What is Cisco IOS Flexible Packet Matching (FPM)?
Networks are experiencing increasing sophisticated attacks that require mitigating tools that are as flexible as possible. Cisco IOS Flexible Packet Matching (FPM) is a set of classes and policies that provides pattern matching capability for more granular and customized packet filters for Layer 2 to 7-bit/byte matching capability deep into the packet at any offset within the packet header and payload.
Put simply, it is a powerful, easy, and rapid deployment mechanism that enables users to specify criteria to match against any part of a packet (header and payload) and define the action to take. In short, FPM is able to classify a packet based on its characteristics and take appropriate action.
How does Cisco IOS Flexible Packet Matching Work?
Cisco IOS Flexible Packet Matching (FPM) uses the following characteristics to ensure users successfully mitigate attacks.
• Is a stateless solution and inspects one packet at a time.
• Matches on all static packet characteristics like protocol, port, IP address.
• Uses a Protocol Header Description File (PHDF) that allows the user to define a class match criteria based on any field in the protocol header.
• Supports an offset, size and string keywords, and regular expressions (regex) to allow the user to match on strings or bytes in the packet payload.
• Uses class-map and policy-map configuration syntax to specify the protocol stack, the match criteria and action to take.
Protocol Header Description File (PHDF)
A PHDF defines each field contained in a particular protocol’s header. Each field is described with a name, optional comment, offset, and length.
The offset is always specified from the beginning of the header. Both the offset field and the length field may be specified either in terms of bits or
Standard PHDFs available to be loaded include: ether.phdf, ip.phdf, tcp.phdf, and udp.phdf. These PHDFs provide Layer 2–4 protocol definition.
Users may write their own custom PHDFs off-box using the XML language to provide the desired protocol definition through Layer 7.
Steps to Configure Cisco IOS Flexible Packet Matching (FPM)
Step 1. Load the protocol header description file(s) (PHDF)
Router(config)# load protocol system:udp.phdf
Step 2. Define the protocol stack (IP-UDP, IP-TCP, etc.)
Router(config)# class-map type stack ip-udp match-all
Router(config-cmap)# match field ip protocol eq 0x11 next udp
Step 3. Define FPM match criteria filter (class-map)
Router(config)# class-map type access-control slammer match-all
Router(config-cmap)# description "match on slammer packets"
Router(config-cmap)# match field udp dest-port eq 1434
Router(config-cmap)# match start l3-start offset 224 size 4 eq 0x4011010
Step 4. Define action to take on classes (service-map)
Router(config)# policy-map type access-control fpm-udp-policy
Router(config-pmap)# description "policy for UDP based attacks"
Router(config-pmap)# class slammer
Router(config)# policy-map type access-control fpm-policy
Router(config-pmap)# class ip_udp
Router(config-pmap-c)# service policy fpm-udp-policy
Step 5. Apply service policy to an interface
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# service-policy type access-control input fpm-policy