RE: Identify ARP

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu May 05 2005 - 13:06:59 GMT-3


I got it to match outbound but not inbound. Do you have CEF enabled?

class-map match-all ARP
  match protocol arp
!
policy-map ARP
  class ARP

Rack1R4#show ip route static
S* 0.0.0.0/0 is directly connected, Ethernet0/1
Rack1R4#show ip route 10.20.30.40
% Network not in table
Rack1R4#debug arp
ARP packet debugging is on
Rack1R4#ping 10.20.30.40 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.20.30.40, timeout is 2 seconds:

IP ARP: creating incomplete entry for IP address: 10.20.30.40 interface
Ethernet0/1
IP ARP: sent req src 155.1.146.4 0050.8004.8e01,
                 dst 10.20.30.40 0000.0000.0000 Ethernet0/1.
Success rate is 0 percent (0/1)
Rack1R4#show policy-map int e0/1
 Ethernet0/1

  Service-policy input: ARP

    Class-map: ARP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: protocol arp

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: ARP

    Class-map: ARP (match-all)
      1 packets, 60 bytes <-----------------
      5 minute offered rate 0 bps
      Match: protocol arp

    Class-map: class-default (match-any)
      6 packets, 550 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
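To make concrete what the thread is really matching on, here is an added Python example (not part of the original messages, and not Cisco code): it parses an Ethernet II frame, identifies ARP purely by the EtherType 0x0806 that Brian refers to, decodes the RFC 826 ARP header into the same fields `debug arp` prints, and evaluates a type-code ACL entry such as `access-list 200 permit 0x0806 0x0000`. The wildcard semantics in `typecode_match` (bits set in the mask are ignored, bits clear must match) are my assumption about how that ACL entry is evaluated. The sample frames are constructed; the addresses come from the `debug arp` line above, and the request is padded to 60 bytes to mirror the `1 packets, 60 bytes` counter.

```python
"""Identify ARP frames by EtherType (0x0806) and decode the ARP header.

Added example for this thread; not Cisco's code. The ACL wildcard
semantics in typecode_match are an assumption about how
"access-list 200 permit 0x0806 0x0000" is evaluated.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ffff.ffff.ffff"
MIN_FRAME = 60  # minimum Ethernet frame without FCS; shorter frames are padded


def mac_bytes(dotted: str) -> bytes:
    """'0050.8004.8e01' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def mac_str(raw: bytes) -> str:
    """6 raw bytes -> Cisco dotted-hex notation."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: int
    payload: bytes


def parse_ethernet(raw: bytes) -> Frame:
    """Split an Ethernet II frame into header fields and payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than Ethernet II header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    return Frame(mac_str(dst), mac_str(src), etype, raw[14:])


def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP header (RFC 826)."""
    if len(payload) < 28:
        raise ValueError("ARP payload shorter than 28 bytes")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": {1: "request", 2: "reply"}.get(oper, f"opcode {oper}"),
        "sender_mac": mac_str(payload[8:14]),
        "sender_ip": ip_str(payload[14:18]),
        "target_mac": mac_str(payload[18:24]),
        "target_ip": ip_str(payload[24:28]),
    }


def typecode_match(ethertype: int, value: int, wildcard: int) -> bool:
    """Assumed semantics of a type-code ACL entry 'permit <value> <wildcard>':
    wildcard bits set to 1 are ignored, bits set to 0 must match."""
    care = ~wildcard & 0xFFFF
    return (ethertype & care) == (value & care)


def classify(raw: bytes) -> str:
    """One-line verdict on the frame, the way an EtherType classifier sees it."""
    fr = parse_ethernet(raw)
    if typecode_match(fr.ethertype, ETHERTYPE_ARP, 0x0000):
        arp = parse_arp(fr.payload)
        return f"arp {arp['op']} {arp['sender_ip']} -> {arp['target_ip']}"
    return f"ethertype 0x{fr.ethertype:04x}"


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample: a broadcast ARP request padded to 60 bytes."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes("0000.0000.0000") + ip_bytes(target_ip)
    hdr = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    return (hdr + arp).ljust(MIN_FRAME, b"\x00")


def build_ipv4_stub(src_mac: str = "0050.8004.8e01") -> bytes:
    """Constructed sample: an IPv4 frame with a dummy payload (non-ARP traffic)."""
    hdr = mac_bytes("0010.7b81.0b76") + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return (hdr + b"\x45" + b"\x00" * 19).ljust(MIN_FRAME, b"\x00")


if __name__ == "__main__":
    # Addresses taken from the 'debug arp' line in the message above.
    req = build_arp_request("0050.8004.8e01", "155.1.146.4", "10.20.30.40")
    print(classify(req))                # arp request 155.1.146.4 -> 10.20.30.40
    print(classify(build_ipv4_stub()))  # ethertype 0x0800
```

The point of the example is that ARP is identified at layer 2 by the EtherType field alone; an ARP frame carries no IP header, which is why an IP-based match criterion has nothing to inspect and why a class that counts ARP on one direction but not the other is worth checking with the EtherType counters of the transit switch as well.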

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of gladston@br.ibm.com
> Sent: Thursday, May 05, 2005 10:05 AM
> To: Brian McGahan
> Cc: ccielab@groupstudy.com; swm@emanon.com
> Subject: RE: Identify ARP
>
> It seems there is no way to match that on a router.
> Match protocol ARP should work, don't you think?
>
> These do not work:
> match access-group 200
> match protocol arp
>
> Access-list 200 selects 0x0806
>
> (well, I did not have the opportunity to test it on another platform, like 7500, 3600, 2600)
>
> Just to test other facilities, "match source-address mac h.h.h" works,
> even though it is an IP packet. I am wondering if 'match access-group 200'
> matches just non-IP traffic.
>
>
>
> Cordially,
> ------------------------------------------------------------------
> Gladston
>
>
>
>
> "Brian McGahan" <bmcgahan@internetworkexpert.com>
> 05/05/2005 11:55
>
> To
> Alaerte Gladston Vidali/Brazil/IBM@IBMBR, <swm@emanon.com>
> cc
> <ccielab@groupstudy.com>
> Subject
> RE: Identify ARP
>
> Not on the router, I mean on a switch in the transit path (like the 3550).
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
>
> ________________________________________
> From: gladston@br.ibm.com [mailto:gladston@br.ibm.com]
> Sent: Thursday, May 05, 2005 7:39 AM
> To: Brian McGahan; swm@emanon.com
> Cc: ccielab@groupstudy.com
> Subject: RE: Identify ARP
>
>
> It does not work either. At least not on 2500 with 12.2T:
>
> class-map match-all Test
> match access-group 200
> !
> policy-map Test
> class Test
> police cir 1000000
> conform-action set-dscp-transmit af11
> exceed-action drop
> violate-action drop
> !
> interface Ethernet0
> ip address 172.16.36.100 255.255.255.0 secondary
> ip address 172.16.36.200 255.255.255.0 secondary
> ip address 172.16.36.33 255.255.255.0 secondary
> ip address 172.16.36.3 255.255.255.0
> ip verify unicast source reachable-via rx 130
> ip accounting access-violations
> service-policy input Test
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 cisco
> !
> access-list 200 permit 0x0806 0x0000
>
> r3#deb arp
> ARP packet debugging is on
>
> r3(config)#int e0
> r3(config-if)#ip address 172.16.36.133 255.255.255.0 se
>
> *Apr 15 11:32:42.285: IP ARP: rcvd req src 172.16.36.6 0010.7b81.0b76, dst 172.16.36.133 Ethernet0
> *Apr 15 11:32:42.289: IP ARP: sent rep src 172.16.36.133 0010.7b80.dc6c, dst 172.16.36.6 0010.7b81.0b76 Ethernet0
>
> r3#sh policy-map interface e0
> Ethernet0
>
> Service-policy input: Test
>
> Class-map: Test (match-all)
> 0 packets, 0 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: access-group 200
> police:
> cir 1000000 bps, bc 31250 bytes, be 31250 bytes
> conformed 0 packets, 0 bytes; actions:
> set-dscp-transmit af11
> exceeded 0 packets, 0 bytes; actions:
> drop
> violated 0 packets, 0 bytes; actions:
> drop
> conformed 0 bps, exceed 0 bps, violate 0 bps
>
> Class-map: class-default (match-any)
> 9258 packets, 849624 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
> r3#
>
> It is matching default class. Any ideas?
>
>
> Cordially,
> ------------------------------------------------------------------
> Gladston
>
>
> "Brian McGahan" <bmcgahan@internetworkexpert.com>
> 04/05/2005 12:10
> To
> Alaerte Gladston Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
> cc
>
> Subject
> RE: Identify ARP
>
> Match it in the layer 2 transit path with EtherType 0x806.
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of gladston@br.ibm.com
> > Sent: Wednesday, May 04, 2005 8:14 AM
> > To: ccielab@groupstudy.com
> > Subject: Identify ARP
> >
> > How would you identify ARP packets besides using "match protocol arp"?
> >
> > I am using match protocol arp on 2550 with 12.2T but it does not match arp packets:
> >
> > This confirms the router received arp request:
> >
> >
> > *Apr 14 12:02:59.067: IP ARP: rcvd req src 172.16.36.6 0010.7b81.0b76, dst 172.16.36.200 Ethernet0
> > *Apr 14 12:02:59.075: IP ARP: sent rep src 172.16.36.200 0010.7b80.dc6c, dst 172.16.36.6 0010.7b81.0b76 Ethernet0
> >
> > This shows it is not counting on match protocol arp:
> >
> > r3#sh policy-map interface e0
> > Ethernet0
> >
> > Service-policy input: Test
> >
> > Class-map: Test (match-all)
> > 0 packets, 0 bytes
> > 5 minute offered rate 0 bps, drop rate 0 bps
> > Match: protocol arp
> > police:
> > cir 1000000 bps, bc 31250 bytes, be 31250 bytes
> > conformed 0 packets, 0 bytes; actions:
> > set-dscp-transmit af11
> > exceeded 0 packets, 0 bytes; actions:
> > drop
> > violated 0 packets, 0 bytes; actions:
> > drop
> > conformed 0 bps, exceed 0 bps, violate 0 bps
> >
> > Class-map: class-default (match-any)
> > 72 packets, 6928 bytes
> > 5 minute offered rate 0 bps, drop rate 0 bps
> > Match: any
> > r3#
> >
> > This is the configuration:
> >
> >
> > class-map match-all Test
> > match protocol arp
> > !
> > policy-map Test
> > class Test
> > police cir 1000000
> > conform-action set-dscp-transmit af11
> > exceed-action drop
> > violate-action drop
> > !
> > interface Ethernet0
> > ip address 172.16.36.100 255.255.255.0 secondary
> > ip address 172.16.36.200 255.255.255.0 secondary
> > ip address 172.16.36.3 255.255.255.0
> > ip verify unicast source reachable-via rx 130
> > service-policy input Test
> >
> >
>



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:56 GMT-3