I put it with and without the mask, same result.

Mike...

From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 17:11:04 +0000

A quick question, Mike. Did you manually enter the mask (0x1) in the access-control class, or did IOS add it automatically? Will it work without the mask?

From: Mike Rojas <[email protected]>
Date: Monday, June 18, 2012 11:47 PM
To: Eugene Pefti <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: RE: [OSL | CCIE_Security] FPM matching

Just one more input: that one will drop ICMP messages with code 0 on them :D Any other traffic won't match...

From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 00:11:59 -0600

Annnnnnnd Bingo, I was right. Since it is encapsulated and not encrypted, we can match whatever is inside the GRE packet... we are matching, not crafting....

Here is the example of dropping ICMP encapsulated in GRE...

    Class Map type access-control match-all ICMP (id 2)
      Match field ICMP code eq 0 mask 0x1

    Class Map type stack match-all STACK-GRE (id 1)
      Match field IP protocol eq 0x2F next ICMP

    Policy Map type access-control STACK-GRE
      Class STACK-GRE
        service-policy ICMP-DROP-GRE

    Policy Map type access-control ICMP-DROP-GRE
      Class ICMP
        drop

    Router1#sh policy-map type access-control interface fa 0/1
     FastEthernet0/1

      Service-policy access-control input: STACK-GRE

        Class-map: STACK-GRE (match-all)
          5 packets, 690 bytes
          5 minute offered rate 0 bps
          Match: field IP protocol eq 0x2F next ICMP

          Service-policy access-control : ICMP-DROP-GRE

            Class-map: ICMP (match-all)
              5 packets, 690 bytes
              5 minute offered rate 0 bps
              Match: field ICMP code eq 0 mask 0x1
              drop

            Class-map: class-default (match-any)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: any

        Class-map: class-default (match-any)
          2 packets, 1236 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

From: [email protected]
To: [email protected]
Date: Mon, 18 Jun 2012 22:25:53 -0600
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] FPM matching

Ok, but here is my question:

    match field IP protocol eq 0x4 next IP

We are saying there that in the IP protocol field IP will come again, wouldn't it? The main idea, if I understand correctly, is to match an IP header twice... So, I would think that this line

    match field IP protocol eq 0x4 next IP

and this line

    match field IP protocol eq 0x6 next TCP

would match it twice, wouldn't it?

Regarding your quiz:

    Class-map type stack match-all GRE-stack
      match field IP protocol eq 0x2f next <?????>

Mike

From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 02:45:27 +0000

My $0.02 on what I have always thought about it.

First, I'd stay away from "stack-start l2-start" if I know for sure that IP->TCP runs over ETHER and doesn't encapsulate it somehow differently, i.e. I'd start my stack type class-map with IP matching, thus making the router's life easier. But it's perfectly OK to start from L2 in the lab to show that we do it the right way ;)

Then right to your question. Take a look at this capture (IP_in_IP.cap): http://packetlife.net/captures/category/tunneling/

To match on the first IP header following after the Ethernet II header we'd need to use "match layer 2 IP protocol eq 4 next IP" to define the sequence of how they are enclosed into each other. Then you use the layer 3 digit to tell the router that next goes the TCP protocol, which is already layer 4:

    match field layer 3 IP protocol eq 6 next

My class-map would look like this, and I think it is the same as yours:

    class-map type stack match-all ETHER-IP-IP-TCP-STACK
      stack-start l2-start
      match field ETHER type eq 0x800 next IP
      match field IP protocol eq 0x4 next IP
      match field IP protocol eq 0x6 next TCP

Now a quiz ;) How would we define the stack class-map for GRE.cap traffic (see example on the same page)?

Eugene

From: Mike Rojas [mailto:[email protected]]
Sent: Monday, June 18, 2012 6:44 PM
To: Eugene Pefti
Subject: RE: [OSL | CCIE_Security] FPM matching

Hey,

Sorry,

    class-map type stack match-all STACK
      stack-start l2-start
      match field ETHER type eq 0x800 next IP
      match field layer 2 IP protocol eq 4 next IP
      match field layer 3 IP protocol eq 6 next TCP

From: [email protected]
To: [email protected]
Subject: RE: [OSL | CCIE_Security] FPM matching
Date: Tue, 19 Jun 2012 01:20:48 +0000

Hey Miky,

Am I missing something? How can you say "match layer ...." under the type stack class-map? It doesn't accept it.

    R3(config-cmap)#match layer ?
    % Unrecognized command

You can only provide the "layer" keyword after the "field" one.

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Monday, June 18, 2012 3:29 PM
To: [email protected]
Subject: [OSL | CCIE_Security] FPM matching

This is a question in regards to IP-in-IP tunnel matching on FPM.

    class-map type stack match-all STACK
      stack-start l2-start
      match field ETHER type eq 0x800 next IP
      match layer 2 IP protocol eq 4 next IP
      match layer 3 IP protocol eq 6 next TCP

First, what is the difference between the last line and "match field IP protocol eq 6 next TCP"?

And second, where in that specific stack are we saying that we will see an IP header and then another one?

I was first believing that when we do something like "match field ETHER type eq 0x800 next IP" and then we say "match layer 3 IP protocol eq 6 next TCP" we would be saying match the IP header twice, but I see this "match layer 2 IP protocol eq 4 next IP" and that is where I get lost.

Any clarification would be appreciated.

Mike

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
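The thread above turns on two ideas: a "type stack" class-map is a chain of "match field ... next" lines that tells FPM which header follows which (ETHER -> IP -> IP -> TCP for IP-in-IP, IP -> GRE -> IP -> ICMP for GRE), and an access-control class then tests a field in the innermost header, optionally under a mask. The following is an added example, not code from the mailing list or from Cisco: a small Python header-stack walker over constructed Ethernet/IPv4/GRE/ICMP/TCP packets that chains headers the same way and evaluates a field match on the header the chain ends at. It walks the GRE header explicitly rather than reproducing Mike's two-line STACK-GRE class-map, so the ICMP bytes it inspects are those of the tunnelled ICMP header; the "mask" semantics (field and value are both ANDed with the mask before comparison) are an assumption made here, not a statement about any IOS release.

```python
"""Header-stack matcher modelled on FPM 'type stack' / 'type access-control' classes.

Added example; packets below are constructed inline, not captured traffic.
Header layouts follow Ethernet II, RFC 791 (IPv4), RFC 2784/2890 (GRE),
RFC 792 (ICMP) and RFC 793 (TCP). ASSUMPTION: 'mask' ANDs both sides.
"""
import struct
from typing import NamedTuple, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_GRE = 1, 4, 6, 0x2F


class Match(NamedTuple):
    proto: str                 # header this line is evaluated against
    field: str                 # field name inside that header
    value: int                 # 'eq' value
    next: Optional[str] = None # 'next' keyword; None in an access-control class
    mask: int = 0xFFFFFFFF     # no 'mask' keyword: compare the whole field


# --- constructed packet builders (checksums left at zero; irrelevant here) ---
def _inet(a):
    return bytes(int(x) for x in a.split("."))

def build_ether(payload, ethertype=ETHERTYPE_IPV4):
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _inet(src), _inet(dst))
    return hdr + payload

def build_gre(payload, proto=ETHERTYPE_IPV4):
    return struct.pack("!HH", 0, proto) + payload   # C/K/S clear: 4-byte GRE header

def build_icmp(type_, code, payload=b""):
    return struct.pack("!BBHHH", type_, code, 0, 0, 0) + payload

def build_tcp(sport, dport, flags=0x02):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


# --- header parsers: each returns (fields, header_length) ---
def parse_ether(b):
    return {"type": struct.unpack_from("!H", b, 12)[0]}, 14

def parse_ip(b):
    return {"version": b[0] >> 4, "protocol": b[9]}, (b[0] & 0x0F) * 4

def parse_gre(b):
    flags = struct.unpack_from("!H", b, 0)[0]
    hlen = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0) \
             + (4 if flags & 0x1000 else 0)          # C, K, S optional words
    return {"protocol": struct.unpack_from("!H", b, 2)[0]}, hlen

def parse_icmp(b):
    return {"type": b[0], "code": b[1]}, 8

def parse_tcp(b):
    sport, dport = struct.unpack_from("!HH", b, 0)
    return {"sport": sport, "dport": dport, "flags": b[13]}, (b[12] >> 4) * 4

PARSERS = {"ETHER": parse_ether, "IP": parse_ip, "GRE": parse_gre,
           "ICMP": parse_icmp, "TCP": parse_tcp}


def _field_matches(fields, m):
    return (fields[m.field] & m.mask) == (m.value & m.mask)

def match_stack(pkt, stack, start="ETHER"):
    """match-all over a stack class-map; start='ETHER' mirrors stack-start l2-start.
    Returns (offset, proto) of the header following the last 'next', or None."""
    offset, proto = 0, start
    for m in stack:
        if m.proto != proto:            # line names a header the chain is not at
            return None
        fields, hlen = PARSERS[proto](pkt[offset:])
        if not _field_matches(fields, m):
            return None
        offset, proto = offset + hlen, m.next
    return offset, proto

def classify(pkt, stack, acl):
    """True if the stack matches and every access-control line matches the
    header the stack ends at (the inner ICMP header for the GRE case)."""
    hit = match_stack(pkt, stack)
    if hit is None:
        return False
    offset, proto = hit
    fields, _ = PARSERS[proto](pkt[offset:])
    return all(_field_matches(fields, m) for m in acl)


# --- class-maps written in the thread's vocabulary ---
IPIP_TCP_STACK = [Match("ETHER", "type", 0x0800, "IP"),
                  Match("IP", "protocol", IPPROTO_IPIP, "IP"),
                  Match("IP", "protocol", IPPROTO_TCP, "TCP")]
GRE_ICMP_STACK = [Match("ETHER", "type", 0x0800, "IP"),
                  Match("IP", "protocol", IPPROTO_GRE, "GRE"),
                  Match("GRE", "protocol", ETHERTYPE_IPV4, "IP"),
                  Match("IP", "protocol", IPPROTO_ICMP, "ICMP")]
ICMP_CODE0_MASKED = [Match("ICMP", "code", 0, mask=0x1)]   # 'eq 0 mask 0x1'
ICMP_CODE0_EXACT = [Match("ICMP", "code", 0)]              # 'eq 0' with no mask

PKTS = {  # constructed sample traffic
    "gre_echo":  build_ether(build_ipv4(IPPROTO_GRE, build_gre(build_ipv4(IPPROTO_ICMP, build_icmp(8, 0, b"ping"))))),
    "gre_code2": build_ether(build_ipv4(IPPROTO_GRE, build_gre(build_ipv4(IPPROTO_ICMP, build_icmp(3, 2))))),
    "ipip_tcp":  build_ether(build_ipv4(IPPROTO_IPIP, build_ipv4(IPPROTO_TCP, build_tcp(1234, 80)))),
    "plain_echo": build_ether(build_ipv4(IPPROTO_ICMP, build_icmp(8, 0))),
}

if __name__ == "__main__":
    for name, pkt in PKTS.items():
        print(name, "stack:", match_stack(pkt, GRE_ICMP_STACK),
              "drop(mask 0x1):", classify(pkt, GRE_ICMP_STACK, ICMP_CODE0_MASKED),
              "drop(exact):", classify(pkt, GRE_ICMP_STACK, ICMP_CODE0_EXACT))
```

Running it answers Eugene's question for this model: `gre_echo` (inner ICMP code 0) is dropped with or without the mask, but `gre_code2` (inner ICMP type 3, code 2) is dropped only under `mask 0x1`, because 2 & 1 == 0 & 1; the plain, untunnelled echo never reaches the access-control class because the stack fails at `IP protocol eq 0x2F`. The IP-in-IP stack ends at byte 54 (14 + 20 + 20), which is where the TCP header really starts, illustrating why each `next` must name the header that actually follows.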
