Well, not sure what it means, but I labbed it here and no OSPF packets got dropped
so far.
access-list 102 permit ospf any any
!
class-map type inspect match-all ospf
 match access-group 102
!
class-map type inspect match-all outside-self
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect outside-self
 class type inspect outside-self
  inspect
 class type inspect ospf
  pass
Nor did any packets hit the ACLs:
Rack1R3(config)#do sh policy-map ty ins zone outside-self
Zone-pair: outside-self
Service-policy inspect : outside-self
Class-map: outside-self (match-all)
Match: protocol tcp
Match: protocol udp
Match: protocol icmp
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
*Class-map: ospf (match-all)
Match: access-group 102
Pass
0 packets, 0 bytes*
Class-map: class-default (match-any)
Match: any
Drop (default action)
5 packets, 400 bytes
Any idea why it did not hit on the ACLs? That wou
On Tue, Mar 1, 2011 at 11:26 AM, Bruno <[email protected]> wrote:
> More info about this:
> Tried to create a PAM and that's the message I get:
> %Unable to add port-map entry.
> TCP or UDP protocol must be specified for user-defined applications
>
>
> On Tue, Mar 1, 2011 at 11:24 AM, Bruno <[email protected]> wrote:
>
>> I don't think your suggestion would work, King.
>> I think when you go under policy-map to attach a class-map you must have
>> configured at least 1 INSPECT. A class-map with no inspect statement, when
>> attached under a policy-map, generates this:
>> %No specific protocol configured in class test for inspection. All
>> protocols will be inspected
>>
>> I don't know the answer to the question but would guess that it is not
>> possible, as King said.
>>
>>
>> On Tue, Mar 1, 2011 at 9:43 AM, Kingsley Charles <
>> [email protected]> wrote:
>>
>>> BGP and RIP, which use TCP and UDP, can be inspected. But I'm not sure if
>>> OSPF and EIGRP, which are directly encapsulated in IP, can be inspected using
>>> their protocol numbers.
>>>
>>> You can configure an access-list for OSPF/EIGRP and associate it to the class
>>> map to test it.
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Mar 1, 2011 at 10:42 AM, Richard Chan <[email protected]> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> What is the best practice for allowing IGP traffic
>>>> when self zones are configured in both directions?
>>>>
>>>> 1. Say you have self-Outside zone and Outside-self zone configured.
>>>>
>>>> 2. For IGPs like OSPF/RIP/EIGRP, would you add a PASS action class
>>>> to both zone-pairs? Or do you "inspect" one of them? I don't think of
>>>> IGP peerings as "sessions" in the UDP/TCP sense.
>>>>
>>>>
>>>> !---
>>>> policy-map type inspect XXX-out-self
>>>>  class type inspect IGP
>>>>   pass
>>>> !--- apply to Outside-self zone-pair
>>>> !---
>>>> policy-map type inspect XXX-self-out
>>>>  class type inspect IGP
>>>>   pass
>>>> !--- apply to self-Outside zone-pair
>>>>
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>>
>>>
>>
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
>>
>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional