Ubaid,

I was able to get this working in 12.4(24)T2 and 12.4(15)T9. I will state that most likely they are using 12.4(15)T in the lab right now. Ubaid, did you use the same configuration as I am showing below?

R7(config-if)#
Jan  5 19:54:12.286: %SEC-6-IPACCESSLOGP: list TCP_FLAGS permitted tcp 192.1.57.5(46747) (FastEthernet0/0 ) -> 7.7.7.7(23), 1 packet
R7(config-if)#end
R7#show policy-map type access-control interface Fa0/0
 FastEthernet0/0

  Service-policy access-control input: FPM

    Class-map: TCP (match-all)
      10 packets, 609 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x6 next TCP

      Service-policy access-control : SYN-ACK

        Class-map: TCP_FLAGS (match-all)
          1 packets, 60 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2
      log

        Class-map: class-default (match-any)
          9 packets, 549 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      11 packets, 850 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R7#

I then did a slight modification and was able to accomplish this same thing with the mask for the SYN-ACK:

R7(config-if)#
Jan  5 20:06:46.116: %SEC-6-IPACCESSLOGP: list TCP_SYN_ACK permitted tcp 5.5.5.5(23) (FastEthernet0/0 ) -> 192.1.201.16(61530), 1 packet
R7(config-if)#end
R7#show policy-map type access-control int f0/0
 FastEthernet0/0

  Service-policy access-control input: FPM

    Class-map: TCP (match-all)
      6 packets, 397 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x6 next TCP

      Service-policy access-control : SYN-ACK

        Class-map: TCP_FLAGS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2
      log

        Class-map: TCP_SYN_ACK (match-all)
          1 packets, 60 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2 mask 0x10
      log

        Class-map: class-default (match-any)
          5 packets, 337 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      5 packets, 370 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R7#

I then applied this same configuration to a router running 12.4(15)T9; it worked like a charm:

R8#
*Jan  5 21:09:28.223: %SYS-5-CONFIG_I: Configured from console by console
R8#
*Jan  5 21:09:36.931: %SEC-6-IPACCESSLOGP: list TCP_FLAGS permitted tcp 192.1.68.6(11180) (FastEthernet0/1 ) -> 8.8.8.8(23), 1 packet
R8#telnet 6.6.6.6
Trying 6.6.6.6 ... Open

Password required, but none set

*Jan  5 21:09:57.487: %SEC-6-IPACCESSLOGP: list TCP_SYN_ACK permitted tcp 6.6.6.6(23) (FastEthernet0/1 ) -> 192.1.68.8(32691), 1 packet

[Connection to 6.6.6.6 closed by foreign host]
R8#

R8#show policy-map type access-control int f0/1
 FastEthernet0/1

  Service-policy access-control input: FPM

    Class-map: TCP (match-all)
      22 packets, 1366 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x6 next TCP

      Service-policy access-control : SYN-ACK

        Class-map: TCP_FLAGS (match-all)
          1 packets, 60 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2
      log

        Class-map: TCP_SYN_ACK (match-all)
          1 packets, 60 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2 mask 0x10
      log

        Class-map: class-default (match-any)
          20 packets, 1246 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      8 packets, 752 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R8#

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tsc...@ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
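The class-maps in the output above match on the TCP control-bits byte with FPM's "eq VALUE mask MASK" syntax, where, as this thread describes, a 1 bit in the mask means "don't care". The Python below is an added example, not code from this thread or from Cisco: it models that comparison and enumerates which of the 64 flag combinations a given class-map admits, so the effect of a mask can be checked before it is trusted in a policy. The flag bit values are the standard TCP ones; the eq/mask semantics are assumed from the thread's description.

```python
# Added example: a model of FPM "eq VALUE mask MASK" matching on the TCP
# control-bits byte. Not the thread's or Cisco's code; it implements the mask
# semantics described in the thread (a 1 bit in the mask is "don't care").

# Standard TCP control-bit values, low bit first.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_value(*names):
    """Build a control-bits byte from flag names, e.g. ("SYN", "ACK") -> 0x12."""
    return sum(TCP_FLAGS[name] for name in names)


def flag_names(value):
    """Readable name for a control-bits byte, e.g. 0x12 -> "SYN/ACK"."""
    return "/".join(name for name, bit in TCP_FLAGS.items() if value & bit) or "none"


def fpm_match(field, eq, mask=0):
    """FPM-style compare: bits set in mask are ignored, every other bit must equal eq."""
    care = 0xFF & ~mask
    return (field & care) == (eq & care)


def matched_combinations(eq, mask):
    """Every combination of the six flags that 'eq <eq> mask <mask>' admits."""
    return [flag_names(v) for v in range(0x40) if fpm_match(v, eq, mask)]


def unintended_matches(eq, mask, intended):
    """Combinations a class-map admits beyond the ones its author intended."""
    return sorted(set(matched_combinations(eq, mask)) - set(intended))


if __name__ == "__main__":
    # The two class-maps from the R7/R8 output above.
    print("eq 2 mask 0    ->", matched_combinations(2, 0x00))   # SYN only
    print("eq 2 mask 0x10 ->", matched_combinations(2, 0x10))   # SYN and SYN/ACK
    # The wide mask discussed further down the thread: anything with SYN set.
    broad = matched_combinations(2, 0x3D)
    extra = unintended_matches(2, 0x3D, ["SYN", "SYN/ACK"])
    print("eq 2 mask 0x3D -> %d combinations, %d of them unintended, e.g. %s"
          % (len(broad), len(extra), extra[:3]))
```

Running it shows "eq 2 mask 0" admitting SYN alone and "eq 2 mask 0x10" admitting SYN and SYN/ACK (the two class-maps above), while "eq 2 mask 0x3D" admits all 32 combinations with SYN set, FIN/SYN among them, which is the point made later in this thread about why a wide mask is a poor choice for a protective policy.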


-----Original Message-----
From: Ubaid Iftikhar [mailto:mag...@bigpond.net.au]
Sent: Tuesday, January 05, 2010 9:28 AM
To: Tyson Scott
Cc: Partha Palanisamy (psarathi); imran mohammed; Cisco certification
Subject: Re: FPM configuration

What you said was 200% right; there might be some bug here.

I don't think it is a security issue since we are using it just to match traffic. I would like to see more examples of FPM with bit matching to help clear my own concepts.

Matching SYN-ACK or just ACK didn't work for me at all.

Regards,
Ubaid Iftikhar

Sent from my iPhone

On 06/01/2010, at 1:07 AM, "Tyson Scott" <tsc...@ipexpert.com> wrote:

> Ubaid,
> 
> I will test because what I stated is based off of the actual binary. I didn't test this. If you have to have the masks as shown by Partha for the feature then that kind of sucks that it is lacking understanding. I will test with 12.4(24)T2 and get back with you guys on this one too.
> 
> Regards,
> 
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tsc...@ipexpert.com
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
> 
> -----Original Message-----
> From: Ubaid Iftikhar (AU) [mailto:mag...@bigpond.net.au]
> Sent: Tuesday, January 05, 2010 3:11 AM
> To: 'Tyson Scott'; 'Partha Palanisamy (psarathi)'; 'imran mohammed'; 'Cisco certification'
> Subject: RE: FPM configuration
> 
> I agree with Tyson, mask could be 0 but it doesn't work with IOS 12.4(15).
> 
> match field ip fragment-offset gt 0  ---------> This field is used to indicate where the current payload fits in with the other parts of fragmented packets received. The first packet will always have this field set to zero.
> 
> For TCP SYN this is correct (mask of 0 doesn't seem to work):
> 
> match field tcp control bits eq 2 mask 61 OR 0x3D
> 
> I was not able to match TCP SYN ACK or just ACK using FPM.
> 
> Regards,
> Ubaid
> 
> -----Original Message-----
> From: nob...@groupstudy.com [mailto:nob...@groupstudy.com] On Behalf Of Tyson Scott
> Sent: Tuesday, 5 January 2010 2:33 PM
> To: 'Partha Palanisamy (psarathi)'; 'imran mohammed'; 'Cisco certification'
> Subject: RE: FPM configuration
> 
> Partha,
> 
> Thank you for sharing. Very good information.
> 
> I would add the following just as some further explanation.
> 
> eq 1 mask 6 doesn't say only bit 3 will be inspected.
> 
> It states that bit 3 must be a 1 but I don't care if bit 1 or bit 2 are a 1 or 0.
> 
> This is fine to do because the bit 1 "reserved bit" is always going to be zero as it is not implemented. Bit 2 "don't fragment" is never going to be a 1 when bit 3 "more fragment" is set to 1 as the two conflict. But the more accurate representation would be
> 
> eq 1 mask 0
> 
> meaning I only want to match the flag field if bit 3 is set to 1.
> 
> For the SYN examples, which I think are very well put, just missing some explanation. If you specifically only wanted to match the packet when it is set to SYN it would be "eq 2 mask 0". Now if we are wanting to match a packet anytime the SYN is set to 1 but we also want to match it if it is SYN ACK then doing "eq 2 mask 0x10" will match if it is SYN, "0x02", or a SYN/ACK, "0x12". To be honest if you were to use "eq 2 mask 0x3D" for some security protection technique it is probably one of the worst things you could do as this would allow a packet that has the flag combination SYN/FIN, "0x03", which is a very well known attack, to occur. You should never purposely allow that to occur, unless you are saying if it is "eq 3 mask 0" do not allow this packet.
> 
> Regards,
> 
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tsc...@ipexpert.com
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
> 
> -----Original Message-----
> From: nob...@groupstudy.com [mailto:nob...@groupstudy.com] On Behalf Of Partha Palanisamy (psarathi)
> Sent: Monday, January 04, 2010 1:21 PM
> To: imran mohammed; Cisco certification
> Subject: RE: FPM configuration
> 
> You can follow the below logic for bit checking on fields.
> 
> For example TCP flags will look like this:
> 
> [urgent|ack|push|reset|syn|finish]
> 
> To match, say, the syn bit:
> 
> [0|1|0|0|1|0] - 2, and mask is reverse [1|1|1|1|0|1] - 3D
> 
> Will translate to:
> 
> match field tcp control bits eq 2 mask 0x3D
> 
> In your case:
> 
> 'more fragments' bit is the third bit of the flags field so the match statement specifies 'eq 1 mask 6'.
> A mask bit specified as '1' is a don't-care so a mask of binary '110' (decimal 6) will ensure that bit 3 is the only bit inspected.
> 
> Thanks
> Partha
> 
> -----Original Message-----
> From: nob...@groupstudy.com [mailto:nob...@groupstudy.com] On Behalf Of imran mohammed
> Sent: Monday, January 04, 2010 5:17 AM
> To: Cisco certification
> Subject: FPM configuration
> 
> Hi All,
> 
> I was going through the FPM deployment guide.
> 
> There are a few parts of the document where I am not clear.
> 
> In the fragmented UDP packet section:
> 
> rtr(config-cmap)# match field ip flags *eq 1 mask 6*
> 
> In the above statement it refers to the *flags* in the IP header, but what does it mean when it says *eq 1 mask 6*? As per the document 1 is don't care, so we make the first 6 bits out of 8 as 1 which we don't care and the last 2 bits are considered; is that what it wants to say?
> 
> rtr(config-cmap)# match field ip fragment-offset gt 0
> 
> This statement says that start from 0 in the fragment-offset of the IP header, is that correct?
> 
> In the second case where you are not loading the PHDF file:
> 
> rtr(config-cmap)# match start l3-start offset 9 size 1 eq 17
> 
> This says that start from the IP header then move to the 9th byte which points to the next protocol, that is UDP. I am clear with this, but if I have to point to something else in the IP header like TTL then I don't know to which byte I should move. Is there any reference for this, like showing every bit and byte of the packet?
> 
> Again in this statement he is trying to match the more fragments bit:
> rtr(config-cmap)# match start l3-start offset 6 size 1 eq 32 mask 0xDF
> 
> I am clear with the statement except this part, *eq 32 mask 0xDF*. I understand 0xDF is for masking where all 1s are don't care and 0 is a care bit, which is the 3rd bit in this case, but I didn't understand the purpose of eq 32.
> 
> I guess I am lagging somewhere. It would be great if someone can explain or at least give some reference where I can get the basics to understand this concept. I am clear with FPM but not with the bits and masking.
> 
> Regards
> Imran
> 
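Imran's questions in the original post (which byte carries TTL, why the more-fragments match reads "eq 32 mask 0xDF", what "fragment-offset gt 0" tests) come down to the IPv4 header layout. The Python below is an added example, not code from this thread or from Cisco: it builds constructed IPv4 headers, models the raw "match start l3-start offset N size S eq V mask M" comparison using the don't-care mask semantics described in the thread, and applies the deployment guide's matches to them. The field offsets are the standard RFC 791 layout; the sample addresses and packets are constructed.

```python
# Added example: model of FPM's raw "match start l3-start offset N size S eq V
# mask M" against constructed IPv4 headers. Not code from the thread or from
# Cisco; header layout per RFC 791, mask semantics (1 = don't care) as the
# thread describes them.
import struct

# (byte offset from l3-start, size in bytes) of each IPv4 header field: the
# "every byte of the packet" reference asked about above.
IPV4_FIELDS = {
    "version_ihl": (0, 1), "tos": (1, 1), "total_length": (2, 2),
    "identification": (4, 2), "flags_fragment_offset": (6, 2), "ttl": (8, 1),
    "protocol": (9, 1), "header_checksum": (10, 2), "src": (12, 4), "dst": (16, 4),
}
IP_FLAG_DF = 0x40  # "don't fragment", as it appears in byte 6
IP_FLAG_MF = 0x20  # "more fragments", as it appears in byte 6 (decimal 32)


def _ip_bytes(dotted):
    """Dotted-quad string to 4 bytes (sample addresses only)."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_header(protocol, ttl, mf, df, fragment_offset, src, dst, payload_len=8):
    """Constructed 20-byte header (checksum left zero; FPM matching does not need it)."""
    flags = (df << 1) | mf                    # 3-bit field: reserved, DF, MF
    word = (flags << 13) | fragment_offset    # 16 bits: flags + 13-bit offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       word, ttl, protocol, 0, _ip_bytes(src), _ip_bytes(dst))


def match_start_l3(packet, offset, size, eq, mask=0):
    """Raw FPM match: S bytes at offset N, big-endian; bits set in mask are ignored."""
    field = int.from_bytes(packet[offset:offset + size], "big")
    care = ((1 << (8 * size)) - 1) & ~mask
    return (field & care) == (eq & care)


def header_field(packet, name):
    """Read a named header field via the offset table (TTL is offset 8, size 1)."""
    offset, size = IPV4_FIELDS[name]
    return int.from_bytes(packet[offset:offset + size], "big")


def fragment_offset(packet):
    """The 13-bit fragment offset that 'match field ip fragment-offset gt 0' tests."""
    return header_field(packet, "flags_fragment_offset") & 0x1FFF


def classify(packet):
    """Apply the deployment guide's two raw matches plus the offset and TTL checks."""
    return {
        "udp": match_start_l3(packet, 9, 1, 17),                    # offset 9 size 1 eq 17
        "more_fragments": match_start_l3(packet, 6, 1, 32, 0xDF),   # offset 6 size 1 eq 32 mask 0xDF
        "non_initial_fragment": fragment_offset(packet) > 0,        # fragment-offset gt 0
        "ttl": header_field(packet, "ttl"),
    }


# Constructed traffic: two fragments of one UDP datagram and an unfragmented TCP segment.
UDP_FIRST_FRAG = build_ipv4_header(17, 64, mf=1, df=0, fragment_offset=0, src="10.0.0.1", dst="10.0.0.2")
UDP_LATER_FRAG = build_ipv4_header(17, 64, mf=1, df=0, fragment_offset=370, src="10.0.0.1", dst="10.0.0.2")
TCP_SEGMENT = build_ipv4_header(6, 64, mf=0, df=1, fragment_offset=0, src="10.0.0.1", dst="10.0.0.2")

if __name__ == "__main__":
    for name, pkt in [("UDP first fragment", UDP_FIRST_FRAG),
                      ("UDP later fragment", UDP_LATER_FRAG),
                      ("TCP segment", TCP_SEGMENT)]:
        print(name, classify(pkt))
    # Why the mask matters in raw mode: byte 6 also carries the top offset bits.
    print("later fragment, eq 32 with no mask:", match_start_l3(UDP_LATER_FRAG, 6, 1, 32))
```

Byte 6 holds the three flag bits plus the top five bits of the fragment offset, so in raw mode the 0xDF mask is genuinely required: without it a later fragment whose offset spills into byte 6 (the constructed one with offset 370 does) fails the comparison even though its MF bit is set. With the PHDF loaded, "match field ip flags" isolates the 3-bit field, which is why the thread debates whether "mask 6" or "mask 0" is the right form there.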
