Ohhh,

But that is the catch: the payload is not encrypted, it is encapsulated. Not
quite sure if the router would be able to see the next header, cuz if you open
the file there, you clearly see the next header, which is ICMP... on ESP, yet
there is no way to see it cuz it is in fact encrypted.

I would say that if we are just matching rather than crafting the packet, I
don't see why we wouldn't be able to match it...

Mike 

From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 04:38:28 +0000

I’d rather say that “match field IP protocol eq 0x4 next IP” will match
the first IP header that goes after the ETHER header, and “match field IP protocol
eq 0x6 next TCP” will match the second IP header that goes after the first IP header.

As for the quiz, I was not 100 percent sure myself because there’s no GRE
protocol PHDF file loaded to say “match field IP protocol eq 0x2f next GRE”
;)))
 
Eugene

From: Mike Rojas [mailto:[email protected]]
Sent: Monday, June 18, 2012 9:26 PM
To: Eugene Pefti
Cc: [email protected]
Subject: RE: [OSL | CCIE_Security] FPM matching

Ok but here is my question,

match field IP protocol eq 0x4 next IP

We are saying there, in the IP protocol it will come IP again, wouldn't it?

The main idea if I understand correctly is to match an IP header twice... So,
I would think that this line

match field IP protocol eq 0x4 next IP

and this line,

match field IP protocol eq 0x6 next TCP

would match it twice, wouldn't it?

Regarding your quiz,

class-map type stack match-all GRE-stack
  match field IP protocol eq 0x2f next <?????>

Mike

From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 02:45:27 +0000

My $0.02 to what I have always thought about it.
First, I’d stay away from “stack-start l2-start” if I know for sure that
IP->TCP runs over ETHER and doesn’t encapsulate it somehow differently, i.e.
I’d start my stack type class-map with IP matching, thus making the router’s
life easier.
But it’s perfectly OK to start from L2 in the lab to show that we do it the
right way ;)

Then right to your question. Take a look at this capture (IP_in_IP.cap):
http://packetlife.net/captures/category/tunneling/

To match on the first IP header following after the Ethernet II header we’d need to
use

match layer 2 IP protocol eq 4 next IP

to define the sequence of how they are enclosed into each other. Then you use
the layer 3 digit to tell the router that next goes the TCP protocol, which is
already layer 4.

match field layer 3 IP protocol eq 6 next

My class-map would look like this and I think it is the same as yours

class-map type stack match-all ETHER-IP-IP-TCP-STACK
stack-start l2-start
match field ETHER type eq 0x800 next IP
match field IP protocol eq 0x4 next IP
match field IP protocol eq 0x6 next TCP

Now a quiz ;)
How would we define the stack class-map for GRE.cap traffic (see the example on the
same page)?
Eugene
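Added example, not part of this thread and not Cisco code: a small Python header-stack walker that does in software what a "type stack" class-map expresses, i.e. it reads the ETHER type field, then each IP header's protocol field, and records the sequence of headers nested inside each other. It shows why Eugene's ETHER-IP-IP-TCP-STACK above needs two IP lines (the walk visits the IP parser twice, once for protocol 4 and once for protocol 6), and it also covers the ESP point at the top of the thread: ESP's next-header byte is in the encrypted trailer, so the walk has to stop at ESP. The GRE branch goes one step beyond the page (it reads GRE's own protocol-type field to find the inner IP header); the thread itself leaves the GRE quiz open and this code says nothing about which PHDF an IOS box would need. All frames, helper names (`walk_stack`, `matches_stack`) and addresses are constructed here and are assumptions of the example.

```python
import struct

# Protocol numbers the thread uses (0x800, 0x4, 0x6, 0x2f) plus ESP (50),
# which the ESP question at the top of the thread is about.
ETHERTYPE_IPV4 = 0x0800
IPPROTO_IPIP = 4
IPPROTO_TCP = 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50

# ---- constructed sample frames (hand-built here, not taken from any capture) ----

def ether(ethertype=ETHERTYPE_IPV4):
    """14-byte Ethernet II header with zeroed MACs; type field at offset 12."""
    return bytes(12) + struct.pack("!H", ethertype)

def ipv4(proto, payload):
    """20-byte IPv4 header (no options) in front of payload; checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def tcp_syn():
    """20-byte TCP header: SYN from port 40000 to port 80."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)

def gre(payload, proto_type=ETHERTYPE_IPV4):
    """Minimal 4-byte GRE header (no flags set) carrying proto_type."""
    return struct.pack("!HH", 0, proto_type) + payload

def esp(ciphertext):
    """ESP: only SPI and sequence number are in the clear; the next-header byte
    sits in the encrypted trailer, so it is not readable from the wire."""
    return struct.pack("!II", 0x1000, 1) + ciphertext

IP_IN_IP_TCP = ether() + ipv4(IPPROTO_IPIP, ipv4(IPPROTO_TCP, tcp_syn()))
GRE_IP_TCP = ether() + ipv4(IPPROTO_GRE, gre(ipv4(IPPROTO_TCP, tcp_syn())))
ESP_FRAME = ether() + ipv4(IPPROTO_ESP, esp(bytes(32)))
PLAIN_TCP = ether() + ipv4(IPPROTO_TCP, tcp_syn())

# ---- the walk a "type stack" class-map expresses ----

def walk_stack(frame):
    """Return the header names seen from L2 inward, e.g. ['ETHER','IP','IP','TCP'].
    The walk stops where the next header cannot be read from cleartext (ESP),
    where no parser applies, or where the frame is too short."""
    stack = []
    if len(frame) < 14:
        return stack
    stack.append("ETHER")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    nxt, off = ("IP" if ethertype == ETHERTYPE_IPV4 else None), 14
    while nxt is not None:
        if nxt == "IP":
            if len(frame) < off + 20:
                break
            ihl = (frame[off] & 0x0F) * 4          # header length in bytes
            proto = frame[off + 9]                  # the "IP protocol" field
            stack.append("IP")
            off += ihl
            nxt = {IPPROTO_IPIP: "IP", IPPROTO_TCP: "TCP",
                   IPPROTO_GRE: "GRE", IPPROTO_ESP: "ESP"}.get(proto)
        elif nxt == "TCP":
            if len(frame) < off + 20:
                break
            stack.append("TCP")
            nxt = None
        elif nxt == "GRE":
            if len(frame) < off + 4:
                break
            stack.append("GRE")
            proto_type = struct.unpack("!H", frame[off + 2:off + 4])[0]
            nxt, off = ("IP" if proto_type == ETHERTYPE_IPV4 else None), off + 4
        else:  # "ESP": payload encrypted, next header not visible -> stop here
            stack.append("ESP")
            nxt = None
    return stack

def matches_stack(frame, expected):
    """match-all semantics: headers must appear in exactly this order."""
    return walk_stack(frame) == list(expected)

if __name__ == "__main__":
    want = ["ETHER", "IP", "IP", "TCP"]   # Eugene's ETHER-IP-IP-TCP-STACK
    for name, frame in [("IP-in-IP/TCP", IP_IN_IP_TCP), ("GRE", GRE_IP_TCP),
                        ("ESP", ESP_FRAME), ("plain TCP", PLAIN_TCP)]:
        print(f"{name:14} {walk_stack(frame)}  matches stack: {matches_stack(frame, want)}")
```

Running it prints the header sequence of each constructed frame; only the IP-in-IP frame matches the four-element stack, a plain TCP frame fails because the second IP header is missing, and the ESP frame ends at ESP because nothing after it is in cleartext. The walker ignores IP options beyond the IHL field and GRE optional fields, which is enough for the constructed input but not for arbitrary captures.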

From: Mike Rojas [mailto:[email protected]]
Sent: Monday, June 18, 2012 6:44 PM
To: Eugene Pefti
Subject: RE: [OSL | CCIE_Security] FPM matching

Hey,

Sorry,

class-map type stack match-all STACK
stack-start l2-start
match field ETHER type eq 0x800 next IP
match field layer 2 IP protocol eq 4 next IP
match field layer 3 IP protocol eq 6 next TCP


From: [email protected]
To: [email protected]
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 01:20:48 +0000

Hey Miky,
Am I missing something? How can you say “match layer ....” under the type stack
class-map? It doesn’t accept it.

R3(config-cmap)#match layer ?
% Unrecognized command

You can only provide the “layer” keyword after the “field” one.

From: [email protected] [mailto:[email protected]]
On Behalf Of Mike Rojas
Sent: Monday, June 18, 2012 3:29 PM
To: [email protected]
Subject: [OSL | CCIE_Security] FPM matching

This is a question in regards to IP-in-IP tunnel matching on FPM.

class-map type stack match-all STACK
stack-start l2-start
match field ETHER type eq 0x800 next IP
match layer 2 IP protocol eq 4 next IP
match layer 3 IP protocol eq 6 next TCP

First, what is the difference between the last line and "match field IP
protocol eq 6 next TCP"?

And second, where in that specific stack are we saying that we will see an IP
header and then another one? I was first believing that when we do something
like "match field ETHER type eq 0x800 next IP" and then we say "match layer 3
IP protocol eq 6 next TCP" we will be saying match IP header twice, but I see this
"match layer 2 IP protocol eq 4 next IP" and that is where I get lost.

Any clarification would be appreciated.

Mike