The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Flexible Packet Matching (FPM) is the next generation access control list (ACL) pattern matching tool, providing more thorough and customized packet filters. FPM enables users to match on arbitrary bits of a packet at an arbitrary depth in the packet header and payload. FPM removes constraints to specific fields that had limited packet inspection.
FPM is useful because it enables users to create their own stateless packet classification criteria and to define policies with multiple actions (such as drop, log, or send Internet Control Message Protocol [ICMP] unreachable1 ) to immediately block new viruses, worms, and attacks.
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Flexible Packet Matching" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
•Prerequisites for Flexible Packet Matching
•Restrictions for Flexible Packet Matching
•Information About Flexible Packet Matching
•How to Configure a Flexible Packet Matching Traffic Class and Traffic Policy
•Configuration Examples for an FPM Configuration
•Feature Information for Flexible Packet Matching
Although access to an XML editor is not required, XML will ease the creation of protocol header description files (PHDFs).
•FPM can search for patterns up to 32 bytes in length within the first 256 bytes of the packet.
•A maximum of 32 classes are supported in a policy-map.
•For IP option packets, FPM inspects only the fields in the Layer 2 header and the first 20 bytes of the IP header.
•For noninitial IP fragments, FPM inspects only the fields in the Layer 2 header and the first 20 bytes of the IP header.
•FPM cannot be used to mitigate an attack that requires stateful classification.
•Because FPM is stateless, it cannot keep track of port numbers being used by protocols that dynamically negotiate ports. Thus, when using FPM, port numbers must be explicitly specified.
•FPM cannot perform IP fragmentation or TCP flow reassembly.
•FPM inspects only IPv4 unicast packets.
•FPM cannot classify packets with IP options.
•FPM does not support multicast packet inspection.
•FPM is not supported on tunnel and MPLS interfaces.
•Noninitial fragments will not be matched by the FPM engine.
•Offset can be only a constant in a match start construct.
•FPM cannot match across packets.
•Mapping of FPM policies to control-plane is not supported.
•Flexible Packet Matching Functional Overview
FPM allows customers to create their own filtering policies that can immediately detect and block new viruses and attacks.
A filtering policy is defined via the following tasks:
•Load a PHDF (for protocol header field matching)
•Define a class map and define the protocol stack chain (traffic class)
•Define a service policy (traffic policy)
•Apply the service policy to an interface
Protocol headers are defined in separate files called PHDFs; the field names that are defined within the PHDFs are used for defining the packet filters. A PHDF is a file that allows the user to leverage the flexibility of XML to describe almost any protocol header. The important components of the PHDF are the version, the XML file schema location, and the protocol field definitions. The protocol field definitions name the appropriate field in the protocol header, allow for a comment describing the field, provide the location of the protocol header field in the header (the offset is relative to the start of the protocol header), and provide the length of the field. Users can choose to specify the measurement in bytes or in bits.
Note The total length of the header must be specified at the end of each PHDF.
Note When redundant sup PHDF files are used by FPM policy, the files should also be on standby sup's corresponding disk. If the files are not available FPM policy will not work after the switch over.
Users can write their own custom PHDFs via XML for existing or proprietary protocols. However, the following standard PHDFs can also be loaded onto the router via the load protocol command: ip.phdf, ether.phdf, tcp.phdf, and udp.phdf.
Note Because PHDFs are defined via XML, they are not shown in a running configuration. However, you can use the show protocol phdf command to verify the loaded PHDF.
Standard PHDFs are available on Cisco.com at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/fpm
A filter description is a definition of a traffic class that can contain the header fields defined in a PHDF (using the match field command). If a PHDF is not loaded, the traffic class can be defined via the datagram header start (Layer 2) or the network header start (Layer 3) (using the match start command). If a PHDF has been loaded onto the router, the class specification begins with a list of the protocol headers in the packet.
A filter definition also includes the policy map; that is, after a class map has been defined, a policy map is needed to bind the match to an action. A policy map is an ordered set of classes and associated actions, such as drop, log, or send ICMP unreachable.
For information on how to configure a class map and a policy map for FPM, see the following section "How to Configure a Flexible Packet Matching Traffic Class and Traffic Policy."
This section contains the following procedures that should be followed when configuring a FPM traffic class and traffic policy within your network:
•Creating a Traffic Class for Flexible Packet Matching
•Creating a Traffic Policy for Flexible Packet Matching
Perform this task to create an FPM traffic class; that is, create a stateless packet classification criteria that, when used in conjunction with an appropriately defined policy, can mitigate network attacks.
Note If the PHDF protocol fields are referenced in the access-control classmap, the stack classmap is required in order to make FPM work properly
1. enable
2. configure terminal
3. load protocol location:filename
4. class-map [type {stack | access-control}] class-map-name [match-all | match-any]
5. description character-string
6. match field protocol protocol-field {eq [mask] | neq [mask] | gt | lt | range range | regex string} value [next next-protocol]
7. match start {l2-start | l3-start} offset number size number
{eq | neq | gt | lt | range range | regex string} value [value2]
8. exit
9. show class-map [type {stack | access-control}] [class-map-name]
To track all FPM events, issue the debug fpm event command.
The following sample output is from the debug fpm event command:
*Jun 21 09:22:21.607: policy-classification-inline(): matches class: class-default *Jun 21 09:22:21.607: packet-access-control(): policy-map: fpm-policy, dir: input, match. retval: 0x0, ip-flags: 0x80000000
After you have defined at least one class map for your network, you must create a traffic policy and apply that policy to an interface as shown in the following task "Creating a Traffic Policy for Flexible Packet Matching."
Perform this task to create an FPM traffic policy and apply the policy to a given interface.
1. enable
2. configure terminal
3. policy-map [type access-control] policy-map-name
4. description character-string
5. class class-name
6. drop
7. service-policy policy-map-name
8. exit
9. interface type name
10. service-policy [type access-control] {input | output} policy-map-name
11. exit
12. show policy-map interface [type access-control] interface-name [input | output]
This section contains the following configuration example:
•Configuring and Verifying FPM on ASR Platform: Example
The following example shows how to configure FPM on the ASR platform.
load protocol bootflash:ip.phdf
load protocol bootflash:tcp.phdf
class-map type stack match-all ip_tcp
match field IP protocol eq 6 next TCP
class-map type access-control match-all test_class
match field TCP dest-port gt 10
match start l3-start offset 40 size 32 regex "ABCD"
policy-map type access-control child
class test_class
drop
policy-map type access-control parent
class ip_tcp
service-policy child
interface GigabitEthernet0/3/0
ip address 10.1.1.1 255.0.0.0
service-policy type access-control input parent
In the following sample output, all TCP packets are seen under the class-map "ip_tcp" and all packets matching the specific pattern are seen under the class-map "test_class." TCP packets without the specific pattern are seen under the child policy "class-default," while all non-TCP packets are seen under the parent policy "class-default." (The counter is 0 in this example.)
Router# show policy-map type access-control interface GigabitEthernet0/3/0
GigabitEthernet0/3/0
Service-policy access-control input: parent
Class-map: ip_tcp (match-all)
2024995578 packets, 170099628552 bytes
5 minute offered rate 775915000 bps
Match: field IP version eq 4
Match: field IP ihl eq 5
Match: field IP protocol eq 6 next TCP
Service-policy access-control : child
Class-map: test_class (match-all)
1598134279 packets, 134243279436 bytes
5 minute offered rate 771012000 bps, drop rate 771012000 bps
Match: field TCP dest-port gt 10
Match: start l3-start offset 40 size 32 regex "ABCD"
drop
Class-map: class-default (match-any)
426861294 packets, 35856348696 bytes
5 minute offered rate 4846000 bps, drop rate 0 bps
Match: any
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Router#
The following sections provide references related to Flexible Packet Matching.
|
|
---|---|
Complete suite of QoS commands |
|
Information about commands listed in this document |
|
|
---|---|
None |
— |
|
|
---|---|
None |
To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
|
|
---|---|
None |
— |
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.