Re: NBAR for Security Filtering

From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Dec 16 2004 - 08:35:09 GMT-3


Chris,

There's another GOTCHA when it comes to MQC that is easy to overlook - I
know I did on my last attempt.

MQC doesn't work for packets generated by the router itself or for packets
addressed to the router itself.

For example, suppose you configure an MQC to affect ping packets going out.
Then you ping from that router.

If you check the destination of the ping, you'll see that whatever you set
for the ping packets didn't take.

I think this caveat still remains.

Tim
----- Original Message -----
From: "Lord, Chris" <chris.lord@lorien.co.uk>
To: "ccie2be" <ccie2be@nyc.rr.com>
Sent: Thursday, December 16, 2004 5:22 AM
Subject: RE: NBAR for Security Filtering

Hi Tim,

This makes sense, thanks. Did you see Chuck Church's experience of CPU
utilisation once the packets were dropped on the inbound interface? -
interesting!

Sorry to hear about your last attempt. I got zero in QoS on my third
attempt - I don't know why to this day! I got through on my fourth - I
think there's an exam in there that suits each individual; it's just a
case of waiting for it to come your way.

Best regards,

Chris

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: 15 December 2004 19:03
To: Lord, Chris
Subject: Re: NBAR for Security Filtering

Hey Chris,

I was just reading that book this whole past week and it was part of the
inspiration for the NBAR quizzes I had posted over the past few days.

I think the issue is that Deal didn't specify which version of IOS he was
commenting on and so, I believe some of the restrictions he mentions for
NBAR are no longer true.

Unfortunately, I don't have the right stuff to test the different combos.

Deal gives the impression that the only policy map commands that are
allowed with NBAR are set ip prec and set ip dscp.

That, flat out, is not true. Police and shape can definitely also be used.

Also, I think the direction of the service-policy also is a factor for
some of the policy map commands. (Of course, I realize that some policy
map commands don't make any sense if the direction is IN, for example,
shape.)

Take a look at the NBAR pop quizzes I posted (I think there are about 3
of them) to get an idea of some of the issues at play here.

I know this is worth knowing cold because I lost lots of points on the
QoS portion of my last lab attempt.

HTH, Tim
----- Original Message -----
From: "Lord, Chris" <chris.lord@lorien.co.uk>
To: "Group Study" <ccielab@groupstudy.com>
Sent: Wednesday, December 15, 2004 1:48 PM
Subject: NBAR for Security Filtering

> I was wondering whether anybody has read Deal's "Cisco Router Firewall
> Security" book - section on using NBAR to filter attacks.
>
> The method prescribed is to craft a policy map on the inbound interface
> using NBAR to detect dangerous traffic (e.g. Code Red URLs), mark
> matching packets with a dscp value and then use an acl on the outbound
> interface to detect the dscp value and deny the traffic.
>
> Why not just drop the packets in the first place using the inbound
> policy-map instead of letting it traverse the router first??
>
> Any views out there on this??
>
> TIA
>
> Chris.
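As an added example (not from the thread, and not a configuration from Deal's book or from Cisco), here is how the two approaches Chris compares look in IOS MQC, together with the police/shape and direction points Tim raises in his reply. The interface names, addresses, class/policy/ACL names and the URL patterns are assumptions; the three patterns are the commonly cited Code Red request signatures chosen to stand in for "dangerous traffic", not values taken from the book.

```cisco
! Added example, not from the thread. Fa0/0 faces the Internet, Fa0/1 the
! web server; names, addresses and URL patterns are assumptions.
ip cef
!
! NBAR classification of the request URLs to be filtered.
class-map match-any HTTP-HACKS
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Plain HTTP class, used only to show a direction-dependent action (shape).
class-map match-all HTTP-TRAFFIC
 match protocol http
!
! Approach 1 (as Chris describes Deal): mark on the inbound interface,
! then filter on the DSCP value with an ACL on the outbound interface.
policy-map MARK-HTTP-HACKS
 class HTTP-HACKS
  set ip dscp 1
 class class-default
!
access-list 105 deny   ip any any dscp 1
access-list 105 permit ip any any
!
! Approach 2 (Chris's question): drop on the inbound interface so the
! packets never transit the router. Tim's point that police works with
! NBAR is what makes this possible on IOS that has no "drop" class action;
! a policer whose every action is drop discards all matching packets.
! Newer IOS also accepts a bare "drop" under the class instead.
policy-map DROP-HTTP-HACKS
 class HTTP-HACKS
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
 class class-default
!
! Direction matters: shaping is meaningful only on an output policy.
policy-map SHAPE-HTTP
 class HTTP-TRAFFIC
  shape average 512000
 class class-default
!
interface FastEthernet0/0
 description Internet-facing (assumed)
 ip address 192.0.2.1 255.255.255.0
 ! Approach 1: mark inbound ...
 service-policy input MARK-HTTP-HACKS
 ! Approach 2: ... or replace the line above with the dropping policy.
 ! service-policy input DROP-HTTP-HACKS
!
interface FastEthernet0/1
 description Toward web server (assumed)
 ip address 198.51.100.1 255.255.255.0
 ! Approach 1: the outbound ACL does the actual denying.
 ip access-group 105 out
 ! Output direction is where shape belongs.
 service-policy output SHAPE-HTTP
```

Whichever approach is used, `show policy-map interface FastEthernet0/0` shows the per-class match and drop counters, and `show access-lists 105` shows the ACL hit counts, so it is easy to confirm which stage is discarding the traffic. Bear in mind Tim's caveat at the top of the thread when reading those counters: traffic the router itself sends or receives is not what these policies are counting.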



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:27 GMT-3