You are wonderful Marta, thank you so much. FNK
On Fri, Mar 16, 2012 at 12:07 PM, Marta Sokolowska <[email protected]> wrote:

> *3) FPM*
>
> For me FPM is still a little bit unstable technology (or maybe I just test it too hard :-) ). Last week for example, when I was doing FPM labs for 3 days, I was able to crash the router at least once a day :-D But it happens only when I modify class-maps when the policy-map is already applied to the interface with the service-policy command. So probably the solution is to remove the policy-map from the interface before making changes to it. I have also noticed that sometimes my FPM configuration does not work until I simply reboot the router - then it starts working fine (although I did not change the configuration).
>
> About your question on the difference between the access-control and stack types: when you use PHDF files, you *have to* use a stack class-map in order to tell the router about the order of headers (e.g. first IP, then TCP). When you use "match start l3-start offset" instead of matching protocol fields, you can simply have only an access-control class-map, because you use the offset from the beginning of the whole packet.
>
> So for example, when you have to match HTTP traffic, you can do this in two ways:
>
> *First method (using offset from the beginning of the packet):*
>
> class-map type access-control match-all c-HTTP-GET
>  match start l3-start offset 9 size 1 eq 6
>  match start l3-start offset 22 size 2 eq 80
>
> In this case you can create only one policy-map:
>
> policy-map type access-control p-HTTP-GET
>  class c-HTTP-GET
>   drop
>   log
>
> *Second method (using PHDF files and matching protocol fields):*
>
> load protocol system:fpm/phdf/ip.phdf
> load protocol system:fpm/phdf/tcp.phdf
>
> class-map type stack match-all c-TCP
>  match field IP protocol eq 6 next TCP
>
> class-map type access-control match-all c-HTTP-GET
>  match field TCP dest-port eq 80
>
> In the second method you have to have two policy-maps:
>
> policy-map type access-control p-HTTP-GET
>  class c-HTTP-GET
>   drop
>   log
>
> policy-map type access-control p-TCP
>  class c-TCP
>   service-policy p-HTTP-GET
>
> Marta Sokolowska.
>
> 2012/3/15 Castro, Allan <[email protected]>
>
>> Please help me clarify this:
>>
>> 1) VLAN hopping attack --> In order to mitigate this attack we would configure the switchport to be an access port (switchport mode access). It also says by reading the documentation that UNUSED ports should be assigned to another VLAN other than 1. So for this mitigation I need to configure the port in question to be an access port, and ALL other ports that are unused I would need to configure in another VLAN other than 1. Is this correct?
>>
>> 2) IP Source Guard --> We have strict and loose mode. What kind of wording can we identify when they are asking us to configure strict (ip verify unicast reverse-path) or loose mode (ip verify unicast source reachable-via any)?
>>
>> 3) FPM --> In my notes I have that we need to be careful when applying the policy to the interface using FPM as it could crash the device. In what situation could this happen and what sort of things do we need to be aware of?
>>
>> When doing FPM it is a matter of breaking down the parts of the question. Layer 3 and Layer 4 for example in the Yusuf lab book, Lab 1 question 8.3.
>>
>> First class-map is of type access-control which matches port 23 and destination IP, which is where we are detailing the IP and service to be used (Layer 3 and 4).
>>
>> Second class-map is of type STACK in which we define what protocol the service runs on, which is TCP. I think that once you have the class-maps done the policy-maps are easy and applying it to the control-plane is easier. Please comment, and what is the difference between class-maps of type access-control and STACK?
>>
>> 4) MQC match-any & match-all --> When using either option I want to make sure my understanding is correct. If we use match-any then it means that under the class-map it can match ANY of the options we have configured; it can match 1, 2 or all at once and it would still work? Using match-all it means that it MUST match all the rules we have configured, else it would not apply. Is this correct?
>>
>> 5) control-plane host --> We would apply a policy configured on this if we needed to allow/drop etc. any management traffic or routing protocols, correct?
>>
>> 6) control-plane --> We would apply a policy configured on this if we needed to police specific traffic or set a queue-threshold, for example?
>>
>> 7) Important HEX codes --> Any other ones that we need to know besides the following?
>>
>> ARP: 0x806 IP: 0x800 IPX: 0x8137 STP: 0x4242 IPV6: 0x86DD STP LSAP: 0xAAAA
>>
>> 8) DHCP snooping --> When is it necessary to use the command in the switch: no ip dhcp snooping information option
>>
>> 9) ACL configuration --> If the question does NOT say to be specific when configuring ACLs to open traffic for, let's say, TCP 23, 49, 22 etc., can we do a permit tcp any any eq 23 etc. etc.?
>>
>> 10) In the Yusuf practice labs, LAB 2 question 2.4 it says: Your solution must have CBAC inspection applied to any one interface only. I am unclear as to what this means?
>>
>> *Strategy:* What I am thinking of doing when I start the lab is drawing on a piece of paper the # of routers, ASAs, and switches one below the other and writing next to each the important things to note, for example:
>>
>> router1 --> ZBF, CoPP
>> Asa1 --> nat-control, cut-through proxy (http)
>> switch1 --> Vlan access map (v 51)
>>
>> Things that I could easily forget, but having it on paper makes it easier while facing a new task where traffic will be going through any other device. What do you think?
>>
>> *Thanks!*
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
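The two FPM class-maps in Marta's reply, and the match-any / match-all question in Allan's item 4, worked through on constructed packets. This is an added example, not code from the original thread or from Cisco; `build_ipv4_tcp`, `match_l3_offset`, `class_map` and the PHDF-style field helpers are hypothetical names written here, and the packet bytes are constructed for the demo. It goes one step beyond the thread: it also feeds in a packet carrying IPv4 options, where a fixed `l3-start offset 22` no longer lands on the TCP destination port, while the header-aware (stack) method still finds it because it reads the IHL first.

```python
"""Offset-based vs. header-aware matching, in the style of the two FPM
class-maps from the thread.  Added example; names and packets are constructed."""
import struct


def build_ipv4_tcp(src_port, dst_port, proto=6, options=b""):
    """Constructed IPv4 header (+ optional IP options) followed by a 20-byte
    TCP-shaped header.  Checksums are left at zero; nothing below reads them."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    # src, dst, seq, ack, data-offset(5 words), flags (SYN), window, cksum, urg
    l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    total_len = ihl * 4 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + options + l4


# --- First method: "match start l3-start offset N size S eq V" -----------------
def match_l3_offset(packet, offset, size, value):
    """One FPM match line: compare S bytes at a fixed offset from the start of L3."""
    field = packet[offset:offset + size]
    return len(field) == size and int.from_bytes(field, "big") == value


# class-map type access-control c-HTTP-GET, as written in the thread
C_HTTP_GET_OFFSET = [(9, 1, 6), (22, 2, 80)]   # IP protocol == TCP, bytes 22-23 == 80


def class_map(packet, matches, mode="match-all"):
    """match-all: every match line must hit; match-any: one hit is enough."""
    results = [match_l3_offset(packet, *m) for m in matches]
    return all(results) if mode == "match-all" else any(results)


# --- Second method: PHDF-style named fields, IP -> TCP header chain -------------
def field_ip_protocol(packet):
    return packet[9]


def field_tcp_dest_port(packet):
    # The stack class-map ("match field IP protocol eq 6 next TCP") is what lets
    # the router know TCP starts after the IP header, options included.
    tcp_start = (packet[0] & 0x0F) * 4
    return int.from_bytes(packet[tcp_start + 2:tcp_start + 4], "big")


def c_http_get_phdf(packet):
    return field_ip_protocol(packet) == 6 and field_tcp_dest_port(packet) == 80


def evaluate():
    """Run both class-map styles over three constructed packets."""
    http = build_ipv4_tcp(40000, 80)                                   # plain HTTP SYN
    http_opts = build_ipv4_tcp(40000, 80, options=b"\x01\x01\x01\x01")  # 4 NOP options
    udp80 = build_ipv4_tcp(40000, 80, proto=17)                        # UDP to port 80
    return {
        "http_offset": class_map(http, C_HTTP_GET_OFFSET),
        "http_phdf": c_http_get_phdf(http),
        # offset 22 now reads the last two option bytes, not the TCP dest port
        "options_offset": class_map(http_opts, C_HTTP_GET_OFFSET),
        "options_phdf": c_http_get_phdf(http_opts),
        # item 4 of the question: same match lines, different combination rule
        "udp80_match_all": class_map(udp80, C_HTTP_GET_OFFSET, "match-all"),
        "udp80_match_any": class_map(udp80, C_HTTP_GET_OFFSET, "match-any"),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18s} {'MATCH' if hit else 'no match'}")
```

Running it prints MATCH for both methods on the plain HTTP packet, no match for the offset method on the packet with IP options while the PHDF-style check still matches, and for the UDP packet shows match-all failing but match-any succeeding (only the port line hits). The practical caveat is the one the thread's first method silently assumes: a fixed offset from l3-start is only correct while the IP header is exactly 20 bytes.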
