homeaboutcontacttestimonialsregistercourse scheduleblog            
Cisco Security: Flexible Packet Matching


February 1, 2010
By Steve Means, CCSP, CCSI# 32951

For a pdf of this article: Flexible Packet Matching


One of the issues facing network and security engineers is defending the network against dynamic threats. This means traffic that
cannot easily be identified by regular means, such as an application that changes layer 4 ports or tunnels within an existing
protocol. Because of this, a solution is needed to match and filter based on specific information within the packet that is unique to
the application you want to block.

Enter “Flexible Packet Matching”, otherwise known as FPM. FPM works by loading XML files called “Protocol Header Description
Files” that define fields within the protocol header: IP, TCP, UDP, ICMP, etc…. Once defined, information within the fields can be
matched and acted on using MQC.

As a simple example, we’re going to allow ICMP but block echo requests that come from with a length greater than

To enable FPM, you need to first load the PHDFs for the protocol stack you’ll be working with. We’ll be using ETHER, IP and
ICMP, so those files are loaded with the “load” command:

load protocol system:/fpm/phdf/ether.phdf
load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/icmp.phdf

Next you have to tell FPM the correct protocol stack to examine. This is done with a class-map type stack. Notice that we start at
layer 2, match the ethertype for IP, then move to layer 3, matching IP protocol 1 or ICMP.

class-map type stack match-all IP_ICMP
stack-start l2-start
match field ether type eq 0x800 next IP
match field layer 3 IP protocol eq 1 next ICMP

With the stack defined, we’re now free to match the specific information we’re after, FPM uses “class-map type access-control”.


class-map type access-control match-all BAD_ICMP
match field ICMP type eq 8
match field IP length gt 500
match field IP source-addr eq

Now we’ll create a “policy-map type access-control” to drop any traffic that is a part of this class. This policy map is then nested
within another policy map that matches our previously defined protocol stack. It is then applied to the interface:

policy-map type access-control DROP_BAD_ICMP
class BAD_ICMP
policy-map type access-control FPM
class IP_ICMP
service-policy DROP_BAD_ICMP
interface fa0/1
service-policy type access-control input FPM

Verification is simple. First we’ll ping from a router with an interface IP of with no options:

R2# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/58/60 ms

The ping is successful as expected. It matches the stack, ICMP type and source address, but not the size. Now we can repeat the
ping, upping the size:

R2# ping size 1000
Type escape sequence to abort.
Sending 5, 1000-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

This time the packets were dropped. We can further verify by checking the policy-map on the router using FPM. Notice that we
have lots of packets matching the stack class-map, but only our 5 echo requests were dropped:

R1#sho policy-map type access-control interface

Service-policy access-control input: FPM

Class-map: IP_ICMP (match-all)
136 packets, 15468 bytes
5 minute offered rate 0 bps
Match: field ETHER type eq 0x800 next IP
Match: field layer 3 IP protocol eq 1 next ICMP

Service-policy access-control: DROP_BAD_ICMP

Class-map: BAD_ICMP (match-all)
5 packets, 5070 bytes
5 minute offered rate 0 bps
Match: field ICMP type eq 8
Match: field IP length gt 500
Match: field IP source-addr eq -1062729462

This is a fairly basic example that is easy to verify and learn with. FPM can be much more detailed, even going so far as to match
specific strings within the data payload itself. The preferred method of applying this in the field is to sniff the traffic you’re
interested in, find something that is unique to this traffic and match based on it.




375 N. Stephanie Street, Bldg 21 Suite 2111 Henderson, NV 89014
Website: www.ccbootcamp.com Phone: 877.654.2243

For questions or comments about this article please email sales@ccbootcamp.com

CC Bootcamp Twitter
CC Bootcamp Linkedin
Pearson Vue
CONTACT US | TOLL FREE: 1.877.654.2243 or 1.877.NLI.CCIE | INTERNATIONAL: +1.702.968.5100
©2010 Network Learning, Inc. All Rights Reserved.