Hey, Yeah, weird isn't it? Most people think that it is mandatory to have a "next GRE" when mounting the stack; if you are not going to match anything on that specific header, why would you mount it? I don't know... I ended up liking it a lot; of course it can get really nasty.
Mike

Date: Wed, 20 Jun 2012 15:52:05 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: [email protected]
To: [email protected]
CC: [email protected]

Hi Mike,

Code 0 means no code, and the majority of the ICMP types have code 0. As a result you will drop much more than echo/echo reply. And you are right, for some reason matching types for ICMP is not working in this case.

On Wed, Jun 20, 2012 at 3:37 PM, Mike Rojas <[email protected]> wrote:

Oszkar,

You are right. I sent a clarification on this exercise: it will drop any ICMP message within GRE that has a code 0 on it. Seems that there is a problem with FPM because it cannot match types correctly. If I match code 0 it will drop both ICMP echo and echo reply because they both have code 0 on them.

Mike

Date: Wed, 20 Jun 2012 13:40:32 -0700
Subject: Re: CCIE_Security Digest, Vol 72, Issue 75
From: [email protected]
To: [email protected]
CC: [email protected]

Hi Mike,

Why did you choose to look for code 0? Code 0 means a different thing for each ICMP type. I think for echo messages you should look for ICMP type 8. Now the interesting part is that if you try to match ICMP type 8 instead of code 8 your solution won't work.

Oszkar

Annnnnnnd Bingo, I was right: since it is encapsulated and not encrypted, we can match whatever is inside the GRE packet... we are matching, not crafting.... Here is the example of dropping ICMP echo messages encapsulated in GRE...
Class Map type access-control match-all ICMP (id 2)
   Match field ICMP code eq 0 mask 0x1

Class Map type stack match-all STACK-GRE (id 1)
   Match field IP protocol eq 0x2F next ICMP

Policy Map type access-control STACK-GRE
  Class STACK-GRE
    service-policy ICMP-DROP-GRE

Policy Map type access-control ICMP-DROP-GRE
  Class ICMP
    drop

Router1#sh policy-map type access-control interface fa 0/1
 FastEthernet0/1

  Service-policy access-control input: STACK-GRE

    Class-map: STACK-GRE (match-all)
      5 packets, 690 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x2F next ICMP

      Service-policy access-control : ICMP-DROP-GRE

        Class-map: ICMP (match-all)
          5 packets, 690 bytes
          5 minute offered rate 0 bps
          Match: field ICMP code eq 0 mask 0x1
          drop

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      2 packets, 1236 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
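The following is an added illustration, not part of the list thread and not Cisco code: a small Python classifier that walks the same protocol stack the STACK-GRE class map describes (outer IPv4, GRE protocol 0x2F, inner IPv4, ICMP) over constructed packet bytes, and then applies either the thread's "ICMP code eq 0" match or the "ICMP type eq 8" match Oszkar suggested. It shows on real header bytes why code 0 drops both echo request (type 8, code 0) and echo reply (type 0, code 0) and leaves other ICMP types with non-zero codes alone, while type 8 isolates echo requests. All addresses, packets and helper names here are constructed assumptions for the demonstration; the "mask 0x1" shown in the router output is not modelled.

```python
"""Added example: classify ICMP-in-GRE packets the way the STACK-GRE / ICMP
class maps in the thread do. Packets are constructed here, not captured."""
import struct

GRE_PROTO = 0x2F        # IP protocol number for GRE, as in the class map
ICMP_PROTO = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left 0 (constructed)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, bytes(src), bytes(dst))


def gre_header(ethertype=ETHERTYPE_IPV4):
    """4-byte GRE header with no optional fields (RFC 2784 shape)."""
    return struct.pack("!HH", 0, ethertype)


def icmp_header(icmp_type, icmp_code):
    """8-byte ICMP header; checksum, id and sequence left 0 (constructed)."""
    return struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)


def build_gre_icmp(icmp_type, icmp_code):
    """Outer IPv4 -> GRE -> inner IPv4 -> ICMP, with constructed addresses."""
    inner = ipv4_header((10, 1, 1, 1), (10, 2, 2, 2), ICMP_PROTO, 8) \
        + icmp_header(icmp_type, icmp_code)
    gre = gre_header() + inner
    return ipv4_header((192, 0, 2, 1), (192, 0, 2, 2), GRE_PROTO, len(gre)) + gre


def parse_ipv4(buf):
    """Return (protocol, payload) for an IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return buf[9], buf[ihl:]


def walk_stack(pkt):
    """Follow IP -> GRE -> IP -> ICMP like the STACK-GRE stack class map.
    Returns (icmp_type, icmp_code), or None when the stack does not match."""
    outer = parse_ipv4(pkt)
    if outer is None or outer[0] != GRE_PROTO:
        return None
    gre = outer[1]
    if len(gre) < 4:
        return None
    flags, ethertype = struct.unpack("!HH", gre[:4])
    # Optional GRE fields (checksum, key, sequence) push the payload out.
    offset = 4
    if flags & 0x8000:
        offset += 4     # checksum + reserved1
    if flags & 0x2000:
        offset += 4     # key (RFC 2890)
    if flags & 0x1000:
        offset += 4     # sequence number (RFC 2890)
    if ethertype != ETHERTYPE_IPV4:
        return None
    inner = parse_ipv4(gre[offset:])
    if inner is None or inner[0] != ICMP_PROTO:
        return None
    icmp = inner[1]
    if len(icmp) < 8:
        return None
    return icmp[0], icmp[1]


def match_code0(pkt):
    """The thread's match: 'field ICMP code eq 0' inside GRE."""
    r = walk_stack(pkt)
    return r is not None and r[1] == 0


def match_type8(pkt):
    """The alternative from the thread: 'field ICMP type eq 8' (echo request)."""
    r = walk_stack(pkt)
    return r is not None and r[0] == 8


if __name__ == "__main__":
    samples = {"echo request (8/0)": build_gre_icmp(8, 0),
               "echo reply (0/0)": build_gre_icmp(0, 0),
               "port unreachable (3/3)": build_gre_icmp(3, 3)}
    for name, pkt in samples.items():
        print(f"{name:24s} code-eq-0 drop: {str(match_code0(pkt)):5s} "
              f"type-eq-8 drop: {match_type8(pkt)}")
```

Running it prints one line per constructed packet; the echo reply is dropped by the code-0 match but not by the type-8 match, which is the difference the thread is arguing about. A plain ICMP packet that is not inside GRE never reaches the inner match, because walk_stack stops when the outer protocol is not 0x2F.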
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
