Bruno, I have already sent a mail on this. FPM doesn't work well with serial interfaces, serial sub-interfaces and Ethernet sub-interfaces. Try applying the access-control policy directly without using stack class-maps; it will work.
Below is the mail that I sent earlier. FPM will not work with Ethernet sub-interfaces, serial interfaces and serial sub-interfaces. I did some investigation and the following is the result: the same is applicable to serial and serial sub-interfaces. When you apply FPM involving stack class-maps, FPM will not work with Ethernet sub-interfaces, serial interfaces and serial sub-interfaces. Following are samples, in which the first one directly applies the stack policy-map to the interface:

class-map type stack match-all fpm
 match field IP protocol eq 6 next TCP
policy-map type access-control fpm
 class fpm
  drop
interface gigabitEthernet 0/0.1
 service-policy type access-control input fpm

class-map type stack match-all iptcp
 match field IP protocol eq 6 next TCP
class-map type access-control match-all syn
 match field TCP control-bits eq 2 mask 0x3D
policy-map type access-control syn
 class syn
  drop
policy-map type access-control iptcp
 class iptcp
  service-policy syn
interface gigabitEthernet 0/0.1
 service-policy type access-control input iptcp

When you apply FPM involving an access-control class-map directly, FPM will work with Ethernet sub-interfaces, serial interfaces and serial sub-interfaces. Following are two samples:

class-map type access-control match-any frag
 match field IP flags eq 1 mask 0x6
 match field IP fragment-offset gt 0
policy-map type access-control frag
 class frag
  drop
interface gigabitEthernet 0/0.1
 service-policy type access-control input frag

With regards
Kings

On Wed, Jul 6, 2011 at 10:41 PM, Bruno <[email protected]> wrote:
> hi guys,
>
> Sorry for another thread for FPM. I cannot get this working.
> Match UDP packets port 50 coming in thru serial interface (physical)
>
> I configured the following:
>
> class-map type access-control match-all ESP
>  match field UDP dest-port eq 50
>
> class-map type stack match-all stack
>  match field layer 3 IP protocol eq 17 next UDP
> ! tried "match field ip protocol eq 17 next udp"
> ! tried "match field ip protocol eq 0x11 next udp"
> ! tried "match field layer 3 ip protocol eq 0x11 next UDP"
>
> policy-map type access-control ESP
>  class ESP
>   drop
>   log
> policy-map type access-control stack
>  class stack
>   service-policy ESP
>
> int se0/1/0
>  service-policy type access-control input stack
>
> Nothing hits this. I am testing using traceroute.
> I also tried to eliminate the condition port 50 and having the following:
>
> class-map type stack match-all stack
>  match field layer 3 IP protocol eq 17 next UDP
> policy-map type access-control stack
>  class stack
>   log
>
> Never hits this class stack without any conditions, only matching UDP packets.
>
> Any suggestion at this point is valid.
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
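To show what Kings' advice looks like for Bruno's case, here is an added example configuration that is not from either post. It drops inbound UDP packets to destination port 50 on Serial0/1/0 without any stack class-map: the IP protocol field is matched directly (as in Kings' frag sample, which assumes IP header fields are matchable with no stack defined), and the UDP destination port is matched as a fixed-offset field from the start of the layer-3 header instead of with "match field UDP dest-port", since naming the UDP layer is exactly what the stack class-map exists to provide. The class and policy names (udp50, fpm-udp50) are assumptions, and so is the 20-byte IP header implied by offset 22; a packet carrying IP options has its UDP header further in and would not match. Port 50 is kept from Bruno's post; if the traffic of interest is actually IPsec ESP, that is IP protocol 50 ("match field IP protocol eq 50"), not a UDP port.

```cisco
! Added example, not from the thread: drop inbound UDP/50 on Serial0/1/0
! with no stack class-map. The names udp50 and fpm-udp50 are assumed.
class-map type access-control match-all udp50
 ! IP protocol 0x11 = UDP; IP header fields are matchable without a
 ! stack class-map, as in the fragment sample above
 match field IP protocol eq 0x11
 ! UDP destination port is bytes 22-23 from the layer-3 start when the
 ! IP header carries no options (20 bytes); 0x0032 = 50
 match start l3-start offset 22 size 2 eq 0x0032
!
policy-map type access-control fpm-udp50
 class udp50
  drop
  log
!
interface Serial0/1/0
 service-policy type access-control input fpm-udp50
!
! Verify hits with:
!   show policy-map type access-control interface Serial0/1/0
! IOS traceroute probes use UDP destination ports from 33434 upward,
! so send real UDP/50 traffic when testing rather than traceroute.
```

The same pattern covers Bruno's second attempt (matching all UDP): drop the "match start" line and keep only the IP protocol match, still with no stack class-map, so the policy can be applied on the physical serial interface.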
