What's the difference between ACL and FPM? In detail, please, but in a simple, easy-to-understand way.
Cisco – The Difference Between ACL and FPM
Best Answer
I assume you're asking to compare Cisco Access Control Lists (ACL) and Cisco Flexible Packet Matching (FPM).
Packets contain a number of fields, such as:
ACLs
Traditional ACLs can only permit or deny based on a limited number of fields (some of the most commonly used fields are listed above); these fields are well-known throughout the internet. However, traditional ACLs cannot filter inside the payload of an IP packet. For instance, if someone wanted to block certain kinds of Tibco RV UDP Multicast payloads, it's impossible to do so with traditional ACLs. Traditional ACLs look like this...
FPM
However, FPM can block / allow on any bit inside a single packet header or payload[1], as long as there is a valid PHDL file loaded for the field that needs to be blocked or allowed. FPM can define a hierarchy of classes and policies to implement very granular control over the packets that are allowed or denied.
This is an example policy, taken from the FPM docs, which matches UDP packets sent by the Slammer Worm. It would be impossible to block the hosts infected with the Slammer Worm using ACLs unless you block both good and bad SQL traffic by individual IP source addresses.
End Notes:
[1] FPM's limitation of inspecting a single IP packet is non-trivial, since that means it's possible to circumvent FPM if an attack manages to split the attack signatures across multiple IP fragments or TCP packets (since the TCP stream is reassembled at the receiver). That said, it's still a very powerful tool as long as you understand the limitations of the technology.
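The following is an added illustration of the distinction drawn in the answer above; it is not code from the answer, from Cisco, or from the FPM documentation. It models a traditional ACL as a first-match list over header fields only, and an FPM access-control class as header fields plus a byte pattern at a payload offset (the idea behind `match start ... offset ... size`). All packets, addresses and the `WORMSIG` signature are constructed for the example; the signature stands in for real worm bytes. The second function reproduces the single-packet limitation from the end note: once the datagram is split so the signature straddles two fragments, neither fragment matches on its own, but the reassembled datagram does. The model keeps the destination port on every fragment, which is a simplification that is generous to the per-packet matcher; real non-first IP fragments carry no UDP header at all.

```python
"""Toy model of Cisco ACL vs FPM matching (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "udp" or "tcp"
    dport: int
    payload: bytes
    frag_id: int = 0      # fragments of one datagram share an id
    frag_offset: int = 0  # byte offset of this fragment within the datagram
    more_frags: bool = False


@dataclass
class AclEntry:
    """ACL entry: header fields only, no visibility into the payload."""
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def acl_decide(acl: List[AclEntry], p: Packet) -> str:
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


@dataclass
class FpmClass:
    """FPM class: header fields plus arbitrary bytes at a payload offset."""
    proto: str
    dport: int
    offset: int
    pattern: bytes

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto or p.dport != self.dport:
            return False
        window = p.payload[self.offset:self.offset + len(self.pattern)]
        return window == self.pattern


def fpm_decide(cls: FpmClass, p: Packet, default: str = "permit") -> str:
    return "drop" if cls.matches(p) else default


def fragment(p: Packet, cut: int, frag_id: int) -> Tuple[Packet, Packet]:
    """Split one datagram's payload at byte 'cut' into two fragments."""
    first = Packet(p.src, p.dst, p.proto, p.dport, p.payload[:cut], frag_id, 0, True)
    second = Packet(p.src, p.dst, p.proto, p.dport, p.payload[cut:], frag_id, cut, False)
    return first, second


def reassemble(frags: List[Packet]) -> Packet:
    """What the receiving host (or a reassembling inspector) sees."""
    ordered = sorted(frags, key=lambda f: f.frag_offset)
    head = ordered[0]
    data = b"".join(f.payload for f in ordered)
    return Packet(head.src, head.dst, head.proto, head.dport, data, head.frag_id)


# Constructed sample traffic: both packets go to UDP/1434 (SQL browser port).
SIGNATURE = b"WORMSIG"  # constructed stand-in for a real worm signature
WORM_CLASS = FpmClass("udp", 1434, offset=4, pattern=SIGNATURE)
GOOD = Packet("10.0.0.5", "10.0.1.10", "udp", 1434, b"\x02" + b"sql browser probe")
BAD = Packet("10.0.0.6", "10.0.1.10", "udp", 1434, b"\x04\x01\x01\x01" + SIGNATURE + b"...")
ACL_BLOCK_1434 = [AclEntry("deny", "udp", dport=1434), AclEntry("permit")]


def compare() -> Dict[str, str]:
    """ACL cannot separate good from bad on port 1434; the FPM class can."""
    return {
        "acl_good": acl_decide(ACL_BLOCK_1434, GOOD),
        "acl_bad": acl_decide(ACL_BLOCK_1434, BAD),
        "fpm_good": fpm_decide(WORM_CLASS, GOOD),
        "fpm_bad": fpm_decide(WORM_CLASS, BAD),
    }


def fragment_limitation() -> Dict[str, str]:
    """Per-packet matching misses a signature split across fragments."""
    f1, f2 = fragment(BAD, cut=6, frag_id=42)  # cut lands inside SIGNATURE
    return {
        "frag1": fpm_decide(WORM_CLASS, f1),
        "frag2": fpm_decide(WORM_CLASS, f2),
        "reassembled": fpm_decide(WORM_CLASS, reassemble([f2, f1])),
    }


if __name__ == "__main__":
    print(compare())
    print(fragment_limitation())
```

The `compare()` result is the point of the answer: the ACL's only lever on this traffic is the port, so it either blocks both packets or neither, while the FPM class drops only the one carrying the pattern. `fragment_limitation()` shows why the end note matters for detection design: a matcher that sees one packet at a time needs a reassembly stage in front of it (or a downstream IPS that reassembles) to cover this case.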