Hi Mike,

Code 0 means no code, and the majority of the ICMP types have code 0. As a result you will drop much more than echo/echo reply. And you are right, for some reason matching types for ICMP is not working in this case.
On Wed, Jun 20, 2012 at 3:37 PM, Mike Rojas <[email protected]> wrote:
> Oszkar,
>
> You are right. I sent a clarification on this exercise: it will drop any
> ICMP message within GRE that has code 0 on it. It seems that there is a
> problem with FPM because it cannot match types correctly. If I match code
> 0 it will drop both ICMP echo and echo reply because they both have code 0
> on them.
>
> Mike
>
>
> ------------------------------
> Date: Wed, 20 Jun 2012 13:40:32 -0700
> Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
>
> Hi Mike,
>
> Why did you choose to look for code 0? Code 0 means a different thing for
> each ICMP type.
> I think for echo messages you should look for ICMP type 8.
> Now the interesting part is that if you try to match ICMP type 8 instead
> of code 8 your solution won't work.
>
>
> Oszkar
>
>
>
> Annnnnnnd Bingo,
>
> I was right: since it is encapsulated and not encrypted, we can match
> whatever is inside the GRE packet... we are matching, not crafting....
>
> Here is the example of dropping ICMP echo messages encapsulated in GRE...
>
> Class Map type access-control match-all ICMP (id 2)
>   Match field ICMP code eq 0 mask 0x1
>
> Class Map type stack match-all STACK-GRE (id 1)
>   Match field IP protocol eq 0x2F next ICMP
>
>
> Policy Map type access-control STACK-GRE
>   Class STACK-GRE
>     service-policy ICMP-DROP-GRE
>
> Policy Map type access-control ICMP-DROP-GRE
>   Class ICMP
>     drop
>
>
>
>
> Router1#sh policy-map type access-control interface fa 0/1
>  FastEthernet0/1
>
>   Service-policy access-control input: STACK-GRE
>
>     Class-map: STACK-GRE (match-all)
>       5 packets, 690 bytes
>       5 minute offered rate 0 bps
>       Match: field IP protocol eq 0x2F next ICMP
>
>       Service-policy access-control : ICMP-DROP-GRE
>
>         Class-map: ICMP (match-all)
>           5 packets, 690 bytes
>           5 minute offered rate 0 bps
>           Match: field ICMP code eq 0 mask 0x1
>           drop
>
>         Class-map: class-default (match-any)
>           0 packets, 0 bytes
>           5 minute offered rate 0 bps, drop rate 0 bps
>           Match: any
>
>     Class-map: class-default (match-any)
>       2 packets, 1236 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
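To make the over-matching in the thread concrete, here is an added example in Python (not from the thread, not Cisco FPM code). It builds a handful of IPv4/GRE/IPv4/ICMP packets inline (constructed sample data with made-up addresses), walks the same header stack the STACK-GRE class describes, and applies two classifiers: one keyed on ICMP code 0, like the ICMP class map, and one keyed on ICMP type 8, as Oszkar suggested. The GRE parser also honours the optional checksum/key/sequence fields, which goes beyond the plain four-byte GRE header the thread assumes.

```python
"""Classify ICMP inside GRE the way the thread's FPM policy does.

Added example, not Cisco code. Packets below are constructed sample data.
"""
import struct

IPPROTO_ICMP = 1
IPPROTO_GRE = 0x2F        # same value as "IP protocol eq 0x2F" in the stack class
ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def icmp_message(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """ICMP header (type, code, checksum, 4-byte 'rest of header') plus payload."""
    body = struct.pack("!BB", icmp_type, code) + b"\x00\x00" + rest + payload
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def gre_encapsulate(inner: bytes) -> bytes:
    """Basic GRE header: no checksum/key/sequence flags, protocol type IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner


def parse_ipv4(data: bytes):
    """Return {'proto', 'payload'} for an IPv4 packet, or None if malformed."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(data):
        return None
    return {"proto": data[9], "payload": data[ihl:total_len]}


def icmp_inside_gre(packet: bytes):
    """Walk outer IPv4 -> GRE -> inner IPv4 -> ICMP; return (type, code) or None."""
    outer = parse_ipv4(packet)
    if outer is None or outer["proto"] != IPPROTO_GRE:
        return None
    gre = outer["payload"]
    if len(gre) < 4:
        return None
    flags, ptype = struct.unpack("!HH", gre[:4])
    if ptype != ETHERTYPE_IPV4:
        return None
    # Optional GRE fields (RFC 2784/2890) push the inner packet further along.
    offset = 4
    if flags & 0x8000:   # C: checksum + reserved1
        offset += 4
    if flags & 0x2000:   # K: key
        offset += 4
    if flags & 0x1000:   # S: sequence number
        offset += 4
    inner = parse_ipv4(gre[offset:])
    if inner is None or inner["proto"] != IPPROTO_ICMP:
        return None
    icmp = inner["payload"]
    return (icmp[0], icmp[1]) if len(icmp) >= 4 else None


def match_code_0(packet: bytes) -> bool:
    """What the thread's ICMP class map does: any tunnelled ICMP with code 0."""
    r = icmp_inside_gre(packet)
    return r is not None and r[1] == 0


def match_type_8(packet: bytes) -> bool:
    """Echo request only, as Oszkar suggested: tunnelled ICMP with type 8."""
    r = icmp_inside_gre(packet)
    return r is not None and r[0] == 8


def classify(packets: dict, policy) -> dict:
    """Apply a policy to every named packet; True means 'would be dropped'."""
    return {name: policy(pkt) for name, pkt in packets.items()}


def sample_packets() -> dict:
    """Constructed packets: four ICMP types in GRE plus one plain ICMP."""
    inner_src, inner_dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    outer_src, outer_dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])

    def gre_icmp(icmp_type, code):
        icmp = icmp_message(icmp_type, code)
        inner = ipv4_header(inner_src, inner_dst, IPPROTO_ICMP, len(icmp)) + icmp
        gre = gre_encapsulate(inner)
        return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre

    plain = icmp_message(8, 0)
    return {
        "gre_echo_request": gre_icmp(8, 0),      # type 8, code 0
        "gre_echo_reply": gre_icmp(0, 0),        # type 0, code 0
        "gre_time_exceeded": gre_icmp(11, 0),    # type 11, code 0 (TTL expired)
        "gre_unreachable_port": gre_icmp(3, 3),  # type 3, code 3
        "plain_echo_request": ipv4_header(inner_src, inner_dst, IPPROTO_ICMP, len(plain)) + plain,
    }


if __name__ == "__main__":
    pkts = sample_packets()
    for name, policy in (("code eq 0", match_code_0), ("type eq 8", match_type_8)):
        print(name, classify(pkts, policy))
```

Running it shows the point of the thread in one line each: the code-0 policy drops the echo request, the echo reply and the time-exceeded message (three different types that all carry code 0), while the type-8 policy drops only the echo request. Neither touches the plain, untunnelled ICMP, because the stack class requires GRE first.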
