Kingsley,

Periods are shown for display purposes for your help, but a period is not included in the packet.

I don't think FPM works for matching MACs. I did a packet capture just to make sure I am not doing something wrong:

    49D6E260: 000AB819 C8F0000A B82DCB48 ..8.Hp..8-KH
    49D6E270: 08004500 00640086 0000FE01 FCA4C001 ..E..d....~.|$...@.
    49D6E280: 3907C001 06640800 9A72001A 00040000 [email protected]......
    49D6E290: 00000A69 D950ABCD ABCDABCD ABCDABCD ...iYP+M+M+M+M+M
    49D6E2A0: ABCDABCD ABCDABCD 00 +M+M+M+M.

I highlighted the source MAC in the packet capture above. That is the output of the packet capture. I attempted several ways just as you did.

    class-map type access-control match-all MAC-ADD
     match start l2-start offset 6 size 6 regex "000ab82dcb48"
    class-map type stack match-all IP-TYPE
     stack-start l2-start
     match field ETHER type eq 0x800 next ETHER
    policy-map type access-control TOP
     class MAC-ADD
      log
    policy-map type access-control FPM
     class IP-TYPE
      service-policy TOP
    !
    interface FastEthernet0/0
     ip address 192.1.57.5 255.255.255.0
     service-policy type access-control input FPM

I know for sure that the field is 000ab82dcb48 or 000AB82DCB48 and that it is 6 bytes offset and 6 bytes in length. I tried 48 and 48 to see if it was bits, but I am pretty sure offset and size are in bytes. No luck for me either on this one.

Previously I had tried

    class-map type access-control match-all MAC-ADD
     match field ETHER src-mac regex "000ab82dcb48"

One of the two of the above should have worked. I am able to match IP traffic.
But not any MAC information

    R5(config-if)#do sh policy-map type acc int f0/0
     FastEthernet0/0
      Service-policy access-control input: FPM
        Class-map: IP-TYPE (match-all)
          935 packets, 73606 bytes
          5 minute offered rate 0 bps
          Match: field ETHER type eq 0x800 next ETHER
          Service-policy access-control : TOP
            Class-map: MAC-ADD (match-all)
              0 packets, 0 bytes
              5 minute offered rate 0 bps
              Match: start l2-start offset 6 size 6 regex "000ab82dcb48"
              log
            Class-map: class-default (match-any)
              935 packets, 73606 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: any
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    R5(config-if)#

These also didn't work

    match start l2 offset 6 size 6 regex "000AB82DCB48"
    match field ETHER source-mac regex "000AB82DCB48"

I also did attempts

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: <mailto:[email protected]> [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: <http://www.ipexpert.com/chat> www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at <http://www.ipexpert.com/communities> www.ipexpert.com/communities and our public website at <http://www.ipexpert.com/> www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, November 17, 2010 5:11 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] mac address in fpm

Hi Tyson

In the wireshark, I see 00:13:80:84:ac:40 format in the headers section and in 00 13 80 84 ac 40 raw hex format at the bottom. Tried all the three as following but doesn't work.

    class-map type access-control match-any fpmac
     match field ETHER dest-mac string "00 13 80 84 ac 40"
     match field ETHER dest-mac string "00:13:80:84:ac:40"
     match field ETHER dest-mac string "00138084ac40"
    class-map type stack match-all fpm
     stack-start l2-start
     match field ETHER type eq 0x800 next ETHER
    policy-map type access-control fpmac
     class fpmac
      drop
    policy-map type access-control fpm
     class fpm
      service-policy fpmac
    control-plane
     service-policy type access-control input fpm

With regards
Kings

On Wed, Nov 17, 2010 at 1:15 PM, Tyson Scott <[email protected]> wrote:

In Wireshark it displays no characters. Try something like this

    class-map type stack match-all ETHER
     stack-start l2-start
     match field ETHER type eq 0x800 next ETHER
    class-map type access-control match-all DEST-MAC
     match field ETHER dest-mac string "0024d64963da"

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, November 17, 2010 2:19 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] mac address in fpm

Tried the following too.
The IOS accepts it but doesn't show in the running config

    match field eTHER dest-mac string "00.13.80.84.ac.40"
    match field eTHER dest-mac string "00 13 80 84 ac 40"
    match field eTHER dest-mac regex .*00.13.80.84.ac.40.*

With regards
Kings

On Wed, Nov 17, 2010 at 12:34 PM, Kingsley Charles <[email protected]> wrote:

Tyson, the wireshark uses 00.13.80.84.ac.40 format but that doesn't work too.

    router(config-cmap)#match field eTHER dest-mac eq ?
      <0-65535>  Value to be Matched

I tried entering mac addressing but it gives the following error

    router(config-cmap)#match field eTHER dest-mac eq 0x00138084ac40
    ^

For Ethertype, the IOS accepts the hex as well as decimal value

    router(config-cmap)#match field ethER type eq 0x0806 next eTHER
    router(config-cmap)#match field ethER type eq 2054 next ethER

For IP address, the IOS accepts both dotted address format and its decimal value

    router1(config-cmap)#match field ip dest-addr eq ?
      <0-4294967295>  Value to be Matched
      A.B.C.D         IP Address
    router(config-cmap)#match field ip dest-addr eq 10.20.30.40 next IP
    router(config-cmap)#match field ip dest-addr eq 169090600 next IP

With mac address, seems there is some issue

    router1(config-cmap)#match field eTHER dest-mac eq ?
      <0-65535>  Value to be Matched

Trying for mac 0013.8084.ac40

    router1(config-cmap)#match field eTHER dest-mac eq 0x00.13.80.84.ac.40 ?
    % Unrecognized command
    router1(config-cmap)#match field eTHER dest-mac eq 0x0013.8084.ac40 ?
    % Unrecognized command
    router1(config-cmap)#match field eTHER dest-mac eq 0x00138084ac40 ?
    % Unrecognized command
    router1(config-cmap)#match field eTHER dest-mac eq 00.13.80.84.ac.40 ?
    % Unrecognized command
    router1(config-cmap)#match field eTHER dest-mac eq 0013.8084.ac40 ?
    % Unrecognized command
    router1(config-cmap)#match field eTHER dest-mac eq 00138084ac40 ?
    % Unrecognized command

Hence the only option is to use decimal but the max allowed limit is 65535 but the decimal value for 0013.8084.ac40 is 83760557120 which is more than 655535.

    router1(config-cmap)#match field eTHER dest-mac eq 83760557120 ?
    % Unrecognized command

With regards
Kings

On Wed, Nov 17, 2010 at 2:52 AM, Tyson Scott <[email protected]> wrote:

Look at the output of a wireshark capture. Enter as it shows in there.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, November 16, 2010 2:42 AM
To: [email protected]
Subject: [OSL | CCIE_Security] mac address in fpm

Hi all

I am trying to match a mac address. The IOS doesn't accept dotted mac address as such.

    router(config)#class-map type stack match-all fpm
    router(config-cmap)#match field eTHER dest-mac eq ?
      <0-65535>  Value to be Matched

Should I convert the mac to decimal? Even that doesn't work.

Any thoughts?

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
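
Added example, not part of the thread or of anyone's posted configuration: it decodes the first lines of the capture quoted above, slices the frame the way the class-map addresses it (l2-start, offset 6, size 6), and sets the six wire bytes beside the twelve ASCII bytes of the typed pattern "000ab82dcb48". The function names are this example's own, and how IOS FPM interprets a string or regex pattern is not established by the thread.

```python
# Constructed from the first lines of the capture quoted in the thread
# (hex columns only; the ASCII column is dropped).
DUMP = """\
49D6E260: 000AB819 C8F0000A B82DCB48
49D6E270: 08004500 00640086 0000FE01 FCA4C001
49D6E280: 3907C001 06640800 9A72001A 00040000
"""

def frame_from_dump(dump: str) -> bytes:
    """Join the hex words after each 'ADDRESS:' prefix into raw frame bytes."""
    words = []
    for line in dump.splitlines():
        _, _, rest = line.partition(":")
        words.extend(rest.split())
    return bytes.fromhex("".join(words))

def field(frame: bytes, offset: int, size: int) -> bytes:
    """Slice `size` bytes at `offset` from the start of the layer-2 header."""
    if offset + size > len(frame):
        raise ValueError("field runs past the end of the captured frame")
    return frame[offset:offset + size]

def notations(mac: bytes) -> dict:
    """The textual forms tried in the thread, plus the integer value."""
    h = mac.hex()
    return {
        "plain": h,
        "colon": ":".join(h[i:i + 2] for i in range(0, 12, 2)),
        "cisco": ".".join(h[i:i + 4] for i in range(0, 12, 4)),
        "decimal": int.from_bytes(mac, "big"),
    }

def summarize(dump: str = DUMP) -> dict:
    frame = frame_from_dump(dump)
    src = field(frame, 6, 6)                  # offset 6 size 6 from l2-start
    pattern = "000ab82dcb48".encode("ascii")  # the text typed into the class-map
    return {
        "dst_mac": field(frame, 0, 6).hex(),
        "src_mac": src.hex(),
        "ethertype": int.from_bytes(field(frame, 12, 2), "big"),
        "wire_len": len(src),          # bytes occupied on the wire
        "pattern_len": len(pattern),   # bytes occupied by the text form
        "same_bytes": src == pattern,
    }

if __name__ == "__main__":
    print(summarize())
    print(notations(bytes.fromhex("00138084ac40")))
```

The second call reproduces the decimal value quoted in the thread for 0013.8084.ac40, which needs 48 bits and so cannot fit the <0-65535> range the parser offers.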
