Hi Tyson

Thanks for spending your time on this. The regex and string option matches
directly on the ASCII value, right?

But ..8-KH doesn't look like an ASCII value. Please clarify.


I am trying to match 0013.8084.ac40 and the corresponding value in the
wireshark was ".....A". Tried applying to both control plane and interface
but doesn't work.
Should be some IOS problem.

class-map type access-control match-any fpmac
 match field ETHER source-mac string ".. .E.."
 match field ETHER dest-mac string ".....A"
 match field ETHER dest-mac string "\.\.\.\.\.A"
 match field ETHER dest-mac regex "\.\.\.\.\.A"
class-map type stack match-all fpm
 stack-start l2-start
 match field ETHER type eq 0x800 next ETHER
!
!
policy-map type access-control fpmac
 class fpmac
   drop
policy-map type access-control fpm
 class fpm
  service-policy fpmac

With regards
Kings




On Thu, Nov 18, 2010 at 12:19 AM, Tyson Scott <[email protected]> wrote:

> Sorry there is an error in the output. It should show
>
>           Match: field ETHER source-mac regex "\.\.8-KH"
>
>
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444, ext. 208
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
>
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
>
> *From:* Tyson Scott [mailto:[email protected]]
> *Sent:* Wednesday, November 17, 2010 1:42 PM
> *To:* 'Tyson Scott'; 'Kingsley Charles'
>
> *Cc:* '[email protected]'
> *Subject:* RE: [OSL | CCIE_Security] mac address in fpm
>
>
>
> OK,
>
>
>
> I decided to mess with this a little more and I think I have it working
> now.  Here is how I configured it.
>
>
>
> R5(config-cmap)#do sh policy-map type access int f0/0
> FastEthernet0/0
>
>   Service-policy access-control input: FPM
>
>     Class-map: IP-TYPE (match-all)
>       1343 packets, 106470 bytes
>       5 minute offered rate 0 bps
>       Match: field ETHER type eq 0x800 next ETHER
>
>       Service-policy access-control : TOP
>
>         Class-map: MAC-ADD (match-all)
>           119 packets, 9642 bytes
>           5 minute offered rate 0 bps
>           Match: field ETHER source-mac regex "\.\.-KH"
>       log
>
>         Class-map: class-default (match-any)
>           1224 packets, 96828 bytes
>           5 minute offered rate 0 bps, drop rate 0 bps
>           Match: any
>
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
> R5(config-cmap)#
>
>
>
> That string is derived from
>
> 49D6E260:          000AB819 C8F0000A B82DCB48      ..8.Hp..8-KH
> 49D6E270: 08004500 00640086 0000FE01 FCA4C001  ..E..d....~.|$...@.
> 49D6E280: 3907C001 06640800 9A72001A 00040000  [email protected]......
> 49D6E290: 00000A69 D950ABCD ABCDABCD ABCDABCD  ...iYP+M+M+M+M+M
> 49D6E2A0: ABCDABCD ABCDABCD 00                 +M+M+M+M.
>
> R5(config-cmap)#
> Nov 17 18:34:36.774: %SEC-6-IPACCESSLOGDP: list MAC-ADD permitted icmp 192.1.57.7 (FastEthernet0/0 ) -> 192.1.57.5 (8/0), 20 packets
> R5(config-cmap)#
> Nov 17 18:36:36.775: %SEC-6-IPACCESSLOGRP: list MAC-ADD permitted eigrp 192.1.57.7 (FastEthernet0/0 ) -> 224.0.0.10, 132 packets
> R5(config-cmap)#
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
>
> *From:* Tyson Scott [mailto:[email protected]]
> *Sent:* Wednesday, November 17, 2010 1:04 PM
> *To:* 'Kingsley Charles'
> *Cc:* '[email protected]'
> *Subject:* RE: [OSL | CCIE_Security] mac address in fpm
>
>
>
> Kingsley,
>
> Periods are shown for display purposes for your help but a period is not
> included in the packet.  I don't think FPM works for matching MACs.
>
>
>
> I did a packet capture just to make sure I am not doing something wrong
>
> 49D6E260:          000AB819 C8F0000A B82DCB48      ..8.Hp..8-KH
> 49D6E270: 08004500 00640086 0000FE01 FCA4C001  ..E..d....~.|$...@.
> 49D6E280: 3907C001 06640800 9A72001A 00040000  [email protected]......
> 49D6E290: 00000A69 D950ABCD ABCDABCD ABCDABCD  ...iYP+M+M+M+M+M
> 49D6E2A0: ABCDABCD ABCDABCD 00                 +M+M+M+M.
>
>
>
> I highlighted the source mac in the packet capture above.
>
>
>
> That is the output of the packet capture.  I attempted the several ways
> just as you did.
>
>
>
> class-map type access-control match-all MAC-ADD
>  match start l2-start offset 6 size 6 regex "000ab82dcb48"
> class-map type stack match-all IP-TYPE
>  stack-start l2-start
>  match field ETHER type eq 0x800 next ETHER
> policy-map type access-control TOP
>  class MAC-ADD
>    log
> policy-map type access-control FPM
>  class IP-TYPE
>   service-policy TOP
> !
> interface FastEthernet0/0
>  ip address 192.1.57.5 255.255.255.0
>  service-policy type access-control input FPM
>
>
>
> I know for sure that the field is 000ab82dcb48 or 000AB82DCB48 and that it
> is 6 bytes offset and 6 bytes in length.  I tried 48 and 48 to see if it was
> bits but I am pretty sure offset and size are in bytes.
>
> No luck for me either on this one.
>
> Previously I had tried
>
> class-map type access-control match-all MAC-ADD
>  match field ETHER src-mac regex "000ab82dcb48"
>
> One of the two of the above should have worked.  I am able to match IP
> traffic.  But not any MAC information.
>
>
>
> R5(config-if)#do sh policy-map type acc int f0/0
> FastEthernet0/0
>
>   Service-policy access-control input: FPM
>
>     Class-map: IP-TYPE (match-all)
>       935 packets, 73606 bytes
>       5 minute offered rate 0 bps
>       Match: field ETHER type eq 0x800 next ETHER
>
>       Service-policy access-control : TOP
>
>         Class-map: MAC-ADD (match-all)
>           0 packets, 0 bytes
>           5 minute offered rate 0 bps
>           Match: start l2-start offset 6 size 6 regex "000ab82dcb48"
>       log
>
>         Class-map: class-default (match-any)
>           935 packets, 73606 bytes
>           5 minute offered rate 0 bps, drop rate 0 bps
>           Match: any
>
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
> R5(config-if)#
>
>
>
> These also didn't work
>
> match start l2 offset 6 size 6 regex "000AB82DCB48"
> match field ETHER source-mac regex "000AB82DCB48"
>
>
>
> I also did attempts
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Wednesday, November 17, 2010 5:11 AM
>
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] mac address in fpm
>
>
>
> Hi Tyson
>
> In the wireshark, I see 00:13:80:84:ac:40 format in the headers section and
> in 00 13 80 84 ac 40 raw hex format at the bottom.
> Tried all the three as following but doesn't work.
>
> class-map type access-control match-any fpmac
>  match field ETHER dest-mac string "00 13 80 84 ac 40"
>  match field ETHER dest-mac string "00:13:80:84:ac:40"
>  match field ETHER dest-mac string "00138084ac40"
> class-map type stack match-all fpm
>  stack-start l2-start
>  match field ETHER type eq 0x800 next ETHER
>
> policy-map type access-control fpmac
>  class fpmac
>    drop
> policy-map type access-control fpm
>  class fpm
>   service-policy fpmac
>
> control-plane
>  service-policy type access-control input fpm
>
> With regards
> Kings
>
> On Wed, Nov 17, 2010 at 1:15 PM, Tyson Scott <[email protected]> wrote:
>
> In Wireshark it displays no characters.
>
>
>
> Try something like this
>
>
>
> class-map type stack match-all ETHER
>  stack-start l2-start
>  match field ETHER type eq 0x800 next ETHER
> class-map type access-control match-all DEST-MAC
>  match field ETHER dest-mac string "0024d64963da"
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Wednesday, November 17, 2010 2:19 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] mac address in fpm
>
>
>
> Tried the following too. The IOS accepts it but doesn't show in the running
> config
>
> match field eTHER dest-mac string "00.13.80.84.ac.40"
> match field eTHER dest-mac string "00 13 80 84 ac 40"
> match field eTHER dest-mac regex .*00.13.80.84.ac.40.*
>
>
> With regards
> Kings
>
> On Wed, Nov 17, 2010 at 12:34 PM, Kingsley Charles <
> [email protected]> wrote:
>
> Tyson, the wireshark uses 00.13.80.84.ac.40 format but that doesn't work
> too.
>
>
>
> router(config-cmap)#match field eTHER dest-mac eq ?
>   <0-65535>  Value to be Matched
>
> I tried entering mac addressing but it gives the following error
>
> router(config-cmap)#match field eTHER dest-mac eq 0x00138084ac40
>                                                            ^
> For Ethertype, the IOS accepts the hex as well as decimal value
>
> router(config-cmap)#match field ethER type eq 0x0806 next eTHER
> router(config-cmap)#match field ethER type eq 2054 next ethER
>
> For IP address, the IOS accepts both dotted address format and it's decimal
> value
>
> router1(config-cmap)#match field ip dest-addr eq ?
>   <0-4294967295>  Value to be Matched
>   A.B.C.D         IP Address
>
>
> router(config-cmap)#match field ip dest-addr eq 10.20.30.40 next IP
> router(config-cmap)#match field ip dest-addr eq 169090600 next IP
>
> With mac address, seems there is some issue
>
>
> router1(config-cmap)#match field eTHER dest-mac eq ?
>   <0-65535>  Value to be Matched
>
> Trying for mac 0013.8084.ac40
>
> router1(config-cmap)#match field eTHER dest-mac eq 0x00.13.80.84.ac.40 ?
> % Unrecognized command
>
> router1(config-cmap)#match field eTHER dest-mac eq 0x0013.8084.ac40 ?
> % Unrecognized command
>
> router1(config-cmap)#match field eTHER dest-mac eq 0x00138084ac40 ?
> % Unrecognized command
>
> router1(config-cmap)#match field eTHER dest-mac eq 00.13.80.84.ac.40 ?
> % Unrecognized command
>
> router1(config-cmap)#match field eTHER dest-mac eq 0013.8084.ac40 ?
> % Unrecognized command
>
> router1(config-cmap)#match field eTHER dest-mac eq 00138084ac40 ?
> % Unrecognized command
>
> Hence the only option is to use decimal but the max allowed limit is 65535
> but the decimal value for 0013.8084.ac40 is 83760557120 which is more
> than 65535.
>
>
> router1(config-cmap)#match field eTHER dest-mac eq 83760557120 ?
> % Unrecognized command
>
>
>
> With regards
> Kings
>
>
>
> On Wed, Nov 17, 2010 at 2:52 AM, Tyson Scott <[email protected]> wrote:
>
> Look at the output of a Wireshark capture.  Enter it as it shows in there.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Tuesday, November 16, 2010 2:42 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] mac address in fpm
>
>
>
> Hi all
>
> I am trying to match a mac address. The IOS doesn't accept dotted mac
> address as such.
>
> router(config)#class-map type stack match-all fpm
> router(config-cmap)#match field eTHER dest-mac eq ?
>   <0-65535>  Value to be Matched
>
> Should I convert the mac to decimal?
>
> Even that doesn't work.
>
> Any thoughts?
>
>
>
> With regards
> Kings
>
>
>
>
>
>
>
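An added example, not part of the thread or of anyone's posted code: it shows how the ASCII column in the router dump quoted above follows from the hex bytes, and how the same MAC renders in Wireshark's byte pane. The high-bit-stripping rule is an assumption inferred from the dump lines on this page (it reproduces them exactly), and all function names are made up for the example.

```python
import re

# First and last lines of the router dump quoted in the thread above.
DUMP_FIRST = "49D6E260:          000AB819 C8F0000A B82DCB48      ..8.Hp..8-KH"
DUMP_LAST = "49D6E2A0: ABCDABCD ABCDABCD 00                 +M+M+M+M."


def parse_dump_line(line):
    """Split one 'ADDR: hex words  ascii' line into (raw bytes, ASCII column)."""
    _, _, rest = line.partition(":")
    parts = re.split(r"\s{2,}", rest.strip(), maxsplit=1)
    ascii_col = parts[1] if len(parts) > 1 else ""
    return bytes.fromhex(parts[0]), ascii_col


def cisco_dump_ascii(data):
    """Assumed rule, inferred from the dump: drop the high bit, then show
    0x20-0x7e as the character and everything else as '.'."""
    low = (b & 0x7F for b in data)
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in low)


def wireshark_ascii(data):
    """Wireshark's byte pane: printable 7-bit ASCII as-is, all else '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def mac_renderings(mac):
    """Both renderings of one MAC given as hex with optional . : - separators."""
    raw = bytes.fromhex(re.sub(r"[.:\-\s]", "", mac))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 bytes, got %d" % len(raw))
    return {"cisco_dump": cisco_dump_ascii(raw), "wireshark": wireshark_ascii(raw)}


def ether_source_mac(frame):
    """Bytes 6..11 of an Ethernet frame (after the 6-byte destination MAC)."""
    return frame[6:12]


if __name__ == "__main__":
    raw, shown = parse_dump_line(DUMP_FIRST)
    print(cisco_dump_ascii(raw) == shown)           # rule reproduces the dump
    print(ether_source_mac(raw).hex())              # source MAC from the frame
    for mac in ("000a.b82d.cb48", "0013.8084.ac40"):
        print(mac, mac_renderings(mac))
```

Every '.' in either rendering stands for a non-printable byte, so the displayed string alone does not identify the byte values behind it.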