Good command, Ben. Never knew of or used it before. I wish something similar existed for IOS, and specifically that we could test and verify some fancy FPM packet matching.
Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
Sent: Monday, July 09, 2012 7:08 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Favourite handy commands

Hi All

I thought it may be a good idea to start a thread where people can share some of the handy commands, generally show or debug but could be anything relating to CCIE Security, that they use regularly and make their life a lot easier.

So I'll start with one of mine for the ASA:

ASA1# show service-policy flow

Used for an ASA much like the "packet-tracer" command to define a packet by source and destination IP/Port to check what service policies are impacting on such a packet. Here is an example:

ASA1# show service-policy flow tcp host 136.1.122.200 host 136.1.122.100 eq 80

Global policy:
  Service-policy: global_policy
    Class-map: class-default
      Match: any
      Action:
        Output flow:

Interface outside:
  Service-policy: outside
    Class-map: HTTP-outside
      Match: access-list http-outside
        Access rule: permit tcp any host 136.1.122.100 eq www
      Action:
        Input flow:  inspect http HTTP-MAP
        Input flow:  set connection conn-max 100 embryonic-conn-max 500
    Class-map: class-default
      Match: any
      Action:
        Output flow:

Interface inside:
  Service-policy: INSIDE
    Class-map: class-default
      Match: any
      Action:
        Output flow:

I find this can be a handy command to check and confirm that your service policies are being applied as you would hope for the traffic you define.

Thanks
Ben
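As an added example (not code from Ben's or Eugene's mail), here is a small Python parser for the "show service-policy flow" output quoted above, so the result can be checked in a script (for instance in a change-verification job) rather than by eye. It assumes the output is in the indented, hierarchical form the ASA prints (two spaces per level, as reconstructed above); the sample text, the function names and the "inspect http" check are all constructed for this example.

```python
"""Parse ASA 'show service-policy flow' output into a list of the class-maps
the flow traverses, with the match criteria and the actions that apply."""

# Constructed sample: Ben's output, in the indented form the ASA prints
# (indentation is an assumption of this example).
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: class-default
      Match: any
      Action:
        Output flow:

Interface outside:
  Service-policy: outside
    Class-map: HTTP-outside
      Match: access-list http-outside
        Access rule: permit tcp any host 136.1.122.100 eq www
      Action:
        Input flow:  inspect http HTTP-MAP
        Input flow:  set connection conn-max 100 embryonic-conn-max 500
    Class-map: class-default
      Match: any
      Action:
        Output flow:

Interface inside:
  Service-policy: INSIDE
    Class-map: class-default
      Match: any
      Action:
        Output flow:
"""


def parse_service_policy_flow(text):
    """Return one dict per class-map the flow hits, in display order.

    Keys: scope ('Global policy' or 'Interface <name>'), policy (the
    service-policy name), class_map, match (the Match/Access rule lines)
    and actions (list of (direction, action) tuples, direction being
    'Input flow' or 'Output flow'). A bare 'Output flow:' line means the
    class applies no action in that direction, so nothing is recorded.
    """
    entries = []
    scope = policy = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Top-level (unindented) lines open a new scope.
        if raw.startswith("Global policy") or raw.startswith("Interface "):
            scope = line.rstrip(":")
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Service-policy":
            policy = value
        elif key == "Class-map":
            current = {"scope": scope, "policy": policy, "class_map": value,
                       "match": [], "actions": []}
            entries.append(current)
        elif current is None:
            continue  # stray line before any class-map; ignore
        elif key in ("Match", "Access rule"):
            current["match"].append(line)
        elif key in ("Input flow", "Output flow") and value:
            current["actions"].append((key, value))
        # 'Action:' is only a header line; nothing to record.
    return entries


def find_actions(entries, keyword):
    """List (scope, class_map, action) for every action containing keyword,
    e.g. find_actions(entries, 'inspect http') to confirm HTTP inspection."""
    return [(e["scope"], e["class_map"], act)
            for e in entries for _, act in e["actions"]
            if keyword in act]


if __name__ == "__main__":
    parsed = parse_service_policy_flow(SAMPLE_OUTPUT)
    for e in parsed:
        print(f"{e['scope']} / {e['policy']} / {e['class_map']}: "
              f"{[a for _, a in e['actions']] or 'no actions'}")
    print("HTTP inspection applied by:", find_actions(parsed, "inspect http"))
```

On a real box the text would come from the device session (for example via a Netmiko/paramiko connection) instead of the SAMPLE_OUTPUT string; the parser only looks at the "Key: value" lines and the indentation of the scope headers, so extra blank lines or trailing whitespace in a captured session do not affect it.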
