Correct Tyson. That confirms our thoughts FYI
---------- Forwarded message ----------
From: Bruno <[email protected]>
Date: Tue, Mar 1, 2011 at 12:56 PM
Subject: Re: [OSL | CCIE_Security] ZBF with self-zones configured: IGPs - PASS or INSPECT?
To: Kingsley Charles <[email protected]>

No

Rack1R3#sh access-l 102
Extended IP access list 102
    10 permit ospf any any

After 1h and 10min having a route installed

O    2.2.2.2 [110/2] via 136.1.23.2, 01:10:11, FastEthernet0/1

I still ain't getting any hits at all

Rack1R3#sh policy-map type inspect zone outside-self
 Zone-pair: outside-self
  Service-policy inspect : outside-self

    Class-map: outside-self (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        5 packets, 400 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [5:0]

        Session creations since subsystem startup or last reset 5
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:1:0]
        Last session created 00:57:51
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 5
        Last half-open session total 0

    *Class-map: ospf (match-all)
      Match: access-group 102
      Pass
        0 packets, 0 bytes*

    Class-map: class-default (match-any)
      Match: any
      Drop
        15 packets, 1200 bytes

I think the answers for that would be that either CBAC or ZBF are there for TCP/UDP/ICMP only and as soon as they have no capabilities on OSPF and such, they do not inspect that in any ways.
I am believing in this to answer such output

On Tue, Mar 1, 2011 at 12:40 PM, Kingsley Charles <[email protected]> wrote:

> Is the hit counter for the ospf acl incrementing?
>
> With regards
> Kings
>
> On Tue, Mar 1, 2011 at 8:23 PM, Bruno <[email protected]> wrote:
>
>> Well, not sure what it means but I lab here and no OSPF packets got
>> dropped so far
>>
>> policy-map type inspect outside-self
>>  class type inspect outside-self
>>   inspect
>>  class type inspect ospf
>>   pass
>>
>> class-map type inspect match-all ospf
>>  match access-group 102
>> class-map type inspect match-all outside-self
>>  match protocol tcp
>>  match protocol udp
>>  match protocol icmp
>>
>> access-l 102 permit ospf any any
>>
>> Neither any packets hit the ACLs
>>
>> Rack1R3(config)#do sh policy-map ty ins zone outside-self
>>  Zone-pair: outside-self
>>
>>  Service-policy inspect : outside-self
>>
>>   Class-map: outside-self (match-all)
>>    Match: protocol tcp
>>    Match: protocol udp
>>    Match: protocol icmp
>>    Inspect
>>     Session creations since subsystem startup or last reset 0
>>     Current session counts (estab/half-open/terminating) [0:0:0]
>>     Maxever session counts (estab/half-open/terminating) [0:0:0]
>>     Last session created never
>>     Last statistic reset never
>>     Last session creation rate 0
>>     Maxever session creation rate 0
>>     Last half-open session total 0
>>
>>   *Class-map: ospf (match-all)
>>    Match: access-group 102
>>    Pass
>>     0 packets, 0 bytes*
>>
>>   Class-map: class-default (match-any)
>>    Match: any
>>    Drop (default action)
>>     5 packets, 400 bytes
>>
>> Any idea why it did not hit on ACLs. That wou
>>
>>
>> On Tue, Mar 1, 2011 at 11:26 AM, Bruno <[email protected]> wrote:
>>
>>> More info about this
>>> Tried to create a PAM and that's the message I get
>>> %Unable to add port-map entry.
>>> TCP or UDP protocol must be specified for user-defined applications
>>>
>>>
>>> On Tue, Mar 1, 2011 at 11:24 AM, Bruno <[email protected]> wrote:
>>>
>>>> I don't think your suggestion would work King.
>>>> I think when you go under policy-map to attach a class-map you must have
>>>> configured at least 1 INSPECT.
>>>> A class-map with no inspect statement, when
>>>> attached under policy-map generates this:
>>>> %No specific protocol configured in class test for inspection. All
>>>> protocols will be inspected
>>>>
>>>> I don't know the answer for the question but would shoot that is not
>>>> possible as King said
>>>>
>>>>
>>>> On Tue, Mar 1, 2011 at 9:43 AM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> BGP and RIP which uses TCP and UDP can be inspected. But not sure, if
>>>>> OSPF and EIGRP which are directly encapsulated in IP can be inspected
>>>>> using their protocol numbers.
>>>>>
>>>>> You can configure access-list for ospf/eigrp and associate to the class
>>>>> map for testing it.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Tue, Mar 1, 2011 at 10:42 AM, Richard Chan <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> What is the best practice for allowing IGP traffic
>>>>>> when self zones are configured in both directions?
>>>>>>
>>>>>> 1. Say you have self-Outside zone and Outside-self zone configured.
>>>>>>
>>>>>> 2. For IGPs like OSPF/RIP/EIGRP would you add a PASS action class
>>>>>> to both zone-pairs? Or do you "inspect" one of them. I don't think of
>>>>>> IGP peerings as "sessions" in the UDP/TCP sense.
>>>>>>
>>>>>> !---
>>>>>> policy-map type inspect XXX-out-self
>>>>>>  class IGP
>>>>>>   pass
>>>>>> !--- apply to Outside-self zone-pair
>>>>>> !---
>>>>>> policy-map type inspect XXX-self-out
>>>>>>  class IGP
>>>>>>   pass
>>>>>> !--- apply to self-Outside zone-pair
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>
>>>>
>>>> --
>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>> Cisco Security Professional
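As an added example (not code from the thread or from Cisco), a small Python parser for the class-map counters in the `show policy-map type inspect zone-pair` output posted above; it flags the situation Bruno ran into, where the OSPF pass class shows 0 hits while class-default is dropping. The sample output is constructed from the counters in the thread, and the regexes are my assumptions about the output layout.

```python
import re
# Constructed sample, modelled on the outside-self counters posted in the thread.
SAMPLE_OUTPUT = """\
 Zone-pair: outside-self
    Class-map: outside-self (match-any)
      Match: protocol icmp
        5 packets, 400 bytes
      Inspect
    Class-map: ospf (match-all)
      Match: access-group 102
      Pass
        0 packets, 0 bytes
    Class-map: class-default (match-any)
      Match: any
      Drop
        15 packets, 1200 bytes
"""
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-\w+\)")
ACTION_RE = re.compile(r"^\s*(Inspect|Pass|Drop)(?:\s+\(default action\))?\s*$")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes")


def parse_zone_pair(text):
    """Return {class_name: {"action", "packets", "bytes"}} for one zone-pair.
    Only the counter line right below the action line counts; per-'Match:' counters are skipped."""
    classes, cur, under_action = {}, None, False
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cur = classes.setdefault(m.group(1), {"action": "", "packets": 0, "bytes": 0})
            under_action = False
        elif cur is not None and (m := ACTION_RE.match(line)):
            cur["action"], under_action = m.group(1), True
        elif cur is not None and under_action and (m := COUNT_RE.match(line)):
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
            under_action = False
        else:
            under_action = False  # any other line ends the action block
    return classes


def igp_pass_check(classes, igp_class="ospf"):
    """Flag an IGP pass class with zero hits while class-default is dropping."""
    igp, default = classes.get(igp_class), classes.get("class-default", {})
    if igp is None or igp["action"] != "Pass":
        return f"no pass class {igp_class!r} in this zone-pair"
    if igp["packets"] == 0 and default.get("packets", 0) > 0:
        return (f"{igp_class}: 0 hits while class-default dropped "
                f"{default['packets']} packets; verify what is being dropped")
    return "ok"
```

Feed it the output of the same command taken a few minutes apart to see whether the drops in class-default grow at the OSPF hello rate, which is the question the thread leaves open.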
