[OSL | CCIE_Security] CPPr applied to host subinterface and port-filter doesn't show any statistics and blocks RIP traffic

Thu, 29 Mar 2012 19:29:38 -0700 

Guys,
I'm all baffled.
Doing INE 6.1 task.

R1---- R3----R2.
R3 is by far configured with only port-filter applied to control-plane host 
subinterface

class-map type port-filter match-any PORT-FILTER-CM
match  closed-ports
match not  port tcp 3020
match not  port tcp 4040
match not  port udp 520

policy-map type port-filter PORT-FILTER-PM
class PORT-FILTER-CM
   drop

control-plane host
service-policy type port-filter input PORT-FILTER-PM

Question 1, why on earth I don't see anything if run "show policy-map 
control-plane host" (as stated in the solution for this task)
One can only guess that instead of the above said show command another one 
gives me the output "show policy-map type port-filter control-plane host"

Question 2, with explicitly not matching traffic for RIP I still don't see any 
RIP updates on R3 router. I don't see any drops for the above said policy-map. 
It looks like I have drops under "closed-ports" section and then if RIP updates 
makes hits there then I don't understand this logic at all. The solution guide 
have "match closed-ports" in the first line.

R3#show policy-map type port-filter control-plane host
Control Plane Host

  Service-policy port-filter input: PORT-FILTER-PM

    Class-map: PORT-FILTER-CM (match-any)
      175 packets, 27846 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match:  closed-ports
        175 packets, 27846 bytes
        5 minute rate 0 bps
      Match: not  port tcp 3020
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: not  port tcp 4040
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: not  port udp 520
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

And secondly, I don't understand why I have to do "match-all" instead of 
"match-any". If I change my PORT-FILTER-CM class map to use match-all then it 
all starts working.

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to