Is the hit counter for the ospf acl incrementing?
With regards
Kings

On Tue, Mar 1, 2011 at 8:23 PM, Bruno <[email protected]> wrote:

> Well, not sure what it means, but I labbed it here and no OSPF packets got dropped so far.
>
> policy-map type inspect outside-self
>  class type inspect outside-self
>   inspect
>  class type inspect ospf
>   pass
>
> class-map type inspect match-all ospf
>  match access-group 102
> class-map type inspect match-all outside-self
>  match protocol tcp
>  match protocol udp
>  match protocol icmp
>
> access-l 102 permit ospf any any
>
> No packets hit the ACLs either:
>
> Rack1R3(config)#do sh policy-map ty ins zone outside-self
> Zone-pair: outside-self
>
>  Service-policy inspect : outside-self
>
>   Class-map: outside-self (match-all)
>    Match: protocol tcp
>    Match: protocol udp
>    Match: protocol icmp
>    Inspect
>     Session creations since subsystem startup or last reset 0
>     Current session counts (estab/half-open/terminating) [0:0:0]
>     Maxever session counts (estab/half-open/terminating) [0:0:0]
>     Last session created never
>     Last statistic reset never
>     Last session creation rate 0
>     Maxever session creation rate 0
>     Last half-open session total 0
>
>   Class-map: ospf (match-all)
>    Match: access-group 102
>    Pass
>     0 packets, 0 bytes
>
>   Class-map: class-default (match-any)
>    Match: any
>    Drop (default action)
>     5 packets, 400 bytes
>
> Any idea why it did not hit on ACLs. That wou
>
> On Tue, Mar 1, 2011 at 11:26 AM, Bruno <[email protected]> wrote:
>
>> More info about this.
>> Tried to create a PAM and that's the message I get:
>> %Unable to add port-map entry.
>> TCP or UDP protocol must be specified for user-defined applications
>>
>> On Tue, Mar 1, 2011 at 11:24 AM, Bruno <[email protected]> wrote:
>>
>>> I don't think your suggestion would work, King.
>>> I think when you go under policy-map to attach a class-map you must have configured at least 1 INSPECT. A class-map with no inspect statement, when attached under policy-map, generates this:
>>> %No specific protocol configured in class test for inspection. All protocols will be inspected
>>>
>>> I don't know the answer for the question but would shoot that it is not possible, as King said.
>>>
>>> On Tue, Mar 1, 2011 at 9:43 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> BGP and RIP, which use TCP and UDP, can be inspected. But not sure if OSPF and EIGRP, which are directly encapsulated in IP, can be inspected using their protocol numbers.
>>>>
>>>> You can configure an access-list for ospf/eigrp and associate it to the class map for testing it.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, Mar 1, 2011 at 10:42 AM, Richard Chan <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> What is the best practice for allowing IGP traffic when self zones are configured in both directions?
>>>>>
>>>>> 1. Say you have self-Outside zone and Outside-self zone configured.
>>>>>
>>>>> 2. For IGPs like OSPF/RIP/EIGRP would you add a PASS action class to both zone-pairs? Or do you "inspect" one of them? I don't think of IGP peerings as "sessions" in the UDP/TCP sense.
>>>>>
>>>>> !---
>>>>> policy-map type inspect XXX-out-self
>>>>>  class IGP
>>>>>   pass
>>>>> !--- apply to Outside-self zone-pair
>>>>> !---
>>>>> policy-map type inspect XXX-self-out
>>>>>  class IGP
>>>>>   pass
>>>>> !--- apply to self-Outside zone-pair
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
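Kings' question is whether the `ospf` class counter moves at all. The following Python is an added example, not from the thread or from Cisco: it parses the per-class section of `show policy-map type inspect zone-pair` output into hit counters and flags any user class with zero hits while `class-default` is dropping packets, which is the symptom in Bruno's paste (the traffic is falling through to the implicit drop instead of matching the pass class). The sample is a constructed copy of Bruno's output, and the line formats the regexes expect are assumed from that paste only, not from the full IOS output grammar.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a copy of the "show policy-map type inspect zone-pair"
# output pasted in the thread (zero OSPF hits, 5 packets dropped by class-default).
SAMPLE_OUTPUT = """\
Zone-pair: outside-self

 Service-policy inspect : outside-self

  Class-map: outside-self (match-all)
   Match: protocol tcp
   Match: protocol udp
   Match: protocol icmp
   Inspect
    Session creations since subsystem startup or last reset 0
    Current session counts (estab/half-open/terminating) [0:0:0]
    Maxever session counts (estab/half-open/terminating) [0:0:0]
    Last session created never
    Last statistic reset never
    Last session creation rate 0
    Maxever session creation rate 0
    Last half-open session total 0

  Class-map: ospf (match-all)
   Match: access-group 102
   Pass
    0 packets, 0 bytes

  Class-map: class-default (match-any)
   Match: any
   Drop (default action)
    5 packets, 400 bytes
"""

# Line shapes assumed from the paste above (assumption: real IOS output may add lines).
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-\w+)\)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*\S)")
ACTION_RE = re.compile(r"^\s*(Inspect|Pass|Drop)\b")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes")
SESSION_RE = re.compile(r"^\s*Session creations since subsystem startup or last reset\s+(\d+)")


@dataclass
class ClassStats:
    """Counters for one class-map under a zone-pair service policy."""
    name: str
    match_type: str                 # match-all / match-any
    matches: List[str] = field(default_factory=list)
    action: Optional[str] = None    # inspect / pass / drop
    packets: Optional[int] = None   # pass/drop classes report packets and bytes
    bytes: Optional[int] = None
    sessions: Optional[int] = None  # inspect classes report session creations

    def hits(self) -> Optional[int]:
        """The counter this class exposes: packets for pass/drop, sessions for inspect."""
        return self.packets if self.packets is not None else self.sessions


def parse_zone_pair_policy(text: str) -> List[ClassStats]:
    """Parse the per-class section of the show output into ClassStats records."""
    classes: List[ClassStats] = []
    current: Optional[ClassStats] = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = ClassStats(name=m.group(1), match_type=m.group(2))
            classes.append(current)
            continue
        if current is None:          # header lines before the first class-map
            continue
        if (m := MATCH_RE.match(line)):
            current.matches.append(m.group(1))
        elif (m := ACTION_RE.match(line)):
            current.action = m.group(1).lower()
        elif (m := COUNT_RE.match(line)):
            current.packets, current.bytes = int(m.group(1)), int(m.group(2))
        elif (m := SESSION_RE.match(line)):
            current.sessions = int(m.group(1))
    return classes


def diagnose(classes: List[ClassStats]) -> List[str]:
    """Flag user classes with zero hits. If class-default is dropping at the same
    time, the traffic meant for the pass/inspect class is missing it and being dropped."""
    default = next((c for c in classes if c.name == "class-default"), None)
    findings = []
    for c in classes:
        if c.name == "class-default" or c.hits() != 0:
            continue
        msg = f"class {c.name} ({c.action}; {', '.join(c.matches)}): 0 hits"
        if default is not None and default.packets:
            msg += (f"; class-default dropped {default.packets} packets, "
                    f"so this traffic is not matching {c.name}")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_zone_pair_policy(SAMPLE_OUTPUT)):
        print(finding)
```

Run it twice, before and after a hello interval, on the live output: a counter that stays at 0 on the `ospf` class while `class-default` keeps climbing is the confirmation Kings is asking for, independent of whether `access-group` matching on a non-TCP/UDP protocol is supported in that image.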
