We can use HEX or decimal in FPM. Only ZFW policy maps have a class-default with a default drop action.
With regards
Kings

On Thu, May 3, 2012 at 1:36 PM, Eugene Pefti <[email protected]> wrote:
> One more look at your question produced another thought.
> Don't we have to use port numbers in HEX? In your case it should be
> "match field TCP dest-port 0x16" for SSH port 22
>
> Secondly, in your particular task, Kings, can't we make do with just one
> class-map of stack type by matching the source address and TCP port as
> follows:
>
> Class-map type stack match-all IP-TCP-STACK
>  Match field IP protocol eq 0x6 next TCP
>  Match field IP source-addr eq 4.8.6.0 mask 255.255.255.0
>  match field TCP dest-port eq 0x16 next IP
>
> As far as I understand you don't have to look into the payload of the
> packet to match for more regex or bits. Then your policy-map would
> reference this class-map and the default class-map would drop everything
> else
>
> Eugene
>
> From: Kingsley Charles <[email protected]>
> Date: Wed, 2 May 2012 21:17:05 +0530
> To: <[email protected]>
> Subject: [OSL | CCIE_Security] FPM to restrict vty access
>
> Hi all
>
> The task asks to allow ssh only from 4.8.6.0/24 and the restriction is
> that we should not use access-lists. So FPM is the only answer.
>
> In the following config, class-map gets matched and 4.8.6.0/24 is
> allowed in. The issue is that I need a wildcard class-map to block other
> ssh connections. But that doesn't work in the following solution.
>
> class-map type access-control match-all telblk
>  match field TCP dest-port eq 22
>
> class-map type access-control match-all vlan6
>  match field TCP dest-port eq 22
>  match field IP source-addr eq 4.8.6.0 mask 0.0.0.255
>
> class-map type stack match-all tcp
>  stack-start l2-start
>  match field ETHER type eq 0x800 next IP
>  match field IP protocol eq 6 next TCP
>
> policy-map type access-control ssh
>  class vlan6
>  class telblk
>   drop
>
> policy-map type access-control tcp
>  class tcp
>   service-policy ssh
>
> control-plane
>  service-policy type access-control input tcp
>
> The following two alternative class-maps also don't work
>
> class-map type access-control match-all telblk
>  match field ip source-addr range 0.0.0.0 255.255.255.255
>
> class-map type access-control match-all telblk
>  match field ip source-addr 0.0.0.0 mask 255.255.255.255
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
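An added Python model (not from the thread or from Cisco IOS) of how the ssh policy-map above evaluates a packet: it accepts hex or decimal port literals, walks the classes in configured order, treats a class with no action as pass-through, and lets unmatched packets through because FPM has no default-drop class. Assumptions: the first matching class decides, and the mask is a wildcard mask as in the `eq 4.8.6.0 mask 0.0.0.255` line.

```python
import ipaddress

# Class-maps transcribed from the thread (vlan6 permits the allowed subnet,
# telblk catches every other SSH packet); values may be hex (0x16) or decimal (22).
CLASS_MAPS = {
    "vlan6": [("TCP", "dest-port", "22", None),
              ("IP", "source-addr", "4.8.6.0", "0.0.0.255")],
    "telblk": [("TCP", "dest-port", "0x16", None)],
}
# policy-map "ssh" in configured order: no action passes, "drop" discards.
POLICY_SSH = [("vlan6", None), ("telblk", "drop")]

def to_int(value):
    """FPM accepts hex or decimal literals; int(value, 0) parses both."""
    return int(value, 0)

def addr_matches(addr, value, mask):
    """ASSUMPTION: mask is a wildcard mask (set bits are don't-care), as in the
    'eq 4.8.6.0 mask 0.0.0.255' line; no mask means an exact match."""
    a = int(ipaddress.IPv4Address(addr))
    v = int(ipaddress.IPv4Address(value))
    w = int(ipaddress.IPv4Address(mask or "0.0.0.0"))
    return (a & ~w) == (v & ~w)

def class_matches(name, pkt):
    """match-all: every 'match field' line of the class-map must hold."""
    for proto, field, value, mask in CLASS_MAPS[name]:
        if (proto, field) == ("TCP", "dest-port"):
            if pkt["dport"] != to_int(value):
                return False
        elif (proto, field) == ("IP", "source-addr"):
            if not addr_matches(pkt["src"], value, mask):
                return False
    return True

def apply_policy(pkt, policy=POLICY_SSH):
    """ASSUMPTION: the first matching class decides. No match means the packet
    passes: an FPM policy-map has no implicit class-default drop."""
    for name, action in policy:
        if class_matches(name, pkt):
            return action or "permit"
    return "permit"

if __name__ == "__main__":
    # Constructed sample packets: allowed SSH, blocked SSH, unrelated HTTP.
    for pkt in ({"src": "4.8.6.10", "dport": 22},
                {"src": "10.0.0.5", "dport": 22},
                {"src": "10.0.0.5", "dport": 80}):
        print(pkt, "->", apply_policy(pkt))
```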
