*3) FPM* For me FPM is still a little bit unstable technology (or maybe I just test it too hard :-) ). Last week for example, when I was doing FPM labs for 3 days, I was able to crash the router at least once a day :-D But it happens only when I modify class-maps when the policy-map is already applied to the interface with service-policy command. So probably the solution is to remove policy-map from the interface before making changes to it. I have also noticed that sometimes my FPM configuration does not work until I simply reboot the router - then it starts working fine (although I did not change the configuration).
About your question on the difference between access-control and stack type: when you use PHDF files, you *have to* use a stack class-map in order to tell the router about the order of headers (e.g. first IP, then TCP). When you use "match start l3-start offset" instead of matching protocol fields, you can simply have only an access-control class-map, because you use an offset from the beginning of the whole packet. So for example, when you have to match HTTP traffic, you can do this in two ways:

*First method (using offset from the beginning of the packet):*

class-map type access-control match-all c-HTTP-GET
 match start l3-start offset 9 size 1 eq 6
 match start l3-start offset 22 size 2 eq 80

In this case you can create only one policy-map:

policy-map type access-control p-HTTP-GET
 class c-HTTP-GET
  drop
  log

*Second method (using PHDF files and matching protocol fields):*

load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/tcp.phdf

class-map type stack match-all c-TCP
 match field IP protocol eq 6 next TCP

class-map type access-control match-all c-HTTP-GET
 match field TCP dest-port eq 80

In the second method you have to have two policy-maps:

policy-map type access-control p-HTTP-GET
 class c-HTTP-GET
  drop
  log

policy-map type access-control p-TCP
 class c-TCP
  service-policy p-HTTP-GET

Marta Sokolowska.

2012/3/15 Castro, Allan <[email protected]>

> Please help me clarify this:
>
> 1) VLAN hopping attack --> In order to mitigate this attack we would configure the switchport to be an access port (switchport mode access). It also says by reading the documentation that UNUSED ports should be assigned to another vlan other than 1. So for this mitigation I need to configure the port in question to be an access port and ALL other ports that are unused I would need to configure them in another vlan other than 1. Is this correct?
>
> 2) IP Source Guard --> We have Strict and loose mode.
> What kind of wording can we identify when they are asking us to configure strict (ip verify unicast reverse-path) or loose mode (ip verify unicast source reachable-via any)
>
> 3) FPM --> In my notes I have that we need to be careful when applying the policy to the interface using FPM as it could crash the device. In what situation this could happen and what sort of things we need to be aware of?
>
> When doing FPM it is a matter of breaking down the parts of the question. Layer 3 and Layer 4 for example on Yusuf lab book. Lab 1 question 8.3.
>
> First class-map is of type access-control which matches port 23 and destination ip which we are detailing here the IP and service to be used (Layer 3 and 4)
>
> Second class-map is of type STACK in which we define what protocol the service runs on which is TCP. I think that once you have the class-maps done the policy-maps are easy and applying it to the control-plane is easier. Please comment and what is the difference between class-maps type access-control and STACK?
>
> 4) MQC match-any & match-all --> When using either option I want to make sure my understanding is correct. If we use the match-any then it means that under the class-map it can match ANY of the options we have configured, it can match 1, 2 or all at once and it would still work?
> Using the match-all it means that it MUST match all the rules we have configured else it would not apply, is this correct?
>
> 5) control-plane host --> We would apply a policy configured on this if we needed to allow/drop etc. any management traffic or routing protocols, correct?
>
> 6) control-plane --> We would apply a policy configured on this if we needed to police specific traffic or set a queue-threshold for example?
>
> 7) Important HEX codes --> Any other ones that we need to know besides the following?
>
> ARP: 0x806
> IP: 0x800
> IPX: 0x8137
> STP: 0x4242
> IPV6: 0x86DD
> STP LSAP: 0xAAAA
>
> 8) DHCP snooping --> When is it necessary to use the command in the switch: no ip dhcp snooping information option
>
> 9) ACL configuration --> if the question does NOT say to be specific when configuring ACLs to open traffic for let's say TCP 23, 49, 22 etc. Can we do a permit tcp any any eq 23 etc etc?
>
> 10) On the Yusuf practice labs, LAB 2 question 2.4 it says: Your solution must have CBAC inspection applied to any one interface only. I am unclear as to what this means?
>
> *Strategy:* What I am thinking on doing when I start the lab is drawing in a piece of paper the # of routers, ASAs, and switches one below the other one and writing next to it important things to note, for example:
>
> router1 --> ZBF, CoPP
> Asa1 --> nat-control, cut-through proxy (http)
> switch1 --> Vlan access map (v 51)
>
> Things that I could easily forget but having it on paper makes it easier while facing a new task that traffic will be going through any other device. What do you think?
>
> *Thanks!*
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
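Added example (not part of the thread above): a small Python emulation of the two HTTP-matching methods Marta describes, run over constructed IPv4/TCP packets. It shows what "offset 9 size 1 eq 6" and "offset 22 size 2 eq 80" actually compare, and why the offset method silently assumes a 20-byte IP header while the PHDF/stack method follows the IP header length. The packet builder and matcher function names are my own, not IOS commands.

```python
import struct

# Constructed sample packets for illustration; build_ipv4_tcp and the
# matcher functions below are assumed names, not IOS commands or thread content.
def build_ipv4_tcp(dst_port, options=b""):
    """Minimal IPv4 header (plus optional IP options, a multiple of 4 bytes) followed by a 20-byte TCP header."""
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + options + tcp

def fpm_offset_match(pkt, offset, size, value):
    """Emulates 'match start l3-start offset <n> size <s> eq <v>': raw bytes counted from the IP header start."""
    return int.from_bytes(pkt[offset:offset + size], "big") == value

def c_http_get_offset(pkt):
    """First method: match-all of the two offset rules (IP protocol byte 9 == 6, bytes 22-23 == 80).
    Bytes 22-23 are the TCP destination port only when the IP header is exactly 20 bytes."""
    return fpm_offset_match(pkt, 9, 1, 6) and fpm_offset_match(pkt, 22, 2, 80)

def c_http_get_phdf(pkt):
    """Second method: stack class-map (IP protocol eq 6 next TCP), then TCP dest-port eq 80.
    The PHDF parser follows the IP header length, so it locates TCP after any IP options."""
    if pkt[9] != 6:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == 80

def p_http_get(pkt, matcher):
    """policy-map p-HTTP-GET: 'drop' when the class matches, otherwise the packet is forwarded."""
    return "drop" if matcher(pkt) else "forward"
```

With a 4-byte IP option present, the offset-based class-map no longer sees port 80 at bytes 22-23 and lets the packet through, whereas the PHDF-based class-map still matches.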
