ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISCO 7200

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Afaq Khan the configuration and troubleshooting of IOS Flexible Packet Matching. Afaq Khan is a technical marketing engineer with the Broadband, Edge and Midrange Routing Business Unit at Cisco Systems Inc. He previously worked in the Cisco Security/VPN Technical Assistance Center (TAC) teams for almost 4 years. He specializes in VPNs involving VPN3000, IOS, PIX FW and third-party products. Afaq has represented Cisco in many Security/VPN seminars. He is a CCIE (#9070) in Routing & Switching and Security.

Remember to use the rating system to let Afaq know if you have received an adequate response.

Afaq might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 22, 2005. Visit this forum often to view responses to your questions and the questions of other community members.

10 REPLIES
Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Afaq,

What IOS version(s) is the FPM supported?

Thanks,

Tom

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Hi Tom,

IOS Flexible Packet Matching is supported starting from 12.4(4)T on 8xx to 7200/7301 in security images.

Hope that answers your Q.

Thanks

Afaq

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Hi Afaq,

Why would we use FPM versus ACL (Access Lists), any examples?

Thanks,

Brian

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Hi Brian,

Good to have this great question. FPM can be thought of as a next-gen ACL; ACLs are merely stateless filters, and very limited in how you can classify a packet for drop/log purposes.

On the other hand, FPM allows you to go deep inside packet headers/data, search based on a fixed offset or an arbitrary offset (for IP, TCP, UDP, Ethernet frames etc.) and take an action on the packet.

One simple example of that would be worms and other complex malicious traffic, like Code Red and Slammer. You can't take any action on that traffic using ACLs, as in almost all scenarios they use well-known application ports (TCP 445, or TCP 80 etc.).

You can further read it here:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00805138d3.html

Hope that answers your Q.

Thanks,

Afaq

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Hi Afaq,

I have 3 questions regarding FPM:

a. Does Cisco plan to roll out this feature onto the 6509 platform? And if yes, will it be offloaded to the PFC3?

b. Does Cisco provide a library of common protocol header description files (PHDFs) for download?

c. Is there any way to avoid FPM being process-switched?

Thanks in advance,

Cahyadi

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Hi Cahyadi,

Answers:

a. I'm positive about that, and offload is inevitable on that platform given the nature of control plane being a scarce resource.

b. Yes. They are almost done and should be posted very soon on CCO (under security software).

c. FPM as a feature is -not- in the process path (rather CEF), but it is certainly CPU intensive due to its nature of looking deep into the packets.

I'd say think of FPM as a tool to reactively deal with malicious traffic, e.g. the time while you are waiting for your IPS appliance signature to arrive for a given worm etc.

As someone said, weaknesses normally emerge from the overused strengths :)

With this, I'd like you to have a look at this URL (in case you missed it):

http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd803936f6.shtml

Thanks for the great question, keep them coming.

Rgds

Afaq

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Hi Afaq,

Thank you for the URL,

Am I right to say that in the event that no packet matches the policy, the CPU utilization table is still valid? Since the "good" packets will still be "deep-inspected".

And if this is designed to be a "non day 0"/reactive tool:

On a platform which doesn't have control-plane protection, how can we configure the router with a new pattern if the router/network itself is under a new attack, i.e. "passing worm traffic with 95+% CPU load"?

Just trying to dig out what the "value" of the FPM implementation is on the low-end 800 series up to the 7300.

It is certainly a good feature on hardware-offloaded platforms.

my2cents.

Cahyadi

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Hi there,

[[Am I right to say that in the event that no packet matches the policy, the CPU utilization table is still valid? Since the "good" packets will still be "deep-inspected".]]

No, not really. It depends on the classification: if you don't classify TCP/IP traffic (only UDP/IP for the known worm) then they won't get deep inspected for no reason!

Now for all other UDP traffic, if you have "match all" (most likely the case) then you would still avoid deep inspection by unnecessary "match" statements. Having said that, when you apply a service-policy on the interface it would certainly incur some CPU overhead (in contrast to having nothing on the interface and just passing traffic).

[[[And if this is designed to be a "non day 0"/reactive tool:

On a platform which doesn't have control-plane protection, how can we configure the router with a new pattern if the router/network itself is under a new attack, i.e. "passing worm traffic with 95+% CPU load"?

Just trying to dig out what the "value" of the FPM implementation is on the low-end 800 series up to the 7300.]]]

Good question. A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. Hence I mentioned that you can use FPM as day-zero up until your IPS signature becomes available/arrives. You're right in saying that if the router is already dealing with high CPU due to a worm, configuring FPM would push it even further, but you still have a good chance of salvaging your network at the expense of one router.

The control plane (traffic that's destined for the router itself) does protect itself in Cisco IOS, although if all traffic is "transit" and is "CEF-switched", then it does have the potential to starve the control plane.

I agree with you that HW offload would make this feature much more practical and easily deployable, but you know what, it's still a feature that no other vendor has on their network OS, plus Cisco doesn't charge any software license to use it :D

Keep the questions coming.

Thanks,

Afaq

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Afaq,

Can you provide one practical example of how FPM can help in combating worm or virus outbreak traffic?

Thanks,

Pradeep

Re: ASK THE EXPERT – USING IOS FLEXIBLE PACKET MATCHING ON CISC

Hi Pradeep,

Yes, as a reactive tool it can help you thwart worm/virus attack traffic (for example, the ones for which you're still waiting for your IPS sigs to be available). CCO has a few examples:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00805138d3.html#wp1027258

FPM is useful because it enables users to create their own stateless packet classification criteria and to define policies with multiple actions (such as drop, log, or send Internet Control Message Protocol [ICMP] unreachable) to immediately block new viruses, worms, and attacks.

Hope that clarifies, let me know if you need more pointers.
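As a worked illustration of the points made in this thread (the ACL-versus-FPM comparison, the stack class that keeps non-UDP traffic out of deep inspection, and the reactive worm policy Pradeep asked about), here is an added IOS FPM configuration. It is an editor's example, not configuration from Afaq's answers or from the linked Cisco pages. It assumes the ip.phdf and udp.phdf files are already on flash:, that the worm being blocked is UDP to port 0x59A (1434 decimal), and that the payload offset and the 4-byte value matched at it are placeholders, not a real worm signature; the interface name is likewise assumed.

```cisco
! Added example, not from the thread or the Cisco documents it links.
!
! What a plain ACL can do: match only header fields, so the whole port
! must be blocked, taking legitimate traffic on that port down with it.
!   ip access-list extended block-udp-1434
!    deny udp any any eq 1434
!    permit ip any any
!
! FPM can look past the UDP header into the payload at a fixed offset,
! so only packets carrying the worm's bytes are dropped.
!
! Protocol header description files (assumed already copied to flash:).
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
! Stack class: only UDP-over-IP packets are handed to deep inspection.
! TCP and everything else never reach the payload match below.
class-map type stack match-all ip-udp
 description "UDP over IP packets"
 match field ip protocol eq 0x11 next udp
!
! Access-control class: match-all means every line must be true, so
! the payload compare only runs for packets already on the worm's port.
! Offset 224 and value 0x12345678 are PLACEHOLDERS, not a real signature.
class-map type access-control match-all udp-worm
 description "placeholder worm signature, replace before use"
 match field udp dest-port eq 0x59A
 match start l3-start offset 224 size 4 eq 0x12345678
!
! Leaf policy: the action for a matched worm packet (drop; the thread
! also lists log and send-response as available actions).
policy-map type access-control fpm-udp-policy
 description "drop packets matching the worm signature"
 class udp-worm
  drop
!
! Top-level policy: only the ip-udp stack class is sent to the leaf
! policy, which is what bounds the CPU cost of deep inspection.
policy-map type access-control fpm-policy
 description "reactive worm filter"
 class ip-udp
  service-policy fpm-udp-policy
!
! Apply inbound on the interface facing the traffic (name assumed).
interface GigabitEthernet0/1
 service-policy type access-control input fpm-policy
!
! Check hit counters per class after applying:
! show policy-map type access-control interface GigabitEthernet0/1
```

The nesting is the practical answer to Cahyadi's CPU question: the stack class-map decides which packets are eligible for the payload compare at all, and match-all inside the access-control class stops evaluating at the first field that fails, so traffic that is not UDP to that port is never inspected beyond its headers.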
