Sadiq,
If you only applied this in one direction on an interface then accounting
for both source eq 23 and dest eq 23 actually would be a good thing.
As I haven't tested the first example I am not positive but I don't know if
the first one will work. It may possibly.
The second example is how I would typically do it.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Thursday, March 18, 2010 2:13 PM
To: Cisco certification; Cisco certification
Subject: Re: Flexible Packet Matching
Please ignore the line " match field tcp source-port eq 23" below when
analyzing the config!
On Thu, Mar 18, 2010 at 5:24 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> All,
>
> So would there be any difference between the 2 solutions below? I don't have
> the right image to configure and test, so there might be syntax issues here.
> I am mostly curious about the approach.
>
> Thanks again, as usual.
>
> Sadiq
>
> Solution 1:
> class-map type stack match-all TELNET
> match field ip protocol eq 0x6 next tcp
> match field tcp dest-port eq 23
>
> policy-map type access-control INTERFACE_POLICY
> class TELNET
> drop
>
> Solution 2:
> class-map type access-control match-any TELNET
> match field tcp dest-port eq 23
> match field tcp source-port eq 23
>
> class-map type stack match-all TCP
> match field ip protocol eq 0x6 next tcp
>
> policy-map type access-control BLOCK_TELNET
> class TELNET
> drop
>
> policy-map type access-control INTERFACE_POLICY
> class TCP
> service-policy BLOCK_TELNET
>
> --
> CCIE #19963
>
--
CCIE #19963
Blogs and organic groups at http://www.ccie.net
Received on Thu Mar 18 2010 - 18:16:38 ART
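
The direction question raised in this thread, as an added example that is not part of the original messages: a simplified Python model (not Cisco FPM itself) of a drop rule applied in one direction, matching only the TCP destination port versus matching either port. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

TELNET = 23
IPPROTO_TCP = 0x6  # same value the class-maps test with "ip protocol eq 0x6"

def build_packet(src_port, dst_port, proto=IPPROTO_TCP, frag_offset=0):
    """Constructed sample: 20-byte IPv4 header followed by a 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag_offset & 0x1FFF,
                     64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      0x50, 0x02, 1024, 0, 0)
    return ip + tcp

def parse_ports(packet):
    """Return (src_port, dst_port) for an unfragmented IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != IPPROTO_TCP:
        return None                        # the "stack" step: IP must carry TCP
    if struct.unpack_from("!H", packet, 6)[0] & 0x1FFF:
        return None                        # later fragments carry no TCP header
    if len(packet) < ihl + 4:
        return None
    return struct.unpack_from("!HH", packet, ihl)

def drops(packet, match_source_port):
    """Model of the drop decision for a policy attached in a single direction.

    match_source_port=False: only "dest-port eq 23" is tested.
    match_source_port=True:  match-any over dest-port eq 23 / source-port eq 23.
    """
    ports = parse_ports(packet)
    if ports is None:
        return False
    src, dst = ports
    return dst == TELNET or (match_source_port and src == TELNET)

# Constructed traffic seen in the one direction the policy is attached to.
to_server = build_packet(40000, TELNET)    # session toward a Telnet server
from_server = build_packet(TELNET, 40000)  # reply traffic from a Telnet server

if __name__ == "__main__":
    for name, pkt in (("to_server", to_server), ("from_server", from_server)):
        print(name, "dest-only:", drops(pkt, False), "either-port:", drops(pkt, True))
```
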