I learn something new every day. Thank you guys, I'll read about it and update my personal notes as well.
On Wednesday, June 20, 2012, Imre Oszkar wrote:

> I have to disagree with you on this:) I don't think that ICMP type and
> code are the same.
>
> For instance Type 3 code 0 means Net Unreachable so if you match only by
> code you will drop/pass more than icmp echo/reply.
>
> Take a look here:
>
> http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml#icmp-parameters-types
>
> On Wed, Jun 20, 2012 at 3:27 PM, Fawad Khan wrote:
>
>> Icmp Code/ type 0 mean echo request and icmp code/type 8 means echo reply.
>> Type/code 3 means Icmp unreachable.
>>
>> Code and type means the same thing, memorizing or knowing where to find
>> the Icmp code types or any port number is very important. I sent a link
>> couple of months back which is inside Asa config guide which serial all the
>> port numbers, protocols numbers.
>>
>> On Wednesday, June 20, 2012, Imre Oszkar wrote:
>>
>>> Hi Mike,
>>>
>>> Why did you choose to look for code 0? Code 0 means different thing for
>>> each ICMP type.
>>> I think for echo messages you should look for icmp type 8 .
>>> Now the interesting part is that if you try to match icmp type 8
>>> instead of code 8 your solution won't work.
>>>
>>> Oszkar
>>>
>>>> Annnnnnnd Bingo,
>>>>
>>>> I was right, since it is encapsulated and not Encrypted, we can match
>>>> whatever it is inside on the GRE packet... we are matching, not
>>>> crafting....
>>>>
>>>> Here is the example of dropping ICMP echo messages encapsulated on
>>>> GRE...
>>>>
>>>> Class Map type access-control match-all ICMP (id 2)
>>>>    Match field ICMP code eq 0 mask 0x1
>>>>
>>>> Class Map type stack match-all STACK-GRE (id 1)
>>>>    Match field IP protocol eq 0x2F next ICMP
>>>>
>>>> Policy Map type access-control STACK-GRE
>>>>    Class STACK-GRE
>>>>       service-policy ICMP-DROP-GRE
>>>>
>>>> Policy Map type access-control ICMP-DROP-GRE
>>>>    Class ICMP
>>>>       drop
>>>>
>>>> Router1#sh policy-map type access-control interface fa 0/1
>>>>  FastEthernet0/1
>>>>
>>>>   Service-policy access-control input: STACK-GRE
>>>>
>>>>     Class-map: STACK-GRE (match-all)
>>>>       5 packets, 690 bytes
>>>>       5 minute offered rate 0 bps
>>>>       Match: field IP protocol eq 0x2F next ICMP
>>>>
>>>>       Service-policy access-control : ICMP-DROP-GRE
>>>>
>>>>         Class-map: ICMP (match-all)
>>>>           5 packets, 690 bytes
>>>>           5 minute offered rate 0 bps
>>>>           Match: field ICMP code eq 0 mask 0x1
>>>>           drop
>>>>
>>>>         Class-map: class-default (match-any)
>>>>           0 packets, 0 bytes
>>>>           5 minute offered rate 0 bps, drop rate 0 bps
>>>>           Match: any
>>>>
>>>>     Class-map: class-default (match-any)
>>>>       2 packets, 1236 bytes
>>>>       5 minute offered rate 0 bps, drop rate 0 bps
>>>>       Match: any
>>
>> --
>> FNK

--
FNK
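
An added example, not part of the thread or any poster's code: it builds constructed IPv4-over-GRE packets carrying ICMP, reads the inner ICMP header's separate type and code bytes, and compares a code-only predicate with a type-only one. The addresses and helper names are assumptions, and this models the header fields only, not how the router evaluates its `match field` statement.

```python
import struct

def ipv4(proto, payload):
    # Minimal 20-byte IPv4 header; checksum left 0, addresses are constructed samples
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def gre_icmp(icmp_type, icmp_code):
    # ICMP header layout: type (1 byte), code (1 byte), checksum (2), rest (4)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    gre = struct.pack("!HH", 0, 0x0800)      # basic GRE header, payload is IPv4
    return ipv4(47, gre + ipv4(1, icmp))     # outer IP protocol 47 (0x2F) = GRE

def inner_icmp(packet):
    """Return (type, code) of ICMP carried in IPv4-over-GRE, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4 or packet[9] != 47:
        return None
    flags, ethertype = struct.unpack_from("!HH", packet, ihl)
    if ethertype != 0x0800:
        return None
    # Optional checksum (C), key (K) and sequence (S) fields add 4 bytes each
    off = ihl + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if len(packet) < off + 20:
        return None
    inner_ihl = (packet[off] & 0x0F) * 4
    if packet[off + 9] != 1 or len(packet) < off + inner_ihl + 2:
        return None
    return packet[off + inner_ihl], packet[off + inner_ihl + 1]

# Constructed sample traffic: name -> GRE-encapsulated ICMP packet
SAMPLES = {
    "echo request": gre_icmp(8, 0),
    "echo reply": gre_icmp(0, 0),
    "net unreachable": gre_icmp(3, 0),
    "host unreachable": gre_icmp(3, 1),
}

def matched(predicate):
    # Names of the samples whose inner ICMP (type, code) satisfies the predicate
    return sorted(n for n, p in SAMPLES.items() if predicate(*inner_icmp(p)))

if __name__ == "__main__":
    print("code == 0:", matched(lambda t, c: c == 0))
    print("type == 8:", matched(lambda t, c: t == 8))
```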
