If you are matching anything other than Layer 3 then you must use a stack class-map.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Vybhav Ramachandran
Sent: Tuesday, November 23, 2010 10:02 AM
To: Kingsley Charles; OSL Security
Subject: Re: [OSL | CCIE_Security] FPM doubt

Hello Kings,

I was thinking that we could define fields in the access-control class-map directly (without using the stack-control class). However, after going through some docs, I understand that once the PHDFs are loaded, it is a must to create a base STACK class before using the access-control stack.

Here's my config and it works now:

    class-map type stack match-all stack
     match field layer 1 IP protocol eq 6 next TCP
     exit
    class-map type access-control match-all access
     match field TCP dest-port eq 23
     exit
    policy-map type access-control access
     class access
      drop
     exit
    policy-map type access-control stack
     class stack
      service-policy access
     exit
    int fa 0/0
     service-policy type access-control input stack

I think in my previous config, the FPM engine was looking into some other field and hence the confusion.

Thanks,
TacACK
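Added example (not part of the original thread, and not Cisco's implementation): a simplified Python model of the two-stage match in the configuration above, where the stack class first establishes that the packet is IP carrying TCP and locates the TCP header, and only then does the nested access-control class test the destination port. The function names and the constructed packets are assumptions for illustration.

```python
import struct

def ipv4_tcp_packet(dst_port, proto=6):
    """Constructed sample: 20-byte IPv4 header followed by a 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp

def stack_class(pkt):
    """Models 'class-map type stack': IP protocol eq 6 next TCP.
    Returns the offset of the TCP header, or None if the stack does not match."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IP header length, including any options
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    if pkt[9] != 6:                    # IP protocol field must be TCP
        return None
    return ihl

def access_class(pkt, tcp_off):
    """Models 'class-map type access-control': TCP dest-port eq 23."""
    (dport,) = struct.unpack_from("!H", pkt, tcp_off + 2)
    return dport == 23

def fpm_input(pkt):
    """Models the parent policy on the interface: stack class, then nested policy."""
    tcp_off = stack_class(pkt)
    if tcp_off is None:
        return "forward"               # stack did not match; nested policy never runs
    return "drop" if access_class(pkt, tcp_off) else "forward"

if __name__ == "__main__":
    for port, proto in [(23, 6), (80, 6), (23, 17)]:
        print(port, proto, fpm_input(ipv4_tcp_packet(port, proto)))
```

The third sample carries the value 23 at the same byte offset but with IP protocol 17, so the stack class rejects it before the port test is ever applied.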
