Oszkar, 

You are right. I sent a clarification on this exercise: it will drop any ICMP 
message within GRE that has code 0 on it. It seems there is a problem 
with FPM because it cannot match types correctly. If I match code 0, it will 
drop both ICMP echo and echo reply because they both have code 0 on them. 

Mike


Date: Wed, 20 Jun 2012 13:40:32 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: [email protected]
To: [email protected]
CC: [email protected]

Hi Mike, 

Why did you choose to look for code 0? Code 0 means a different thing for each 
ICMP type.
I think for echo messages you should look for ICMP type 8.
Now the interesting part is that if you try to match ICMP type 8 instead of 
code 8 your solution won't work.

Oszkar


Annnnnnnd Bingo,



I was right: since it is encapsulated and not encrypted, we can match whatever 
is inside the GRE packet... we are matching, not crafting....

Here is the example of dropping ICMP echo messages encapsulated in GRE...



 Class Map type access-control match-all ICMP (id 2)
   Match field ICMP code eq 0 mask 0x1

 Class Map type stack match-all STACK-GRE (id 1)
   Match field IP protocol eq 0x2F next ICMP

 Policy Map type access-control STACK-GRE
    Class STACK-GRE
      service-policy ICMP-DROP-GRE

  Policy Map type access-control ICMP-DROP-GRE
    Class ICMP
      drop









Router1#sh policy-map type access-control interface fa 0/1
 FastEthernet0/1

  Service-policy access-control input: STACK-GRE

    Class-map: STACK-GRE (match-all)
      5 packets, 690 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x2F next ICMP

      Service-policy access-control : ICMP-DROP-GRE

        Class-map: ICMP (match-all)
          5 packets, 690 bytes
          5 minute offered rate 0 bps
          Match: field ICMP code eq 0 mask 0x1
      drop

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      2 packets, 1236 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
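To show the classification point the thread is circling (code 0 is shared by echo request and echo reply, type 8 is not), here is an added Python example that is not from the thread or from Cisco FPM: it parses a constructed IP/GRE/IP/ICMP packet the way the STACK-GRE class map walks the stack and applies both candidate matches. The sample packets and addresses are constructed, and the FPM "mask 0x1" is not modelled.

```python
import struct
from typing import Optional, Tuple

IPPROTO_GRE = 0x2F   # the "IP protocol eq 0x2F" the STACK-GRE class map matches
IPPROTO_ICMP, ETHERTYPE_IPV4, ICMP_ECHO_REQUEST = 1, 0x0800, 8

def ipv4_header(proto: int, payload_len: int) -> bytes:  # constructed, no options, zero checksum
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def icmp_header(icmp_type: int, code: int) -> bytes:  # type, code, checksum, id, sequence
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1)

def gre_encap(inner: bytes) -> bytes:
    """Wrap an inner IPv4 packet in a plain GRE header (no C/K/S fields) plus outer IPv4."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def inner_icmp(packet: bytes) -> Optional[Tuple[int, int]]:
    """Walk outer IPv4 -> GRE -> inner IPv4 -> ICMP; return (type, code) or None if not that stack."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE:
        return None
    off = (packet[0] & 0x0F) * 4                      # outer IHL
    if len(packet) < off + 4:
        return None
    flags, proto = struct.unpack_from("!HH", packet, off)
    if proto != ETHERTYPE_IPV4:
        return None
    off += 4
    for bit in (0x8000, 0x2000, 0x1000):              # GRE C (checksum+reserved), K (key), S (seq)
        if flags & bit:
            off += 4
    if len(packet) < off + 20 or packet[off] >> 4 != 4 or packet[off + 9] != IPPROTO_ICMP:
        return None
    off += (packet[off] & 0x0F) * 4                   # inner IHL
    if len(packet) < off + 2:
        return None
    return packet[off], packet[off + 1]

def match_code0(packet: bytes) -> bool:
    """The thread's 'Match field ICMP code eq 0': hits echo request AND echo reply."""
    hdr = inner_icmp(packet)
    return hdr is not None and hdr[1] == 0

def match_echo_request(packet: bytes) -> bool:
    """Matching on ICMP type 8 instead: hits echo request only."""
    hdr = inner_icmp(packet)
    return hdr is not None and hdr[0] == ICMP_ECHO_REQUEST
```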


