Re: [OSL | CCIE_Security] IPexpert Vol 1 , Lab 7A , Task 7.13
The question should have stated FPM, not NBAR. I have updated the question to be titled Flexible Packet Matching instead of MQC using NBAR.

Regards,

Tyson Scott - CCIE #13513 RS, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

> From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Yogesh Gawankar
> Sent: Monday, September 13, 2010 1:09 AM
> To: OSL Security; Vybhav Ramachandran
> Subject: Re: [OSL | CCIE_Security] IPexpert Vol 1 , Lab 7A , Task 7.13
>
> Ok Thx. In that case I feel we need to use NBAR if the question mentions it, but maybe somebody else can shed more light on this.
>
> Speaking of NBAR, does anyone have any tips on engaging the NBAR engine without the IOS crashing?
>
> Thanks and regards
> Yogesh Gawankar
>
> --- On Mon, 9/13/10, Vybhav Ramachandran tac...@tacack.com wrote:
>
> > From: Vybhav Ramachandran tac...@tacack.com
> > Subject: Re: [OSL | CCIE_Security] IPexpert Vol 1 , Lab 7A , Task 7.13
> > To: Yogesh Gawankar yogesh...@yahoo.com, OSL Security ccie_security@onlinestudylist.com
> > Date: Monday, September 13, 2010, 2:23 PM
> >
> > Hello Yogesh,
> >
> > Well, FPM is by far the most detailed method to match payload in the traffic, but I think NBAR could also be used to perform some crude payload matching.
> >
> > For example, suppose we want to match traffic destined to port UDP 6060 which has the hex string 98AB at an offset of 6 bytes from the start of the packet. We could define a custom protocol and configure it to match the string, like this:
> >
> >     # ip nbar custom <NAME OF THE CUSTOM PROTOCOL> 6 hex 98AB destination udp 6060
> >
> > This definitely is not as powerful as FPM in the sense that, for defining a custom NBAR protocol, we need to know the TCP or UDP ports that the traffic is destined for. It's not as flexible as FPM.
> >
> > My question was, since the question mentioned NBAR, are we allowed to use FPM as our matching technique? If yes, great :)
> >
> > Cheers,
> > TacACK

___
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
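The difference described in the message above, as an added Python model that is not part of the original thread or of the IPexpert solution: a port-bound match in the style of the NBAR custom protocol next to an FPM-style search that needs no port. The function names, the sample packets, the 256-byte search window and the choice to count the offset from the first UDP payload byte are assumptions made for this illustration.

```python
import struct

def build_udp_packet(dport, payload, sport=40000):
    """Constructed IPv4/UDP sample packet (checksums left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp

def parse_udp(packet):
    """Return (destination port, payload) for IPv4/UDP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IP header length; options shift the payload
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None
    (dport,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
    return dport, packet[ihl + 8:]

def port_bound_match(packet, port, offset, pattern):
    """Custom-protocol style: needs the UDP destination port and a fixed offset.
    Assumption: the offset is counted from the first UDP payload byte."""
    parsed = parse_udp(packet)
    if parsed is None or parsed[0] != port:
        return False
    return parsed[1][offset:offset + len(pattern)] == pattern

def anywhere_match(packet, pattern, window=256):
    """FPM style: search from the start of the IP header, no port needed.
    The 256-byte window is an assumed limit for this model."""
    return pattern in packet[:window]

# Constructed sample traffic (not captured from any lab)
MARKER = bytes.fromhex("98AB")
TASK_STRING = bytes.fromhex("02BACC1E")
ON_PORT = build_udp_packet(6060, b"\x00" * 6 + MARKER + b"tail")
OFF_PORT = build_udp_packet(7070, b"\x00" * 6 + MARKER + b"tail")
NO_PORT_KNOWN = build_udp_packet(5353, b"hdr" + TASK_STRING)

if __name__ == "__main__":
    print(port_bound_match(ON_PORT, 6060, 6, MARKER))
    print(port_bound_match(OFF_PORT, 6060, 6, MARKER))
    print(anywhere_match(NO_PORT_KNOWN, TASK_STRING))
```

The same bytes sent to a different port slip past the port-bound match, which is why a task that gives only the string and no L4 port fits the FPM-style search.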
Re: [OSL | CCIE_Security] IPexpert Vol 1 , Lab 7A , Task 7.13
Thanks a lot Tyson.

Cheers,
TacACK
Re: [OSL | CCIE_Security] IPexpert Vol 1 , Lab 7A , Task 7.13
Any idea guys?
Re: [OSL | CCIE_Security] IPexpert Vol 1 , Lab 7A , Task 7.13
Hi Vybhav,

What is the other method of matching an IP payload string? Just asking as I have no idea.

Thanks and regards
Yogesh Gawankar

--- On Sun, 9/12/10, Vybhav Ramachandran tac...@tacack.com wrote:

> From: Vybhav Ramachandran tac...@tacack.com
> Subject: [OSL | CCIE_Security] IPexpert Vol 1 , Lab 7A , Task 7.13
> To: OSL Security ccie_security@onlinestudylist.com
> Date: Sunday, September 12, 2010, 1:36 AM
>
> Hello All,
>
> The task 7.14 says that we have to use NBAR to drop traffic which has the string 0x02BACC1E. The solution makes use of FPM. I used an NBAR custom protocol (which required the use of an L4 port number, which was not given in the task).
>
> So, in the CCIE lab, if the task asks for NBAR, can we use FPM?
>
> Cheers,
> TacACK
Re: [OSL | CCIE_Security] IPexpert Vol 1 , Lab 7A , Task 7.13
Ok Thx. In that case I feel we need to use NBAR if the question mentions it, but maybe somebody else can shed more light on this.

Speaking of NBAR, does anyone have any tips on engaging the NBAR engine without the IOS crashing?

Thanks and regards
Yogesh Gawankar