Thanks, Ben.
Johan Bornman
Integrated Systems Consulting (Pty) Ltd
Cell: 082 783 3635

On 13 Sep 2012, at 6:29, "Ben Shaw" <[email protected]> wrote:

> Hi All
>
> Having a look at the class-map command 'match port', it seems to me that this
> port only matches the destination port of a UDP or TCP flow. As an example, I
> configured a class map to match port 179 in order to configure TCP parameters
> on the global policy to get BGP authentication working. Below is the relevant
> configuration:
>
> tcp-map tmap1
>   tcp-options range 19 19 allow
> class-map BGP
>   match port tcp eq bgp
> policy-map global_policy
>   class BGP
>     set connection random-sequence-number disable
>     set connection advanced-options tmap1
>
> When I test the functionality of this configuration with the "show
> service-policy flow" command in either direction I get the following:
>
> Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 50000 host 174.1.127.5 eq 179
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: port tcp eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>                      set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>         Input flow:
>
> Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 179 host 174.1.124.5 eq 50000
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: class-default
>       Match: any
>       Action:
>         Input flow:
>
> Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 50000 host 174.1.124.5 eq 179
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: port tcp eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>                      set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>         Input flow:
>
> Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 179 host 174.1.127.5 eq 50000
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: class-default
>       Match: any
>       Action:
>         Input flow:
>
> As can be seen above, the BGP class map is matched regardless of which side
> of the firewall the peering is initiated on, but not for TCP response packets
> (source port 179). As a side note, it would seem that, considering the BGP
> peering still forms with this configuration, allowing TCP option 19 and
> disabling TCP randomization is only required for traffic from the initiating
> peer (to destination port 179) and not required for TCP response packets.
>
> But what about in other situations where it is important that both directions
> of a flow are matched by the class map: initiating traffic to the
> destination port defined in the class map, and from the same port for response
> traffic. In such a case, the 'match port' command is not suitable as it will
> not match return traffic using the defined port as the source port. It is
> required to use an ACL like below:
>
> access-list BGP extended permit tcp any eq bgp any
> access-list BGP extended permit tcp any any eq bgp
> class-map BGP
>   match access-list BGP
>
> As can be seen below, the flow is now matched in both directions:
>
> Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 50000 host 174.1.127.5 eq 179
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any any eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>                      set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>         Input flow:
>
> Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 179 host 174.1.124.5 eq 50000
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any eq bgp any
>       Action:
>         Input flow:  set connection random-sequence-number disable
>                      set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>         Input flow:
>
> Rack1ASA1# show service-policy flow tcp host 174.1.127.5 eq 50000 host 174.1.124.5 eq 179
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any any eq bgp
>       Action:
>         Input flow:  set connection random-sequence-number disable
>                      set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>         Input flow:
>
> Rack1ASA1# show service-policy flow tcp host 174.1.124.5 eq 179 host 174.1.127.5 eq 50000
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: BGP
>       Match: access-list BGP
>         Access rule: permit tcp any eq bgp any
>       Action:
>         Input flow:  set connection random-sequence-number disable
>                      set connection advanced-options tmap1
>     Class-map: class-default
>       Match: any
>       Action:
>         Input flow:
>
> Anyway, this did start as a question to clarify my understanding, but I seemed
> to answer my own question and thought it may be worthwhile sharing anyway. Of
> note is that if you need to perform some kind of advanced policy on traffic
> in a TCP/UDP flow bidirectionally, the 'match port' command is not suitable
> as it will only work in one direction; you will need something like an ACL
> matching the port as both a source and destination port.
>
> Ben
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
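The classification behaviour Ben describes above, modelled in Python as an added example. This is not ASA code and is not from the original thread; it is a small model of the Modular Policy Framework class-map lookup, built on two assumptions: that 'match port' compares only the destination port of the flow (as the outputs above show and as Cisco documents), and that 'match access-list' is a first-match walk over ACEs whose source and destination port operators are checked independently. Addresses in the ACEs are modelled as 'any' so the example stays about ports, and the four flow tuples are the ones Ben tested (174.1.124.5 and 174.1.127.5, ports 50000 and 179). The model goes slightly beyond the post in that a port operator can be 'any', 'eq N' or 'range A B', so UDP and ranged ports can be checked the same way.

```python
"""Model (not Cisco code) of how an ASA class-map classifies one direction of a
TCP/UDP flow under 'match port' versus 'match access-list'."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Flow:
    """One direction of a connection, as given to 'show service-policy flow'."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortSpec:
    """Port operator: 'any' (full range), 'eq N' (lo == hi) or 'range A B'."""
    lo: int = 0
    hi: int = 65535

    def matches(self, port: int) -> bool:
        return self.lo <= port <= self.hi

    def __str__(self) -> str:
        if self == ANY:
            return ""
        if self.lo == self.hi:
            return f" eq {self.lo}"
        return f" range {self.lo} {self.hi}"


ANY = PortSpec()


def eq(port: int) -> PortSpec:
    return PortSpec(port, port)


@dataclass(frozen=True)
class Ace:
    """Extended ACE 'permit <proto> any [src op] any [dst op]'; addresses are
    assumed to be 'any' in this model so only the port operators matter."""
    proto: str
    src: PortSpec = ANY
    dst: PortSpec = ANY

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and self.src.matches(flow.src_port)
                and self.dst.matches(flow.dst_port))

    def __str__(self) -> str:
        return f"permit {self.proto} any{self.src} any{self.dst}"


class MatchPort:
    """'match port <proto> eq <n>': assumed to compare the DESTINATION port only,
    which is the behaviour the show outputs above exhibit."""

    def __init__(self, proto: str, spec: PortSpec):
        self.proto, self.spec = proto, spec

    def matches(self, flow: Flow) -> Optional[str]:
        if flow.proto == self.proto and self.spec.matches(flow.dst_port):
            return f"port {self.proto}{self.spec}"
        return None


class MatchAccessList:
    """'match access-list <name>': first ACE that matches wins. Because an ACE
    carries both a source and a destination operator, two ACEs cover both
    directions of a flow."""

    def __init__(self, name: str, aces: List[Ace]):
        self.name, self.aces = name, aces

    def matches(self, flow: Flow) -> Optional[str]:
        for ace in self.aces:
            if ace.matches(flow):
                return f"access-list {self.name} ({ace})"
        return None


@dataclass(frozen=True)
class ClassMap:
    name: str
    criterion: Union[MatchPort, MatchAccessList]


def classify(policy: List[ClassMap], flow: Flow) -> Tuple[str, str]:
    """Return (class-map name, rule that matched); class-default catches the rest."""
    for cm in policy:
        hit = cm.criterion.matches(flow)
        if hit is not None:
            return cm.name, hit
    return "class-default", "any"


def classify_all(policy: List[ClassMap], flows: List[Flow]) -> List[str]:
    return [classify(policy, f)[0] for f in flows]


# Constructed sample flows: the four tuples from the post (each peer initiating,
# and each peer's reply direction).
A, B = "174.1.124.5", "174.1.127.5"
FLOWS = [
    Flow("tcp", A, 50000, B, 179),   # A opens the session to B
    Flow("tcp", B, 179, A, 50000),   # B's reply packets
    Flow("tcp", B, 50000, A, 179),   # B opens the session to A
    Flow("tcp", A, 179, B, 50000),   # A's reply packets
]

PORT_POLICY = [ClassMap("BGP", MatchPort("tcp", eq(179)))]
ACL_POLICY = [ClassMap("BGP", MatchAccessList("BGP", [
    Ace("tcp", src=eq(179)),   # permit tcp any eq bgp any
    Ace("tcp", dst=eq(179)),   # permit tcp any any eq bgp
]))]

if __name__ == "__main__":
    for label, policy in (("match port", PORT_POLICY), ("match access-list", ACL_POLICY)):
        print(f"-- {label}")
        for f in FLOWS:
            name, rule = classify(policy, f)
            print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}  {name:14s} {rule}")
```

Running it reproduces the thread's result: under PORT_POLICY the two reply directions fall to class-default, under ACL_POLICY all four directions hit the BGP class, and the rule string shows which ACE caught each one. Swapping eq(179) for a PortSpec range, or "tcp" for "udp", lets you check the same one-way behaviour for other services before relying on a 'match port' class for a bidirectional policy.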
