My $0.02 to what I have always thought about it. First, I'd stay away from "stack-start l2-start" if I know for sure that IP->TCP runs over ETHER and doesn't encapsulate it somehow differently, i.e. I'd start my stack type class-map with IP matching, thus making the router's life easier. But it's perfectly OK to start from L2 in the lab to show that we do it the right way ;)
Then right to your question. Take a look at this capture (IP_in_IP.cap): http://packetlife.net/captures/category/tunneling/

To match on the first IP header following the Ethernet II header we'd need to use "match layer 2 IP protocol eq 4 next IP" to define the sequence of how they are enclosed in each other. Then you use the "layer 3" digit to tell the router that next goes the TCP protocol, which is already layer 4:

match field layer 3 IP protocol eq 6 next

My class-map would look like this and I think it is the same as yours:

class-map type stack match-all ETHER-IP-IP-TCP-STACK
 stack-start l2-start
 match field ETHER type eq 0x800 next IP
 match field IP protocol eq 0x4 next IP
 match field IP protocol eq 0x6 next TCP

Now a quiz ;) How would we define the stack class-map for GRE.cap traffic (see the example on the same page)?

Eugene

From: Mike Rojas [mailto:[email protected]]
Sent: Monday, June 18, 2012 6:44 PM
To: Eugene Pefti
Subject: RE: [OSL | CCIE_Security] FPM matching

Hey,

Sorry,

class-map type stack match-all STACK
 stack-start l2-start
 match field ETHER type eq 0x800 next IP
 match field layer 2 IP protocol eq 4 next IP
 match field layer 3 IP protocol eq 6 next TCP

________________________________
From: [email protected]
To: [email protected]
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 01:20:48 +0000

Hey Miky,

Am I missing something? How can you say "match layer ...." under the type stack class-map? It doesn't accept it.

R3(config-cmap)#match layer ?
% Unrecognized command

You can only provide the "layer" keyword after the "field" one.

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Monday, June 18, 2012 3:29 PM
To: [email protected]
Subject: [OSL | CCIE_Security] FPM matching

This is a question regarding IP-to-IP tunnel matching on FPM.

class-map type stack match-all STACK
 stack-start l2-start
 match field ETHER type eq 0x800 next IP
 match layer 2 IP protocol eq 4 next IP
 match layer 3 IP protocol eq 6 next TCP

First, what is the difference between the last line and "match field IP protocol eq 6 next TCP"? And second, where in that specific stack are we saying that we will see an IP header and then another one? I was first believing that when we do something like "match field ETHER type eq 0x800 next IP" and then we say "match layer 3 IP protocol eq 6 next TCP" we would be saying match the IP header twice, but I see this "match layer 2 IP protocol eq 4 next IP" and that is where I get lost. Any clarification would be appreciated.

Mike
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
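The thread shows the stack class-map on its own but never the rest of the FPM configuration that makes it useful. The following is an added example, not posted by Eugene, Mike or the list, that places the ETHER-IP-IP-TCP stack from the discussion inside a complete FPM policy: the stack class-map establishes the header order (Ethernet, outer IP with protocol 4, inner IP, TCP), an access-control class-map then inspects a field of the innermost headers, and a nested access-control policy logs and drops what matches. The PHDF file locations, the interface name, the TCP port value and the class and policy names are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). PHDF paths, interface, port value and
! class/policy names are assumptions.
!
! 1. Load the protocol header definition files the stack class-map refers to.
!    On platforms with built-in PHDFs this step is not needed.
load protocol flash:ether.phdf
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
! 2. Stack class-map: Ethernet -> IP (protocol 4 = IP-in-IP) -> IP -> TCP.
!    Each "next" names the header that follows, so the two IP lines together
!    are what tells the router "an IP header, then another IP header".
class-map type stack match-all ETHER-IP-IP-TCP-STACK
 stack-start l2-start
 match field ETHER type eq 0x800 next IP
 match field IP protocol eq 0x4 next IP
 match field IP protocol eq 0x6 next TCP
!
! 3. Access-control class-map: the field to inspect once the header stack is
!    known. Here: TCP destination port 23 (telnet) carried inside the tunnel.
class-map type access-control match-all TUNNELED-TELNET
 match field TCP dest-port eq 0x17
!
! 4. Inner policy: action for packets that match the field class.
policy-map type access-control FPM-TUNNELED-TELNET-POLICY
 class TUNNELED-TELNET
  log
  drop
!
! 5. Outer policy: bind the stack class to the inner policy (nested service-policy).
policy-map type access-control FPM-POLICY
 class ETHER-IP-IP-TCP-STACK
  service-policy FPM-TUNNELED-TELNET-POLICY
!
! 6. Apply inbound on the interface that receives the tunneled traffic.
interface GigabitEthernet0/1
 service-policy type access-control input FPM-POLICY
```

Replaying the IP_in_IP.cap capture from the packetlife page through the interface and checking "show policy-map type access-control interface GigabitEthernet0/1" is a quick way to confirm the stack class is actually being hit; if the counters stay at zero, the header order in the stack class-map does not match what is on the wire, which is exactly the kind of mistake the "match layer" confusion in the thread leads to.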
