Welcome on my very first post on my new fresh technical blog!
This post shows different ways of how to match packets based on their length. While this may not be very common in real production, you will find it useful during your CCIE preparations.
Below is a summary of this post:

Matching packets based on their size

There are 3 ways (at least, those that I am aware of) to match packets by their size:

1. Modular QoS CLI (MQC)

In the following example, we are given the task to limit to 500 Kbps all the packets that are over 1000 bytes in size. Using the MQC, you create a class-map matching the length of the packet, then create a policy-map to apply the police action to this class and finally apply it to on interface:

class-map match-all CLASS_BIG_PKTS
 match packet length min 1300

policy-map MY_POLICY
    police 500000

After applying the service-policy to an interface, you may tested by ICMP with packets of different sizes. To verify it, use the following command:

Router-1#sh policy-map inter fa0/0

  Service-policy output: MY_POLICY

    Class-map: CLASS_BIG_PKTS (match-all)
      10 packets, 10150 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: packet length min 1000
          cir 500000 bps, bc 15625 bytes
        conformed 10 packets, 10150 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions:
        conformed 2000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      26 packets, 2310 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

2. Policy Based Routing (PBR)

Using route-maps gives you also the possibility to match packets by their sizes. In the below example, all ICMP packets with size between 200 and 1200 will be dropped:

ip access-list extended ACL_ICMP
 permit icmp any any

route-map PBR_ICMP permit 10
 match ip address ACL_ICMP
 match length 200 1200
 set interface Null0

interface Serial0/0.1 multipoint
 ip policy route-map PBR_ICMP

To verify it, initiate pings with diferrent sizes and then check the route-map on the router:

Router-1#sh route-map
route-map PBR_ICMP, permit, sequence 10
  Match clauses:
    ip address (access-lists): ACL_ICMP
    interface FastEthernet0/0
    length 200 1200
  Set clauses:
    interface Null0
  Policy routing matches: 10 packets, 1290 bytes

3. Flexible Packet Matching (FPM)

Flexible Packet Matching is a solution that is belongs more to the Security rather than Routing & Switching and I'm not going to go into many details about it (maybe a separate post ?). Here's a quick referrence about it:

FPM is a set of classes and policies that provides pattern matching capability for more granular and customized packet filters for Layer 2 to 7, bit/byte matching capability, deep into the packet at any offset within the packet header and payload.

Flexible Packet Matching - configuration steps:
  • Step 1. Load the protocol header description file(s) (PHDF)
  • Step 2. Define the protocol stack (IP-UDP, IP-TCP, etc.)
  • Step 3. Define FPM match criteria filter (class-map)
  • Step 4. Define action to take on classes (service-map)
  • Step 5. Apply service policy to an interface

Here is the Cisco Documentation for FPM !