RE: Port 0 Filter (Repost)

From: Church, Chuck (cchurch@wamnetgov.com)
Date: Tue Apr 27 2004 - 16:02:35 GMT-3


That doesn't look like a 'dump' output. Anyway, it's possible it's the
issue that David Hiers mentioned in the last email; the fact that they
use '0' when they didn't dig down that far into the packet. A 'dump'
debug has a few lines listed per packet.

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Wam!Net Government Services - Design & Implementation Team
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
-----Original Message-----
From: yuki hisano [mailto:yukyhisano@hotmail.com]
Sent: Tuesday, April 27, 2004 2:54 PM
To: Church, Chuck; ccielab@groupstudy.com
Subject: RE: Port 0 Filter (Repost)

Chuck,

Here is the brief output I got after applying your idea.
It does not show the port numbers.

Apr 27 18:48:09: IP: s=192.168.123.2 (Ethernet0/0), d=192.168.1.128 (Ethernet0/0 ), g=192.168.2.34, len 48, forward
Apr 27 18:48:09: IP: s=192.168.123.2 (Ethernet0/0), d=192.168.1.128 (Ethernet0/0 ), g=192.168.2.34, len 48, forward
Apr 27 18:48:09: IP: s=192.168.123.2 (Ethernet0/0), d=192.168.1.128 (Ethernet0/0 ), g=192.168.2.34, len 48, forward
Apr 27 18:48:09: IP: s=192.168.123.2 (Ethernet0/0), d=192.168.1.128 (Ethernet0/0 ), g=192.168.2.34, len 48, forward
IP: s=192.168.123.

Any other thoughts?

Thanks!

Yuki

>From: "Church, Chuck" <cchurch@wamnetgov.com>
>To: "yuki hisano" <yukyhisano@hotmail.com>,<ccielab@groupstudy.com>
>Subject: RE: Port 0 Filter (Repost)
>Date: Tue, 27 Apr 2004 13:06:53 -0500
>
>What does the exact log message look like? What are the source and
>destination devices involved? Turn off fast switching on the hub
>router. Create an access list that matches bidirectional traffic
>between these two devices 'permit ip host x host y' and 'permit ip host
>y host x'. Then do a 'deb ip packet dump Z' where Z is the number of
>the extended access-list. What does the debug then show you? Anything
>interesting? Careful about the debug, it's processor-intensive. Be
>ready with a 'u all'.
>
>
>Chuck Church
>Lead Design Engineer
>CCIE #8776, MCNE, MCSE
>Wam!Net Government Services - Design & Implementation Team
>13665 Dulles Technology Dr. Ste 250
>Herndon, VA 20171
>Office: 703-480-2569
>Cell: 703-819-3495
>cchurch@wamnetgov.com
>PGP key:
>http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>yuki hisano
>Sent: Tuesday, April 27, 2004 12:34 PM
>To: ccielab@groupstudy.com
>Subject: RE: Port 0 Filter (Repost)
>
>Chuck, Jonathan, and else,
>
>I am sorry that my explanation was not clear enough. I thought what I
>was asking was something well known to most of the guys on the list.
>
>Here is the better explanation;
>
>There is a private Hub-Spoke frame-relay network associated with one
>hub and 7 spoke locations.
>There are two Spoke sites generating a lot of traffic to each other.
>These two sites send traffic to other sites as well although the amount
>is less in comparison.
>I hooked some access-list just to see what type of port number it is
>using.
>The result is like this:
>
>source: 192.168.X.X (0) destination 192.168.X.X (0) (they are either
>TCP or UDP)
>
>The number in parentheses is my question. Usually I find 445, 69, 25, 80
>etc.
>But I went ahead and denied port 0 with access-lists and it was
>unsuccessful.
>
>I have tried:
>
>access-list 113 deny tcp any any eq 0
>access-list 113 deny udp any any eq 0
>access-list 113 permit ip any any
>
>and,
>
>access-list 113 deny tcp any eq 0 any
>access-list 113 deny tcp any any eq 0
>access-list 113 deny udp any eq 0 any
>access-list 113 deny udp any any eq 0
>access-list 113 permit ip any any
>
>and,
>
>access-list 113 permit tcp any any gt 0 lt 65535
>access-list 113 permit tcp any gt 0 lt 65535 any
>access-list 113 permit udp any any gt 0 lt 65535
>access-list 113 permit udp any gt 0 lt 65535 any
>access-list 113 deny tcp any any
>access-list 113 deny udp any any
>access-list 113 permit ip any any
>
>all of the above did not work.
>I am kind of stuck and doesn't seem to go anywhere with my knowledge.
>
>Does this explain good enough?
>
>Thanks for your help!
>
>Yuki
>
>
>
>
> >From: "Jonathan Hays" <nomad@gfoyle.org>
> >Reply-To: "Jonathan Hays" <nomad@gfoyle.org>
> >To: <ccielab@groupstudy.com>
> >Subject: RE: Port 0 Filter (Repost)
> >Date: Tue, 27 Apr 2004 09:44:20 -0400
> >
> >you wrote:
> > >-----Original Message-----
> > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > >Behalf Of yuki hisano
> > >Sent: Tuesday, April 27, 2004 8:36 AM
> > >To: ccielab@groupstudy.com
> > >Subject: Port 0 Filter (Repost)
> > >
> > >
> > >Hi,
> > >
> > >I am posting this again since I had only one response and did not
> > >solve the prob.
> > >
> > >Is there any way to filter port "0"ed traffic?
> > >
> > >
> > >Thanks.
> > >
> > >Yuki
> >= = =
> >
> >In my opinion you did not provide enough information for a
> >knowledgeable network engineer to even make a wild guess at your
> >problem.
> >
> >1. Describe the relevant network topology
> >2. Provide a sniffer or debug trace of the problem packets
> >3. Post sanitized configurations
> >4. Or at least describe the problem in more detail.
> >
> >While you're at it, you might read this:
> >
> >http://www.catb.org/~esr/faqs/smart-questions.html
> >
> >-Jonathan
> >
> >_______________________________________________________________________
> >Please help support GroupStudy by purchasing your study materials from:
> >http://shop.groupstudy.com
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
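
The brief 'debug ip packet' entries quoted in this thread carry addresses, interfaces, next hop and length but no port fields, so they can be tallied per flow even when a mail client has wrapped several entries together. The following is an added example, not part of any poster's message; the function names are illustrative and the sample is the quoted output embedded as constructed input.

```python
import re
from collections import Counter

# Constructed sample: the debug entries quoted in the thread, kept wrapped
# together the way the mail client left them, truncated last entry included.
SAMPLE = """\
Apr 27 18:48:09: IP: s=192.168.123.2 (Ethernet0/0), d=192.168.1.128
(Ethernet0/0 ), g=192.168.2.34, len 48, forward Apr 27 18:48:09: IP:
s=192.168.123.2 (Ethernet0/0), d=192.168.1.128 (Ethernet0/0 ),
g=192.168.2.34, len 48, forward Apr 27 18:48:09: IP: s=192.168.123.2
(Ethernet0/0), d=192.168.1.128 (Ethernet0/0 ), g=192.168.2.34, len 48,
forward Apr 27 18:48:09: IP: s=192.168.123.2 (Ethernet0/0),
d=192.168.1.128 (Ethernet0/0 ), g=192.168.2.34, len 48, forward
IP: s=192.168.123.
"""

# One complete brief entry: addresses, interfaces, next hop, length, action.
ENTRY = re.compile(
    r"IP: s=(?P<src>\d+(?:\.\d+){3}) \((?P<in_if>[^)]*)\), "
    r"d=(?P<dst>\d+(?:\.\d+){3}) \((?P<out_if>[^)]*)\), "
    r"g=(?P<gw>\d+(?:\.\d+){3}), len (?P<length>\d+), (?P<action>\w+)"
)

def parse_entries(text):
    """Return one dict per complete entry; incomplete entries are skipped."""
    flat = " ".join(text.split())  # undo line wrapping
    entries = []
    for m in ENTRY.finditer(flat):
        e = {k: v.strip() for k, v in m.groupdict().items()}
        e["length"] = int(e["length"])
        entries.append(e)
    return entries

def summarize(text):
    """Map (src, dst, gateway) -> (packets, bytes, same_interface)."""
    packets, octets, hairpin = Counter(), Counter(), {}
    for e in parse_entries(text):
        flow = (e["src"], e["dst"], e["gw"])
        packets[flow] += 1
        octets[flow] += e["length"]
        # True when the packet leaves on the interface it arrived on.
        hairpin[flow] = e["in_if"] == e["out_if"]
    return {f: (packets[f], octets[f], hairpin[f]) for f in packets}

if __name__ == "__main__":
    for flow, (count, total, same_if) in summarize(SAMPLE).items():
        print(flow, "packets:", count, "bytes:", total, "same interface:", same_if)
```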



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:56 GMT-3