Hi Eugene.
I think when you use it without mask, it matches the exact decimal value represented by that 3-bit flags field. So saying "flags eq 1" would be the same as saying the flags are binary 001, i.e. R is always 0, DF is 0, MF is 1.

IOS does have value 7 as a maximum value, but only values 0 to 3 make sense, since the R bit should always be 0.
      R DF MF
0 = 0  0  0
1 = 0  0  1
2 = 0  1  0
3 = 0  1  1
4 = 1  0  0 - invalid flag R from here down
5 = 1  0  1
6 = 1  1  0
7 = 1  1  1

So you don't really have to use mask, IMO.

Sure, length makes sense with IP packets smaller than 1500. With fragmented packets the length will be either 1500 or less, but would never exceed 1500. I am referring here to one of the IPExpert solutions for the Lab bootcamp Lab 3 task re FPM. In the solution they match on length gt 1500.

Cheers,
A.
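A worked model of the fragment fields and the FPM matching discussed in this thread, added here as an illustration; it is not code from the thread, from IPExpert or from Cisco IOS. It assumes that the eq mask in FPM works like an ACL wildcard (bits set in the mask are ignored), which is the reading under which Kings' "flags eq 1 mask 6" isolates MF and a "mask 5" would isolate DF; the fragmenter, the tuple encoding of the class-maps, the 3000-byte and 64-byte pings and the crafted DF+MF header are all constructed for the example.

```python
"""Toy IPv4 fragmenter plus an FPM-style field matcher (added example, not IOS code)."""
from __future__ import annotations
from dataclasses import dataclass

IP_HDR_LEN = 20                      # IPv4 header without options
R_BIT, DF_BIT, MF_BIT = 4, 2, 1      # the 3-bit flags field: R is the high bit, MF the low bit


@dataclass(frozen=True)
class IPHeader:
    protocol: int          # 1 = ICMP, 6 = TCP, 17 = UDP
    length: int            # IP total length (header + payload), never above the MTU
    flags: int             # 0..7, see the R/DF/MF table in the thread
    fragment_offset: int   # in 8-byte units, as encoded on the wire


def fragment(payload_len: int, mtu: int = 1500, protocol: int = 1, df: bool = False) -> list[IPHeader]:
    """Split a datagram carrying payload_len bytes (ICMP header + data) into MTU-sized fragments."""
    if payload_len + IP_HDR_LEN <= mtu:
        return [IPHeader(protocol, payload_len + IP_HDR_LEN, DF_BIT if df else 0, 0)]
    if df:
        raise ValueError("DF set and datagram exceeds MTU: dropped, never fragmented")
    chunk = (mtu - IP_HDR_LEN) // 8 * 8   # every non-last fragment carries a multiple of 8 bytes
    frags, offset = [], 0
    while offset < payload_len:
        n = min(chunk, payload_len - offset)
        last = offset + n >= payload_len
        frags.append(IPHeader(protocol, n + IP_HDR_LEN, 0 if last else MF_BIT, offset // 8))
        offset += n
    return frags


def match_field(hdr: IPHeader, field: str, op: str, value: int, mask: int = 0) -> bool:
    """One 'match field IP <field> <op> <value> [mask m]' line.

    ASSUMPTION: mask bits are wildcards, i.e. bits set in the mask are ignored on both
    sides, which makes 'flags eq 1 mask 6' mean 'MF set, R and DF do not matter'."""
    actual = getattr(hdr, field.replace("-", "_"))
    if op == "eq":
        return (actual & ~mask) == (value & ~mask)
    if op == "gt":
        return actual > value
    if op == "lt":
        return actual < value
    raise ValueError(f"unsupported operator {op}")


def class_map(hdr: IPHeader, terms: list[tuple], match_any: bool) -> bool:
    """match-any is the OR of the match lines, match-all the AND."""
    results = [match_field(hdr, *t) for t in terms]
    return any(results) if match_any else all(results)


def classify(hdrs: list[IPHeader], terms: list[tuple], match_any: bool = True) -> list[bool]:
    return [class_map(h, terms, match_any) for h in hdrs]


# Class-maps from the thread, encoded as (field, op, value[, mask]) tuples.
ALEXEI = [("flags", "eq", 1), ("fragment-offset", "gt", 0)]      # match-any, no mask
KINGS = [("flags", "eq", 1, 6), ("fragment-offset", "gt", 0)]    # match-any, mask 6 ignores R and DF
LENGTH_GT_1500 = [("length", "gt", 1500)]                        # the IPExpert-style extra line

# Constructed inputs: a 3000-byte ICMP echo fragmented at 1500, a plain 64-byte ping,
# and a crafted header with DF and MF both set (flags = 3), which no real stack emits.
BIG_PING = fragment(3000)
SMALL_PING = fragment(64)
CRAFTED = [IPHeader(1, 1500, DF_BIT | MF_BIT, 0)]

if __name__ == "__main__":
    for h in BIG_PING:
        print(f"len={h.length:4} flags={h.flags:03b} offset={h.fragment_offset:3}")
    print("Alexei:", classify(BIG_PING, ALEXEI), classify(SMALL_PING, ALEXEI), classify(CRAFTED, ALEXEI))
    print("Kings: ", classify(BIG_PING, KINGS), classify(SMALL_PING, KINGS), classify(CRAFTED, KINGS))
    print("length gt 1500:", classify(BIG_PING, LENGTH_GT_1500))
```

Running it shows the three fragment shapes from the thread (1500/MF/offset 0, 1500/MF/offset 185, 60/no MF/offset 370), that "flags eq 1" with and without "mask 6" give the same verdict on every fragment a real stack produces (DF and R are zero whenever MF is set), and that no fragment has an IP length above the MTU, so a "length gt 1500" line never matches anything. Under the assumed wildcard semantics the two class-maps only disagree on the crafted header with DF and MF both set and offset 0, which the unmasked "eq 1" does not match.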



On 6/6/2012 5:12 PM, Eugene Pefti wrote:
I like it better, Alexei ;)
Specifically the fact that MF is set to 0 in the last fragment.
Have you intentionally omitted the mask for IP flags eq 1 in your access-control class-map? As far as I understand it, mask is the only way to match on the right flag (DF or MF). I tried doing something similar and used the length field set to 500 as an example (match field IP length gt 500). It actually did make a difference. I wasn't able to send pings 501 bytes in size.

Eugene

From: Alexei Monastyrnyi <[email protected]>
Date: Tuesday, June 5, 2012 8:17 PM
To: Eugene Pefti <[email protected]>
Cc: Mike Rojas <[email protected]>, [email protected], [email protected]
Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets

Eugene,
here is my take on it. Let's get ICMP fragmented and see what fields we should match.
R4(config-cmap)#do sh run class-map
Building configuration...
Current configuration : 222 bytes
!
class-map type stack match-all CM_FPM_IP_ICMP
 match field IP protocol eq 1 next ICMP
class-map type access-control match-any CM_FPM_ICMP_FRAGMENTS
 match field IP flags eq 1
 match field IP fragment-offset gt 0
!
end
R4(config-cmap)#do sh run policy-map
Building configuration...
Current configuration : 206 bytes
!
policy-map type access-control PM_FPM_ICMP_FRAGMENTS
 class CM_FPM_ICMP_FRAGMENTS
   log
policy-map type access-control PM_FPM_IP_ICMP
 class CM_FPM_IP_ICMP
  service-policy PM_FPM_ICMP_FRAGMENTS
!
end
R3 fa0/1 - 180.6.34.0/24 -- fa0/0 R4
PM_FPM_IP_ICMP is applied inbound on Fa 0/0 of R4.
First, as you can see, there is no IP length field in my class-map, because it is always less than or equal to 1500. The most generic scenario is that we have 3 types of fragments, and those IP header fields should be set as per below:
- initial fragment -> IP Length = 1500 MF flag = 1 Fragment Offset = 0
- non-initial fragment -> IP Length = 1500 MF flag = 1 Fragment Offset > 0
- last fragment -> IP Length < 1500 MF flag = 0 Fragment Offset > 0
In some solution they match on IP length too, which IMO achieves nothing.
Am I missing something?
Cheers
A.


On 4 June 2012 15:37, Eugene Pefti <[email protected]> wrote:

    Sorry, didn't mean to send it yet. Starting it all over:

    If you don't mind, guys, I'd start some sort of compilation of FPM
    related knowledge here, specifically that we need to know and
    which is not easily available as a reference in Cisco docs.

    1. Protocol numbers. So far we have to remember only three numbers
    (mostly) - 1 (ICMP), 6 (TCP), 17 (UDP)
    An accompanying question, is it good to specify them in decimal
    when defining the stack type class-map, i.e. I want to match for
    UDP protocol in the IP header
       class-map type stack IP-UDP-CLASS
         match field IP protocol eq 17 next UDP

    And another one, is mask a loose parameter that can always be left
    off here ?

    2. I found that I can't retain in my head what goes first in the
    Flags field of IP header, DF or MF. Is there any reference in
    Cisco docs that could be looked up during the exam?
    Let's take Mike's example with fragmented packets. King's solution
    is as follows (I quote it):

    You should match packets with FO> 0 and Flags = 1.

    For the first packet F0=0 and Flags=1
    For other packets F0>0
    For the last packet FO>0 and flags will be 1.

    Hence the following is the solution.

    rtr(config)# class-map type access-control match-any fragudp
    rtr(config-cmap)# match field ip flags eq 1 mask 6
    rtr(config-cmap)# match field ip fragment-offset gt 0

       2.1 When you say "Flags=1" in the first line what flag do you
    mean? I'd assume MF (More Fragments).
       2.2 When you mention flags in the third line as should be set
    to 1 again, what flags did you mean, MF or DF? If MF, why would IP
    stack care about MF in the last packet?
       2.3 You say that we have to match for packets with FO>0 and
    Flags=1, why does the class-map have "match-any" option?
       2.4 If I were to match on DF flag then I'd need to set mask to
    5 ? Are there any conditions that I'd need to care and be prepared
    to match for the DF flag?

    Enough for now ;)

    Eugene

    From: Eugene Pefti <[email protected]>
    Date: Sunday, June 3, 2012 10:09 PM
    To: Mike Rojas <[email protected]>, [email protected], [email protected]

    Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets

    I feel sorry for you, Mike, but I know that you like all others
    here will definitely do it next time.
    I start feeling that FPM is the most intimidating subject on the
    exam ;)

    If you don't mind, guys, I'd start some kind of compilation of FPM
    related knowledge here, specifically that we need to know and
    which is not easily available as a reference in Cisco docs.

     1. Protocol numbers. So far we have to remember only three
        numbers (mostly) - 1 (ICMP), 6 (TCP), 17 (UDP)


    From: Mike Rojas <[email protected]>
    Date: Sunday, June 3, 2012 2:25 PM
    To: [email protected], [email protected]
    Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets

    Oh no Kings, I failed it because I suck at it... I got an FPM
    question where you had to do something about the ICMP packet
    size... I was expecting a question more like finding something
    inside of the payload... some you win, some you lose...

    Cheers!

    Mike

    ------------------------------------------------------------------------
    Date: Sun, 3 Jun 2012 10:56:59 +0530
    Subject: Re: [OSL | CCIE_Security] FPM ICMP large Packets
    From: [email protected]
    To: [email protected]

    Mike, did you fail in the CCIE lab? And is it due to the wrong
    solution of FPM?

    With regards
    Kings

    On Sun, Jun 3, 2012 at 3:08 AM, Mike Rojas <[email protected]
    <mailto:[email protected]>> wrote:

        I just want to recall one of the Replies from Kingsley... BTW
        I failed the test....

        
http://onlinestudylist.com/archives/ccie_security/2012-February/029078.html

        Mike

        _______________________________________________
        For more information regarding industry leading CCIE Lab
        training, please visit www.ipexpert.com

        Are you a CCNP or CCIE and looking for a job? Check out
        www.PlatinumPlacement.com





