access-control match-any fragudp
> rtr(config-cmap)# match field ip flags eq 1 mask 6
> rtr(config-cmap)# match field ip fragment-offset gt 0
>
> 2.1 When you say "Flags=1" in the first line what flag do you mean?
> I'd assume MF (More Fragments).
> 2.2 When you mention flags in the third line as should be set to 1
> again, what flags did you mean, MF or DF? If MF, why would IP stack care
> about MF in the last packet?
> 2.3 You say that we have to match for packets with FO>0 and Flags=1,
> why does the class-map have "match-any" option?
> 2.4 If I were to match on DF flag then I'd need to set mask to 5? Are
> there any conditions that I'd need to care and be prepared to match for the
> DF flag?
>
> Enough for now ;)
>
> Eugene
>
> From: Eugene Pefti <[email protected]>
> Date: Sunday, June 3, 2012 10:09 PM
> To: Mike Rojas <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets
>
> I feel sorry for you, Mike, but I know that you like all others here
> will definitely do it next time.
> I start feeling that FPM is the most intimidating subject on the exam ;)
>
> If you don't mind, guys, I'd start some kind of compilation of FPM related
> knowledge here, specifically that we need to know and which is not easily
> available as a reference in Cisco docs.
>
> 1. Protocol numbers. So far we have to remember only three numbers
> (mostly) - 1 (ICMP), 6 (TCP), 17 (UDP)
>
> From: Mike Rojas <[email protected]>
> Date: Sunday, June 3, 2012 2:25 PM
> To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets
>
> Oh no Kings, I failed it because I suck at it... I got an FPM question
> where you had to do something about the ICMP packet size... I was looking for a
> question more like finding something inside of the payload... some you win
> some you lose...
>
> Cheers!
>
> Mike
>
> ------------------------------
> Date: Sun, 3 Jun 2012 10:56:59 +0530
> Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets
> From: [email protected]
> To: [email protected]
>
> Mike, did you fail in the CCIE lab? And is it due to the wrong solution of
> FPM?
>
> With regards
> Kings
>
> On Sun, Jun 3, 2012 at 3:08 AM, Mike Rojas <[email protected]> wrote:
>
> I just want to recall one of the Replies from Kingsley... BTW I failed
> the test....
>
> http://onlinestudylist.com/archives/ccie_security/2012-February/029078.html
>
> Mike
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
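The fragment table and the match-any class-map discussed in the thread, as an added worked example that is not from any of the posters: it builds constructed IPv4 headers for the three fragment types plus an unfragmented packet, pulls out the flags and fragment-offset fields, and evaluates the class-map under match-any and match-all. It assumes the FPM flags field is the 3-bit IPv4 flags field with MF as the low bit (reserved = 4, DF = 2, MF = 1) and that bits set in `mask` are excluded from the comparison, which is the reading Eugene's "mask 5 for DF" question implies.

```python
import struct

# Bit values of the 3-bit IPv4 flags field as "match field IP flags" sees it
# (assumption): reserved = 4, DF = 2, MF = 1, so "flags eq 1" is the MF bit.
MF, DF = 1, 2


def make_ipv4_header(total_len, flags, frag_offset):
    """Constructed 20-byte IPv4 header (protocol 1 = ICMP) with the given total
    length, flags and fragment offset (offset is in 8-byte units)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, (flags << 13) | frag_offset,
                       64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def ip_frag_fields(pkt):
    """Extract the fields the class-maps look at: IP length, flags, fragment-offset."""
    total_len, flags_frag = struct.unpack("!2xH2xH", pkt[:8])
    return {"length": total_len, "flags": flags_frag >> 13,
            "fragment_offset": flags_frag & 0x1FFF}


def flags_match(flags, value, mask=0):
    """Model 'match field ip flags eq <value> mask <mask>'. Assumption: bits set in
    mask are ignored, so 'eq 1 mask 6' tests only MF and 'eq 2 mask 5' only DF."""
    keep = ~mask & 0x7
    return (flags & keep) == (value & keep)


def fragment_class(fields, mode="match-any"):
    """CM_FPM_ICMP_FRAGMENTS / fragudp: 'flags eq 1 mask 6' and 'fragment-offset gt 0',
    combined as match-any (OR) or match-all (AND)."""
    hits = [flags_match(fields["flags"], MF, mask=DF | 4), fields["fragment_offset"] > 0]
    return any(hits) if mode == "match-any" else all(hits)


# Constructed samples: the three fragment types from the table plus an unfragmented ping.
SAMPLES = {
    "initial": make_ipv4_header(1500, MF, 0),
    "non-initial": make_ipv4_header(1500, MF, 185),
    "last": make_ipv4_header(1340, 0, 370),
    "unfragmented": make_ipv4_header(84, DF, 0),
}


def evaluate(mode="match-any"):
    """Return which samples the class-map catches under the given mode."""
    return {name: fragment_class(ip_frag_fields(pkt), mode) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for mode in ("match-any", "match-all"):
        print(mode, evaluate(mode))
```

Running it shows match-any catching all three fragment types and leaving the unfragmented packet alone, while match-all would miss both the initial fragment (offset 0) and the last one (MF clear), which is why the class-map needs match-any.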
