packet-length filtering

Mollerstrom
Level 1

I’m looking for a way to create and apply an outbound filter on an ASR9K (IOS-XR is currently 5.3.3 on an ASR9001 in the lab).

I would like to match, for example, on packet-length with an action of drop or police traffic.

A standard ACL will not work as I understand it, but you are able to match on packet-length in a class-map.

Using policy-map type pbr and class-map type traffic is only supported inbound, so now I wonder if there is another way to create an outbound filter that will match packet-length, tcp-flags, fragment-types.

Just a short config example:

policy-map type pbr TEST_VER1
 class type traffic PACKET_LENGTH_1
  drop
 !
end-policy-map
!
class-map type traffic match-all PACKET_LENGTH_1
 match packet length ipv4 567
end-class-map
!

Thanks Jonas

Accepted Solutions

Eddie Chami
Cisco Employee

PBR is the only way to do this ingress at the moment; it's not possible egress.

In 6.2.2 you will be able to natively match the pkt length with an ACL (without PBR), but this is supported on the 800G line cards (Tomahawk). The 9001 is built on the Typhoon Arch; there is no plan to support the packet length matching there.


Regards

Eddie. 

Hello Eddie, thanks for the information.

I suppose the same is valid for matching fragments, tcp flags (supported in PBR)?

Also do you know if the next gen 9001 is based on Tomahawk?

//J

There will be 9901 at the end of the year.

It will probably be Tomahawk based HW.

Yes, ASR9901 is Tomahawk based.

Adam Vitkovsky
Level 3

If you want to create an outbound filter that will match packet-length, you can use QOS policing for that purpose.

 

adam

I don't think that will work if I want to have a drop or police action; it seems to only be supported in PBR.

Hi Adam, may I ask you for an example?

AFAIK matching packet length requires class-type traffic

!!% Policy manager does not support this feature: Match type "ip packet-length" not supported for class-map type "qos"

And you cannot use a class-map type traffic in a QoS policy
!!% Policy manager does not support this feature: Class-map type "traffic" not supported within policy-map type "qos"

It's working in PBR, but PBR is ingress

//J
