Right, thanks Tyson.
I guess it would make more sense to use the second approach and apply the
service-policy in one direction on the interface (yet still drop the telnet
traffic on both directions).
Otherwise to achieve the same results with the first approach, I could
configure 2 classes, each matching the traffic in a direction, and applying
the policy.
A third un-intuitive method would be 2 service-policies, each having a class
matching in each direction I guess.
I will try and give this a whirl in the morning, see how it goes then.
Sadiq
On Thu, Mar 18, 2010 at 10:16 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
> Sadiq,
>
> If you only applied this in one direction on an interface then accounting
> for both source eq 23 and dest eq 23 actually would be a good thing.
>
> As I haven't tested the first example I am not positive but I don't know if
> the first one will work. It may possibly.
>
> The second example is how I would typically do it.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Thursday, March 18, 2010 2:13 PM
> To: Cisco certification; Cisco certification
> Subject: Re: Flexible Packet Matching
>
> Please ignore the line " match field tcp source-port eq 23" below when
> analyzing the config!
>
> On Thu, Mar 18, 2010 at 5:24 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
> wrote:
>
> > All,
> >
> > So would there be any difference between the 2 solutions below. I don't
> > have the right image to configure and test, so there might be syntax issues
> > here. I am mostly curious about the approach.
> >
> > Thanks again, as usual.
> >
> > Sadiq
> >
> > Solution 1:
> > class-map type stack match-all TELNET
> >  match field ip protocol eq 0x6 next tcp
> >  match field tcp dest-port eq 23
> >
> > policy-map type access-control INTERFACE_POLICY
> >  class TELNET
> >   drop
> >
> > Solution 2:
> > class-map type access-control match-any TELNET
> >  match field tcp dest-port eq 23
> >  match field tcp source-port eq 23
> >
> > class-map type stack match-all TCP
> >  match field ip protocol eq 0x6 next tcp
> >
> > policy-map type access-control BLOCK_TELNET
> >  class TELNET
> >   drop
> >
> > policy-map type access-control INTERFACE_POLICY
> >  class TCP
> >   service-policy BLOCK_TELNET
> >
> > --
> > CCIE #19963
> >
>
>
>
> --
> CCIE #19963
--
CCIE #19963

Blogs and organic groups at http://www.ccie.net

Received on Thu Mar 18 2010 - 23:31:48 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART
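A small model of the two solutions, added here as an example that is not part of the original thread: it treats the FPM match-all and match-any class-maps as boolean predicates over constructed packets and shows why, when the service-policy is applied in only one direction, Solution 1 drops only client-to-server telnet while Solution 2 (matching either port) drops both directions. The packet fields and flow names are constructed, and this is a Python model, not IOS code.

```python
# Added example (not from the thread): model the FPM class-maps of Solution 1
# and Solution 2 as predicates and evaluate them on constructed packets.
from typing import Callable, Dict, Tuple

Packet = Dict[str, int]  # constructed: {"proto", "src_port", "dst_port"}
Match = Callable[[Packet], bool]


def field(name: str, value: int) -> Match:
    """One 'match field ... eq <value>' line."""
    return lambda p: p.get(name) == value


def match_all(*matches: Match) -> Match:
    """class-map ... match-all: every match line must hit."""
    return lambda p: all(m(p) for m in matches)


def match_any(*matches: Match) -> Match:
    """class-map ... match-any: a single match line suffices."""
    return lambda p: any(m(p) for m in matches)


# Solution 1: a single stack class carrying both the protocol and the port test.
TELNET_S1 = match_all(field("proto", 6), field("dst_port", 23))

# Solution 2: stack class TCP, then nested access-control class TELNET.
TCP_S2 = match_all(field("proto", 6))
TELNET_S2 = match_any(field("dst_port", 23), field("src_port", 23))


def policy_solution1(p: Packet) -> str:
    return "drop" if TELNET_S1(p) else "permit"


def policy_solution2(p: Packet) -> str:
    # INTERFACE_POLICY: class TCP -> service-policy BLOCK_TELNET -> class TELNET -> drop
    return "drop" if TCP_S2(p) and TELNET_S2(p) else "permit"


# Constructed packets all seen in ONE direction on the interface (e.g. input).
FLOWS: Dict[str, Packet] = {
    "client->server telnet": {"proto": 6, "src_port": 51000, "dst_port": 23},
    "server->client telnet": {"proto": 6, "src_port": 23, "dst_port": 51000},
    "client->server ssh": {"proto": 6, "src_port": 51001, "dst_port": 22},
    "udp to port 23": {"proto": 17, "src_port": 51002, "dst_port": 23},
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Verdict of (Solution 1, Solution 2) for every constructed flow."""
    return {n: (policy_solution1(p), policy_solution2(p)) for n, p in FLOWS.items()}


if __name__ == "__main__":
    for name, (s1, s2) in compare().items():
        print(f"{name:24s} solution1={s1:6s} solution2={s2}")
```

Only the return direction of the telnet session differs: Solution 1 lets the server-to-client packets through, which is the point Tyson made about accounting for both source and destination port 23 when the policy is applied in a single direction.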