Ubaid,
I was able to get this working in 12.4(24)T2 and 12.4(15)T9. I will state that most likely they are using 12.4(15)T in the lab right now. Ubaid, did you use the same configuration as I am showing below?

R7(config-if)#
Jan 5 19:54:12.286: %SEC-6-IPACCESSLOGP: list TCP_FLAGS permitted tcp 192.1.57.5(46747) (FastEthernet0/0 ) -> 7.7.7.7(23), 1 packet
R7(config-if)#end
R7#show policy-map type access-control interface Fa0/0

 FastEthernet0/0

  Service-policy access-control input: FPM

    Class-map: TCP (match-all)
      10 packets, 609 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x6 next TCP

      Service-policy access-control : SYN-ACK

        Class-map: TCP_FLAGS (match-all)
          1 packets, 60 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2
          log

        Class-map: class-default (match-any)
          9 packets, 549 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      11 packets, 850 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R7#

I then did a slight modification and was able to accomplish this same thing with the mask for the SYN-ACK:

R7(config-if)#
Jan 5 20:06:46.116: %SEC-6-IPACCESSLOGP: list TCP_SYN_ACK permitted tcp 5.5.5.5(23) (FastEthernet0/0 ) -> 192.1.201.16(61530), 1 packet
R7(config-if)#end
R7#show policy-map type access-control int f0/0

 FastEthernet0/0

  Service-policy access-control input: FPM

    Class-map: TCP (match-all)
      6 packets, 397 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x6 next TCP

      Service-policy access-control : SYN-ACK

        Class-map: TCP_FLAGS (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2
          log

        Class-map: TCP_SYN_ACK (match-all)
          1 packets, 60 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2 mask 0x10
          log

        Class-map: class-default (match-any)
          5 packets, 337 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      5 packets, 370 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R7#

I then applied this same configuration to a router running 12.4(15)T9; it worked like a charm.

R8#
*Jan 5 21:09:28.223: %SYS-5-CONFIG_I: Configured from console by console
R8#
*Jan 5 21:09:36.931: %SEC-6-IPACCESSLOGP: list TCP_FLAGS permitted tcp 192.1.68.6(11180) (FastEthernet0/1 ) -> 8.8.8.8(23), 1 packet
R8#telnet 6.6.6.6
Trying 6.6.6.6 ... Open

Password required, but none set

*Jan 5 21:09:57.487: %SEC-6-IPACCESSLOGP: list TCP_SYN_ACK permitted tcp 6.6.6.6(23) (FastEthernet0/1 ) -> 192.1.68.8(32691), 1 packet
[Connection to 6.6.6.6 closed by foreign host]
R8#
R8#show policy-map type access-control int f0/1

 FastEthernet0/1

  Service-policy access-control input: FPM

    Class-map: TCP (match-all)
      22 packets, 1366 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x6 next TCP

      Service-policy access-control : SYN-ACK

        Class-map: TCP_FLAGS (match-all)
          1 packets, 60 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2
          log

        Class-map: TCP_SYN_ACK (match-all)
          1 packets, 60 bytes
          5 minute offered rate 0 bps
          Match: field TCP control-bits eq 2 mask 0x10
          log

        Class-map: class-default (match-any)
          20 packets, 1246 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      8 packets, 752 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R8#

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tsc...@ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: Ubaid Iftikhar [mailto:mag...@bigpond.net.au]
Sent: Tuesday, January 05, 2010 9:28 AM
To: Tyson Scott
Cc: Partha Palanisamy (psarathi); imran mohammed; Cisco certification
Subject: Re: FPM configuration

What you said was 200% right; there might be some bug here. I don't think it is a security since we are using it just to match traffic. I would like to see more examples of FPM with bit matching to help clear my own concepts. Matching SYN-ACK or just ACK didn't work for me at all.

Regards,
Ubaid Iftikhar

Sent from my iPhone

On 06/01/2010, at 1:07 AM, "Tyson Scott" <tsc...@ipexpert.com> wrote:

> Ubaid,
>
> I will test because what I stated is based off of the actual binary. I didn't test this. If you have to have the masks as shown by Partha for the feature then that kind of sucks that it is lacking understanding. I will test with 12.4(24)T2 and get back with you guys on this one too.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tsc...@ipexpert.com
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> -----Original Message-----
> From: Ubaid Iftikhar (AU) [mailto:mag...@bigpond.net.au]
> Sent: Tuesday, January 05, 2010 3:11 AM
> To: 'Tyson Scott'; 'Partha Palanisamy (psarathi)'; 'imran mohammed'; 'Cisco certification'
> Subject: RE: FPM configuration
>
> I agree with Tyson, mask could be 0, but it doesn't work with IOS 12.4(15).
>
> match field ip fragment-offset gt 0 ---------> This field is used to indicate where the current payload fits in with the other parts of fragmented packets received. The first packet will always have this field set to zero.
>
> For TCP SYN this is correct (mask of 0 doesn't seem to work):
>
> match field tcp control bits eq 2 mask 61 OR 0x3D
>
> I was not able to match TCP SYN ACK or just ACK using FPM.
>
> Regards,
> Ubaid
>
> -----Original Message-----
> From: nob...@groupstudy.com [mailto:nob...@groupstudy.com] On Behalf Of Tyson Scott
> Sent: Tuesday, 5 January 2010 2:33 PM
> To: 'Partha Palanisamy (psarathi)'; 'imran mohammed'; 'Cisco certification'
> Subject: RE: FPM configuration
>
> Partha,
>
> Thank you for sharing. Very good information.
>
> I would add the following just as some further explanation.
>
> eq 1 mask 6 doesn't say only bit 3 will be inspected.
>
> It states that bit 3 must be a 1 but I don't care if bit 1 or bit 2 are a 1 or 0.
>
> This is fine to do because the bit 1 "reserved bit" is always going to be zero as it is not implemented. Bit 2 "don't fragment" is never going to be a 1 when bit 3 "more fragment" is set to 1 as the two conflict. But the more accurate representation would be
>
> eq 1 mask 0
>
> meaning I only want to match the flag field if bit 3 is set to 1.
>
> For the SYN examples, which I think are very well put, just missing some explanation. If you specifically only wanted to match the packet when it is set to SYN it would be "eq 2 mask 0". Now if we are wanting to match a packet anytime the SYN is set to 1 but we also want to match it if it is SYN ACK, then doing "eq 2 mask 0x10" will match if it is SYN, "0x02", or a SYN/ACK, "0x12". To be honest, if you were to use "eq 2 mask 0x3D" for some security protection technique it is probably one of the worst things you could do, as this would allow a packet that has the flag combination SYN/FIN, "0x03", which is a very well known attack, to occur. You should never purposely allow that to occur. Unless you are saying if it is "eq 3 mask 0" do not allow this packet.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tsc...@ipexpert.com
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> -----Original Message-----
> From: nob...@groupstudy.com [mailto:nob...@groupstudy.com] On Behalf Of Partha Palanisamy (psarathi)
> Sent: Monday, January 04, 2010 1:21 PM
> To: imran mohammed; Cisco certification
> Subject: RE: FPM configuration
>
> You can follow the below logic for bit checking on fields.
>
> For example, TCP flags will look like this:
>
> [urgent|ack|push|reset|syn|finish]
>
> To match, say, the syn bit:
>
> [0|1|0|0|1|0] - 2, and mask is reverse [1|1|1|1|0|1] - 3D
>
> will translate to:
>
> match field tcp control bits eq 2 mask 0x3D
>
> In your case:
>
> The 'more fragments' bit is the third bit of the flags field so the match statement specifies 'eq 1 mask 6'. A mask bit specified as '1' is a don't-care, so a mask of binary '110' (decimal 6) will ensure that bit 3 is the only bit inspected.
>
> Thanks
> Partha
>
> -----Original Message-----
> From: nob...@groupstudy.com [mailto:nob...@groupstudy.com] On Behalf Of imran mohammed
> Sent: Monday, January 04, 2010 5:17 AM
> To: Cisco certification
> Subject: FPM configuration
>
> Hi All,
>
> I was going through the FPM deployment guide.
>
> There are a few parts of the document where I am not clear.
>
> In the fragmented UDP packet section:
>
> rtr(config-cmap)# match field ip flags eq 1 mask 6
>
> In the above statement it refers to the flags in the IP header. But what does it mean when it says eq 1 mask 6? As per the document, 1 is don't care, so we make the first 6 bits out of 8 as 1 which we don't care about and the last 2 bits are considered. Is that what it wants to say?
>
> rtr(config-cmap)# match field ip fragment-offset gt 0
>
> This statement says to start from 0 in the fragment-offset of the IP header, is that correct?
>
> In the second case, where you are not loading the PHDF file:
>
> rtr(config-cmap)# match start l3-start offset 9 size 1 eq 17
>
> This says to start from the IP header then move to the 9th byte, which points to the next protocol, that is UDP. I am clear with this, but if I have to point to something else in the IP header like TTL then I don't know to which byte I should move. Is there any reference for this, like showing every bit and byte of the packet?
>
> Again, in this statement he is trying to match the more fragments bit:
>
> rtr(config-cmap)# match start l3-start offset 6 size 1 eq 32 mask 0xDF
>
> I am clear with the statement except this part: eq 32 mask 0xDF. I understand 0xDF is for masking, where all 1s are don't care and 0 is the care bit, which is the 3rd bit in this case, but I didn't understand the purpose of eq 32.
>
> I guess I am lagging somewhere. It would be great if someone can explain or at least give some reference where I can get the basics to understand this concept. I am clear with FPM but not with the bits and masking.
>
> Regards
> Imran
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
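A worked example added to this thread (editor's code, not from any of the messages above and not Cisco's): the mask semantics the thread argues about, implemented in Python and applied to the exact matches discussed, so the difference between "eq 2 mask 0", "eq 2 mask 0x10" and "eq 2 mask 0x3D" on SYN, SYN/ACK and SYN/FIN is visible, along with "eq 1 mask 6" on IP flags and the PHDF-less "offset 6 size 1 eq 32 mask 0xDF" on a raw header byte. It assumes that a 1 bit in the mask is a don't-care, as Partha and the FPM deployment guide describe; a 6-bit TCP control-bits field and a 3-bit IP flags field; and that an offset match with no mask is an exact compare. The IPv4 header bytes are constructed test input.

```python
"""FPM-style 'eq VALUE mask MASK' bit matching, worked through on the thread's cases.

Editor's example, not Cisco code. Assumptions: mask bit 1 = don't-care,
mask bit 0 = must equal VALUE; TCP control-bits is a 6-bit field and IP
flags a 3-bit field (widths assumed from the layout used in the thread,
not read from a PHDF); an offset match with no mask is an exact compare.
"""

# TCP control bits as a 6-bit field, FIN in the low-order bit.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_CTRL_WIDTH = 6

# IP flags as a 3-bit field [reserved | DF | MF], MF in the low-order bit.
MF, DF = 0x1, 0x2
IP_FLAGS_WIDTH = 3


def fpm_eq(field: int, value: int, mask: int, width: int) -> bool:
    """True if `field` satisfies 'eq value mask mask' for a `width`-bit field.

    Bits set in `mask` are ignored; every other bit of `field` must equal
    the same bit of `value`, so 'mask 0' is an exact compare.
    """
    care = ~mask & ((1 << width) - 1)
    return (field & care) == (value & care)


def tcp_match(flags: int, value: int, mask: int) -> bool:
    """'match field tcp control-bits eq VALUE mask MASK' against a flags byte."""
    return fpm_eq(flags & 0x3F, value, mask, TCP_CTRL_WIDTH)


def ip_flags_match(flags: int, value: int, mask: int) -> bool:
    """'match field ip flags eq VALUE mask MASK' against a 3-bit flags value."""
    return fpm_eq(flags & 0x7, value, mask, IP_FLAGS_WIDTH)


def raw_match(packet: bytes, offset: int, size: int, value: int, mask: int = 0) -> bool:
    """'match start l3-start offset OFFSET size SIZE eq VALUE [mask MASK]' with no PHDF.

    `packet` must begin at the IP header (l3-start). The field is `size`
    bytes read big-endian; a missing mask is treated as 0 (assumed).
    """
    field = int.from_bytes(packet[offset:offset + size], "big")
    return fpm_eq(field, value, mask, size * 8)


def ipv4_header(proto: int, flags: int, frag_offset: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero; test input only).

    Byte 6 holds the 3 flag bits in its top 3 bits and the high 5 bits of
    the 13-bit fragment offset below them, which is why MF is 0x20 (32) in
    that byte and why 0xDF masks off everything except MF.
    """
    flags_frag = ((flags & 0x7) << 13) | (frag_offset & 0x1FFF)
    hdr = bytearray(20)
    hdr[0] = 0x45                              # version 4, IHL 5
    hdr[2:4] = (20).to_bytes(2, "big")         # total length (header only)
    hdr[6:8] = flags_frag.to_bytes(2, "big")
    hdr[8] = 64                                # TTL
    hdr[9] = proto                             # 17 = UDP, 6 = TCP
    hdr[12:16] = bytes([192, 0, 2, 1])         # RFC 5737 documentation range
    hdr[16:20] = bytes([192, 0, 2, 2])
    return bytes(hdr)


def syn_mask_comparison() -> dict:
    """Apply the thread's SYN-related matches to SYN, SYN/ACK, SYN/FIN and ACK.

    Returns {match_statement: {probe_name: matched}} so the effect of each
    mask, including the SYN/FIN leak of 'mask 0x3D', can be read off.
    """
    probes = {"SYN": SYN, "SYN/ACK": SYN | ACK, "SYN/FIN": SYN | FIN, "ACK": ACK}
    matches = {"eq 2 mask 0": (2, 0x00), "eq 2 mask 0x10": (2, 0x10),
               "eq 2 mask 0x3D": (2, 0x3D), "eq 3 mask 0": (3, 0x00)}
    return {m: {n: tcp_match(f, v, k) for n, f in probes.items()}
            for m, (v, k) in matches.items()}


if __name__ == "__main__":
    for m, results in syn_mask_comparison().items():
        print(f"{m:16s} matches {[n for n, ok in results.items() if ok]}")
    frag = ipv4_header(17, MF, 0x1FF)          # UDP fragment, MF set, nonzero offset
    print("offset 6 eq 32 mask 0xDF:", raw_match(frag, 6, 1, 32, 0xDF))
    print("offset 6 eq 32 (no mask): ", raw_match(frag, 6, 1, 32))
```

The last two prints show Imran's question in practice: with a nonzero fragment offset, byte 6 is 0x21 rather than 0x20, so "eq 32" alone fails and only the 0xDF mask makes the match depend on the MF bit alone. The same function reproduces Tyson's warning: "eq 2 mask 0x3D" leaves only the SYN bit as a care bit, so SYN/FIN (0x03) matches it, while "eq 2 mask 0x10" matches SYN and SYN/ACK but not SYN/FIN.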