-
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
-
Automatic Signature Extraction
-
Cisco IOS Firewall Overview
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall Stateful Failover
-
Cisco IOS Firewall Support for TRP
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Firewall Websense URL Filtering
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall
-
Cisco IOS Firewall H.323 Support
-
H.323 RAS Support in Cisco IOS Firewall
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Application Inspection and Control for SMTP
-
Subscription-based Cisco IOS Content Filtering
-
Cisco IOS Firewall Support for Skinny Local Traffic and CME
-
User Based Firewall Support
-
- Cisco IOS Intrusion Prevention System (IPS)
- Flexible Packet Matching
-
Configuring IP Security Options
-
Configuring Port to Application Mapping
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
- Unicast Reverse Path Forwarding (uRPF)
- Threat Information Distribution Protocol (TIDP) and TMS
-
Table Of Contents
Prerequisites for Flexible Packet Matching
Restrictions for Flexible Packet Matching
Information About Flexible Packet Matching
Flexible Packet Matching Functional Overview
Protocol Header Description File
Traffic Classification Definition Files (TCDFs) for the Flexible Packet Matching XML Configuration
FPM on The Catalyst 6500 Equipped with PISA Overview
Full Packet FPM Search Window Increase
How to Configure a Flexible Packet Matching Traffic Class and Traffic Policy
Creating a Traffic Class for Flexible Packet Matching
Creating a Traffic Policy for Flexible Packet Matching
Copying a Matched Packet To a Different Destination Interface
Redirecting a Matched Packet To a Different Destination Interface
Configuring Packaging Support for Flexible Packet Matching
Configuration Examples for FPM Configuration
Configuring FPM for Slammer Packets: Example
Configuring FPM for Blaster Packets: Example
Configuring FPM for MyDoom Packets: Example
Configuring and Verifying FPM on ASR Platform: Example
Verifying FPM Package Support: Example
Feature Information for Flexible Packet Matching
Flexible Packet Matching
First Published: October 31, 2006Last Updated: October 2, 2009Flexible Packet Matching (FPM) is the next generation access control list (ACL) pattern matching tool, providing more thorough and customized packet filters. FPM enables users to match on arbitrary bits of a packet at an arbitrary depth in the packet header and payload. FPM removes constraints to specific fields that had limited packet inspection.
FPM is useful because it enables users to create their own stateless packet classification criteria and to define policies with multiple actions (such as drop, log, or send Internet Control Message Protocol [ICMP] unreachable1 ) to immediately block new viruses, worms, and attacks.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Flexible Packet Matching" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Flexible Packet Matching
•
•
•
•
•
Prerequisites for Flexible Packet Matching
•
•
•
Restrictions for Flexible Packet Matching
•
•
•
•
•
•
•
•
•
•
•
•
Restrictions For the ASR Platform in Cisco IOS XE Release 2.2
•
•
•
•
Information About Flexible Packet Matching
Before configuring FPM, you should understand the following concept:
•
•
•
•
Flexible Packet Matching Functional Overview
FPM allows customers to create their own filtering policies that can immediately detect and block new viruses and attacks.
A filtering policy is defined via the following tasks:
•
•
•
•
Protocol Header Description File
Protocol headers are defined in separate files called PHDFs; the field names that are defined within the PHDFs are used for defining the packet filters. A PHDF is a file that allows the user to leverage the flexibility of XML to describe almost any protocol header. The important components of the PHDF are the version, the XML file schema location, and the protocol field definitions. The protocol field definitions name the appropriate field in the protocol header, allow for a comment describing the field, provide the location of the protocol header field in the header (the offset is relative to the start of the protocol header), and provide the length of the field. Users can choose to specify the measurement in bytes or in bits.
Note
Note
Users can write their own custom PHDFs via XML for existing or proprietary protocols. However, the following standard PHDFs can also be loaded onto the router via the load protocol command: ip.phdf, ether.phdf, tcp.phdf, and udp.phdf.
Note
Standard PHDFs are available on Cisco.com at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/fpmFilter Description
A filter description is a definition of a traffic class that can contain the header fields defined in a PHDF (using the match field command). If a PHDF is not loaded, the traffic class can be defined via the datagram header start (Layer 2) or the network header start (Layer 3) (using the match start command). If a PHDF has been loaded onto the router, the class specification begins with a list of the protocol headers in the packet.
A filter definition also includes the policy map; that is, after a class map has been defined, a policy map is needed to bind the match to an action. A policy map is an ordered set of classes and associated actions, such as drop, log, or send ICMP unreachable.
For information on how to configure a class map and a policy map for FPM, see the following section "How to Configure a Flexible Packet Matching Traffic Class and Traffic Policy."
Traffic Classification Definition Files (TCDFs) for the Flexible Packet Matching XML Configuration
FPM uses a traffic classification definition file (TCDF) to define policies that can block attacks on the network. Before Cisco IOS Release 12.4(6)T, FPM defined traffic classes (class maps), policies (policy maps), and service policies (attach policy maps to class maps) through the use of CLI commands. With TCDFs, FPM can use XML as an alternative to the CLI to define classes of traffic and specify actions to apply to the traffic classes. Traffic classification behavior is the same whether you create the behavior using a TCDF or configure it using CLI commands. Once a TCDF is created, it can be loaded on any FPM-enabled device in the network.
Note
For more information on configuring FPM using TCDFs, see Flexible Packet Matching XML Configuration.
FPM on The Catalyst 6500 Equipped with PISA Overview
The PISA functions as a network-processor based daughter card that is mounted on the Catalyst 6500 Supervisor. PISA provides a superset of the multilater switch feature card 2a (MSFC2a) capabilities. In addition to performing all of the same functions as the MSFC2a, PISA also provides a dedicated hardware to accelerate certain features, such as FPM.
Network-Based Application Recognition (NBAR) occurs before FPM; thus, packets that are dropped by FPM are processed by NBAR.
Logging FPM Activity
In software-based FPM logging, every flow is logged and aggregated statistics are provided for each flow. Logging every flow for FPM on PISA would overwhelm the CPU; thus, only selective packets are logged. That is, when a packet matches a policy that is to be logged or the first time, the packet is logged, time-stamped, and stored. For every subsequent packet that matches any policy with a log action, the packet is checked for the difference between the current time (which is clocked by the global timer) and the last time stamp. If the current time is greater than the last time stamp, the packet is logged and the "stamp time" is updated with the current time.
Memory Requirements
Note
•
•
•
Encrypted TCDF Support
Traffic Classification Definition Files (TCDFs) provide pre-configured FPM filters written in XML format which can be directly loaded onto a router. The XML format prohibits the Cisco Product Security Incident Response Team (PSIRT) from being able to provide public TCDF filters as it would expose the vulnerability to potential attackers. This information could then be used to exploit PSIRT vulnerabilities in some systems.
FPM encrypted TCDF (eTCDF) filter support will provide encrypted FPM filters. Applying the PSIRT provided eTCDF FPM filter will protect routers from PSIRT incidents allowing time to certify new IOS releases that contains the PSIRT fixes.
To access eTCDFs you configure the router using the time-range command to periodically check for package updates. At the specified time the router connects to the server containing the FPM packages to request the latest version. When the router gets feedback from the server it compares the FPM packet version number from the server with the local FPM packet version. If there is an updated package on the server the router downloads the package content, replacing the old package with the new package and updating the local configuration.
TCDF Packaging Support
TCDFs are FPM filters in XML format, each TCDF file is designed to filter for a single individual worm or virus. TCDF packaging support provides packages containing at least one or more worm or virus filters and efficiently updates FPM filters as threat characteristics change. When FPM filters are updated all systems in a network are automatically updated. This reduces the the amount of router configuration needed to deploy FRM filters.
Full Packet FPM Search Window Increase
FPM now supports searching for patterns up to 256 bytes long anywhere within the entire packet. Also, the number of filters that can be configured per class map has increased from 8 to 32. The additional filters can help offset adverse CPU performance that may occur if the "window" for pattern searching is increased. This will also allow FPM users to take advantage of the regex strings used by IPS in their signatures.
How to Configure a Flexible Packet Matching Traffic Class and Traffic Policy
This section contains the following procedures that should be followed when configuring a FPM traffic class and traffic policy within your network:
•
•
•
Creating a Traffic Class for Flexible Packet Matching
Perform this task to create an FPM traffic class; that is, create a stateless packet classification criteria that, when used in conjunction with an appropriately defined policy, can mitigate network attacks.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
{eq | neq | gt | lt | range range | regex string} value [value2]8.
9.
DETAILED STEPS
Troubleshooting Tips
To track all FPM events, issue the debug fpm event command.
The following sample output is from the debug fpm event command:
*Jun 21 09:22:21.607: policy-classification-inline(): matches class: class-default *Jun 21 09:22:21.607: packet-access-control(): policy-map: fpm-policy, dir: input, match. retval: 0x0, ip-flags: 0x80000000What to Do Next
After you have defined at least one class map for your network, you must create a traffic policy and apply that policy to an interface as shown in the following task "Creating a Traffic Policy for Flexible Packet Matching."
Creating a Traffic Policy for Flexible Packet Matching
Perform this task to create an FPM traffic policy and apply the policy to a given interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Copying a Matched Packet To a Different Destination Interface
Perform this task to configure a traffic class to copy packets belonging to a specific class to a different destination interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Redirecting a Matched Packet To a Different Destination Interface
Perform this task to configure a traffic class to redirect packets belonging to a specific class to a different destination.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Configuring Packaging Support for Flexible Packet Matching
Perform this task to configure FPM packaging support.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Configuration Examples for FPM Configuration
This section contains the following configuration examples:
•
•
•
•
•
Configuring FPM for Slammer Packets: Example
The following example shows how to define FPM traffic classes for slammer packets (UDP port 1434). The match criteria defined within the class maps is for slammer packets with an IP length not to exceed 404 bytes, UDP port 1434, and pattern 0x4011010 at 224 bytes from start of IP header. This example also shows how to define the service policy "fpm-policy" and apply it to the Gigabit Ethernet interface. Show commands have been issued to verify the FPM configuration. (Note that PHDFs are not displayed in show output because they are in XML format.)
Router(config)# load protocol disk2:ip.phdfRouter(config)# load protocol disk2:udp.phdfRouter(config)# class-map type stack match-all ip-udpRouter(config-cmap)# description "match UDP over IP packets"Router(config-cmap)# match field ip protocol eq 0x11 next udpRouter(config)# class-map type access-control match-all slammerRouter(config-cmap)# description "match on slammer packets"Router(config-cmap)# match field udp dest-port eq 0x59ARouter(config-cmap)# match field ip length eq 0x194Router(config-cmap)# match start l3-start offset 224 size 4 eq 0x4011010Router(config)# policy-map type access-control fpm-udp-policyRouter(config-pmap)# description "policy for UDP based attacks"Router(config-pmap)# class slammerRouter(config-pmap-c)# dropRouter(config)# policy-map type access-control fpm-policyRouter(config-pmap)# description "drop worms and malicious attacks"Router(config-pmap)# class ip-udpRouter(config-pmap-c)# service-policy fpm-udp-policyRouter(config)# interface gigabitEthernet 0/1Router(config-if)# service-policy type access-control input fpm-policyRouter# show policy-map type access-control interface gigabit 0/1GigabitEthernet0/1Service-policy access-control input: fpm-policyClass-map: ip-udp (match-all)0 packets, 0 bytes3 minute offered rate 0 bpsMatch: field IP protocol eq 0x11 next UDPService-policy access-control : fpm-udp-policyClass-map: slammer (match-all)0 packets, 0 bytes3 minute offered rate 0 bps, drop rate 0 bpsMatch: field UDP dest-port eq 0x59AMatch: field IP length eq 0x194Match: start l3-start offset 224 size 4 eq 0x4011010dropClass-map: class-default (match-any)0 packets, 0 bytes3 minute offered rate 0 bps, drop rate 0 bpsMatch: anyClass-map: class-default (match-any)0 packets, 0 bytes3 minute offered rate 0 bps, drop rate 0 bpsMatch: anyRouter# show protocol phdf ipProtocol ID: 1Protocol name: IPDescription: Definition-for-the-IP-protocolOriginal file name: disk2:ip.phdfHeader length: 20Constraint(s):Total number of fields: 12Field id: 0, version, IP-versionFixed offset. offset 0Constant length. Length: 4Field id: 1, ihl, IP-Header-LengthFixed offset. offset 4Constant length. Length: 4Field id: 2, tos, IP-Type-of-ServiceFixed offset. offset 8Constant length. Length: 8Field id: 3, length, IP-Total-LengthFixed offset. offset 16Constant length. Length: 16Field id: 4, identification, IP-IdentificationFixed offset. offset 32Constant length. Length: 16Field id: 5, flags, IP-Fragmentation-FlagsFixed offset. offset 48Constant length. Length: 3Field id: 6, fragment-offset, IP-Fragmentation-OffsetFixed offset. offset 51Constant length. Length: l3Field id: 7, ttl, Definition-for-the-IP-TTLFixed offset. offset 64Constant length. Length: 8Field id: 8, protocol, IP-ProtocolFixed offset. offset 72Constant length. Length: 8Field id: 9, checksum, IP-Header-ChecksumFixed offset. offset 80Constant length. Length: 16Field id: 10, source-addr, IP-Source-AddressFixed offset. offset 96Constant length. Length: 32Field id: 11, dest-addr, IP-Destination-AddressFixed offset. offset 128Constant length. Length: 32Router# show protocol phdf udpProtocol ID: 3Protocol name: UDPDescription: UDP-ProtocolOriginal file name: disk2:udp.phdfHeader length: 8Constraint(s):Total number of fields: 4Field id: 0, source-port, UDP-Source-PortFixed offset. offset 0Constant length. Length: 16Field id: 1, dest-port, UDP-Destination-PortFixed offset. offset 16Constant length. Length: 16Field id: 2, length, UDP-LengthFixed offset. offset 32Constant length. Length: 16Field id: 3, checksum, UDP-ChecksumFixed offset. offset 48Constant length. Length: 16Configuring FPM for Blaster Packets: Example
The following example shows how to configure FPM for blaster packets. The class map contains the following match criteria: TCP port 135, 4444 or UDP port 69; and pattern 0x0030 at 3 bytes from start of IP header.
Router(config)# load protocol disk2:ip.phdfRouter(config)# load protocol disk2:tcp.phdfRouter(config)# load protocol disk2:udp.phdfRouter(config)# class-map type stack match-all ip-tcpRouter(config-cmap)# match field ip protocol eq 0x6 next tcpRouter(config)# class-map type stack match-all ip-udpRouter(config-cmap)# match field ip protocol eq 0x11 next udpRouter(config)# class-map type access-control match-all blaster1Router(config-cmap)# match field tcp dest-port eq 135Router(config-cmap)# match start l3-start offset 3 size 2 eq 0x0030Router(config)# class-map type access-control match-all blaster2Router(config-cmap)# match field tcp dest-port eq 4444Router(config-cmap)# match start l3-start offset 3 size 2 eq 0x0030Router(config)# class-map type access-control match-all blaster3Router(config-cmap)# match field udp dest-port eq 69Router(config-cmap)# match start l3-start offset 3 size 2 eq 0x0030Router(config)# policy-map type access-control fpm-tcp-policyRouter(config-pmap)# class blaster1Router(config-pmap-c)# dropRouter(config-pmap-c)# class blaster2Router(config-pmap-c)# dropRouter(config)# policy-map type access-control fpm-udp-policyRouter(config-pmap)# class blaster3Router(config-pmap-c)# dropRouter(config)# policy-map type access-control fpm-policyRouter(config-pmap)# class ip-tcpRouter(config-pmap-c)# service-policy fpm-tcp-policyRouter(config-pmap)# class ip-udpRouter(config-pmap-c)# service-policy fpm-udp-policyRouter(config)# interface gigabitEthernet 0/1Router(config-if)# service-policy type access-control input fpm-policyConfiguring FPM for MyDoom Packets: Example
The following example shows how to configure FPM for MyDoom packets. The match criteria is as follows:
•
•
or
•
•
•
Router(config)# load protocol disk2:ip.phdfRouter(config)# load protocol disk2:tcp.phdfRouter(config)# class-map type stack match-all ip-tcpRouter(config-cmap)# match field ip protocol eq 0x6 next tcpRouter(config)# class-map type access-control match-all mydoom1Router(config-cmap)# match field ip length gt 44Router(config-cmap)# match field ip length lt 90Router(config-cmap)# match start l3-start offset 40 size 4 eq 0x47455420Router(config)# class-map type access-control match-all mydoom2Router(config-cmap)# match field ip length gt 44Router(config-cmap)# match start l3-start offset 40 size 4 eq 0x47455420Router(config-cmap)# match start l3-start offset 78 size 4 eq 0x6d3a3830Router(config)# policy-map type access-control fpm-tcp-policyRouter(config-pmap)# class mydoom1Router(config-pmap-c)# dropRouter(config-pmap-c)# class mydoom2Router(config-pmap-c)# dropRouter(config)# policy-map type access-control fpm-policyRouter(config-pmap)# class ip-tcpRouter(config-pmap-c)# service-policy fpm-tcp-policyRouter(config)# interface gigabitEthernet 0/1Router(config-if)# service-policy type access-control input fpm-policyConfiguring and Verifying FPM on ASR Platform: Example
The following example shows how to configure FPM on the ASR platform.
load protocol bootflash:ip.phdfload protocol bootflash:tcp.phdfclass-map type stack match-all ip_tcpmatch field IP protocol eq 6 next TCPclass-map type access-control match-all test_classmatch field TCP dest-port gt 10match start l3-start offset 40 size 32 regex "ABCD"policy-map type access-control childclass test_classdroppolicy-map type access-control parentclass ip_tcpservice-policy childinterface GigabitEthernet0/3/0ip address 10.1.1.1 255.0.0.0service-policy type access-control input parentIn the following sample output, all TCP packets are seen under the class-map "ip_tcp" and all packets matching the specific pattern are seen under the class-map "test_class." TCP packets without the specific pattern are seen under the child policy "class-default," while all non-tcp packets are seen under the parent policy "class-default." (The counter is 0 in this example.)
Router# show policy-map type access-control interface gig0/3/0GigabitEthernet0/3/0Service-policy access-control input: parentClass-map: ip_tcp (match-all)2024995578 packets, 170099628552 bytes5 minute offered rate 775915000 bpsMatch: field IP version eq 4Match: field IP ihl eq 5Match: field IP protocol eq 6 next TCPService-policy access-control : childClass-map: test_class (match-all)1598134279 packets, 134243279436 bytes5 minute offered rate 771012000 bps, drop rate 771012000 bpsMatch: field TCP dest-port gt 10Match: start l3-start offset 40 size 32 regex "ABCD"dropClass-map: class-default (match-any)426861294 packets, 35856348696 bytes5 minute offered rate 4846000 bps, drop rate 0 bpsMatch: anyClass-map: class-default (match-any)0 packets, 0 bytes5 minute offered rate 0 bps, drop rate 0 bpsMatch: anyRouter#Verifying FPM Package Support: Example
The following example shows how to verify FPM Package support.
Router# show fpm package-infofpm package-infohost 10.0.0.1remote-path fpm-group/local-path archive/user ciscopasswordprotocoltime-range weeklyRouter# show fpm package-groupgroup name: fpm-weekly-updateauto-loadfpm package: fpm-package-45fpm package: fpm-group-securepackage action: logAdditional References
The following sections provide references related to Flexible Packet Matching.
Related Documents
Configuring FPM using traffic classification definition files (TCDFs).
Complete suite of QoS commands
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for Flexible Packet Matching
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Flexible Packet Matching
Flexible Packet Matching
12.4(4)T
12.2(18)ZY
Cisco IOS XE
Release 2.2FPM is a packet classification feature that allows users to define one or more classes of network traffic by pairing a rich set of standard matching operators with user-defined protocol header fields.
In Cisco IOS Release 12.2(18)ZY, FPM was implemented on the Catalyst 6500 series of switches equipped with the PISA.
In Cisco IOS XE Release 2.2, FPM was introduced on Cisco ASR 1000 Series Routers.
The following sections provide information about this feature:
•
•
The following commands were introduced or modified:
class (policy-map) , class-map, debug fpm event, description (class-map), load protocol, match field, match start, policy-map, service-policy, show class-map, show policy-map interface, show protocol phdf, copy interface, redirect interface
FPM Full Packet Filtering
12.4(15)T
In Cisco IOS Release 12.4(15)T, FPM now supports searching for patterns up to 56 bytes long anywhere within the entire packet. Prior to 12.4(15)T, FPM only supported searching for patterns up to 32 bytes long within the first 256 bytes of the packet.
Enhance FPM Search Window Size To 128 bytes
12.2(18)ZYA
FPM now supports searching for patterns up to 128 bytes long anywhere within the entire packet. Also, the number of filters that can be configured per class map has increased from 8 to 32. The additional filters can help offset adverse CPU performance that may occur if the "window" for pattern searching is increased. (However, some optimizations for better performance are possible with match-any type of class maps that have filters starting at same the same offset and the same size.)
FPM copy or redirect matched packets
12.2(18)ZYA1
When a match of the policy is found, the packet can be redirected to a different destination or a copy of the packet can be sent to a different destination.
This is possible with the copy interface and redirect interface commands introduced in this release.
The actions supported in this release are drop, log, copy, redirect, drop and log, copy and log, redirect and log.
FPM- Packaging, eTCDF and Full Packet Search Enhancements
15.0(1)M
FPM- Packaging, eTCDF and Full Packet Search Enhancements provide pre-configured FPM filters written in XML format which can be directly loaded onto a router.
The following sections provide information about this feature:
•
•
•
The following commands were introduced or modified: fpm package-group, fpm package-info, show fpm-package-group, show fpm package-info.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007—2009 Cisco Systems, Inc. All rights reserved1 Send ICMP unreachable is currently not supported on the Supervisor Engine 32 PISA.
