Cisco Bug: CSCtd85335 - FPM with match statement for IP length gt doesn't work

Last Modified

Jan 30, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

12.4(24)T

Description (partial)

Symptom:

FPM is configured to block a packet that is larger than a given size. This configuration doesn't work if the gt keyword is used.

Conditions:

FPM is configured. A match statement is configured to match traffic that has an ip length that is greater than X. Your config may look like this:

Router(config)# class-map type stack match-all ip-udp
Router(config-cmap)# description "match UDP over IP packets"
Router(config-cmap)# match field ip protocol eq 0x11 next udp

Router(config)# class-map type access-control match-all slammer
Router(config-cmap)# description "match on slammer packets"
Router(config-cmap)# match field udp dest-port eq 0x59A
Router(config-cmap)# match field ip length gt 0x194
Router(config-cmap)# match start l3-start offset 224 size 4 eq 0x4011010

Router(config)# policy-map type access-control fpm-udp-policy
Router(config-pmap)# description "policy for UDP based attacks"
Router(config-pmap)# class slammer
Router(config-pmap-c)# drop

Router(config)# policy-map type access-control fpm-policy
Router(config-pmap)# description "drop worms and malicious attacks"
Router(config-pmap)# class ip-udp
Router(config-pmap-c)# service-policy fpm-udp-policy

The problem is with this command: "match field ip length gt 0x194". In the config this is supposed to block packets whose IP total length is greater than 404 bytes (0x194). However, this configuration will not block the matching traffic.
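As an added example (not part of the Cisco bug record), the following Python reimplements the match logic the class-maps above express, so an operator can build test packets and know exactly which ones the policy should drop when checking a router against this bug. The constants come from the page's config; the packet builder, its addresses and the zero-filled payload are constructed for the test and carry no real payload.

```python
import struct

# Values taken from the class-maps on this page.
UDP_PROTO = 0x11
SLAMMER_PORT = 0x59A      # 1434
MIN_IP_LENGTH = 0x194     # 404 bytes; "gt" means strictly greater
SIG_OFFSET = 224          # offset from l3-start
SIG_VALUE = 0x4011010


def class_ip_udp(pkt: bytes) -> bool:
    """class-map type stack ip-udp: IP protocol field == 0x11 (UDP)."""
    return len(pkt) >= 20 and pkt[9] == UDP_PROTO


def class_slammer(pkt: bytes) -> bool:
    """class-map type access-control slammer (match-all): every match
    statement must hold. pkt starts at the IP header (l3-start)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if len(pkt) < ihl + 8:
        return False
    udp_dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if udp_dport != SLAMMER_PORT:
        return False
    if not total_len > MIN_IP_LENGTH:      # gt: 404 bytes must NOT match
        return False
    if len(pkt) < SIG_OFFSET + 4:
        return False
    sig = struct.unpack("!I", pkt[SIG_OFFSET:SIG_OFFSET + 4])[0]
    return sig == SIG_VALUE


def fpm_policy_drops(pkt: bytes) -> bool:
    """policy-map fpm-policy: class ip-udp -> fpm-udp-policy -> class slammer -> drop."""
    return class_ip_udp(pkt) and class_slammer(pkt)


def build_udp_packet(payload_len: int, dport: int = SLAMMER_PORT, sig: bool = True) -> bytes:
    """Constructed test packet: IPv4 + UDP headers, zero payload, and optionally
    the 4-byte signature at l3-start offset 224. Addresses are placeholders."""
    total_len = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, UDP_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 1024, dport, 8 + payload_len, 0)
    pkt = bytearray(ip + udp + bytes(payload_len))
    if sig and len(pkt) >= SIG_OFFSET + 4:
        pkt[SIG_OFFSET:SIG_OFFSET + 4] = struct.pack("!I", SIG_VALUE)
    return bytes(pkt)
```

A 404-byte packet (payload 376) must pass under "gt", while a 405-byte one (payload 377) must be dropped; if the router behaves otherwise, the bug described here is in play.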