Re: Router trick - how to allow only one single packet

From: Rich Collins <nilsi2002_at_gmail.com>
Date: Fri, 5 Nov 2010 14:09:24 -0400

Hi,

Yes it is an isolated environment and I will not affect other testing.

I tried your suggestion with an ACL with the log statement. The EEM
looks for the pattern in the syslog and then shuts down the interface.
The problem is that this is not fast enough - about 3-4 seconds
elapses before the interface is shut down "enable, config term,
interface, shut". I'm not sure if some other EEM action would be much
faster.

This also opens up an old question about logging on ACLs. Only the
first packet is logged and not the following ones if they have the
same characteristics - at least for the next five minutes. How can
one disable this default or how can one reinitialize this buffer?
Clear access-list counter does not do the job.

Thanks
Rich

On Thu, Nov 4, 2010 at 8:44 PM, Nick Matthews <matthn_at_gmail.com> wrote:
> If it was an isolated environment, and maybe even not then, you could do
> something like this:
>
> Create a trigger:
> Turn on 'debug ip packet detail'
> or
> Use an access list with a 'log' statement
>
> Write an EEM script to trigger when something in the log matches either the
> packet details or the log statement
> Have the EEM script write an ACL to block the rest of the packets
>
> At that point I would probably manually disable the ACL to re-test. You
> could get fancy and write a watchdog EEM to do this as well.
>
> -nick
>
> On Thu, Nov 4, 2010 at 3:27 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>>
>> What about VACLs or MACLs? You could block this at the layer 2 frame.
>>
>> Regards,
>> Jay McMickle- CCNP, CCSP, CCDP, MCSE
>> http://mycciepursuit.wordpress.com/
>>
>> ________________________________
>> From: Rich Collins <nilsi2002_at_gmail.com>
>> To: Cisco certification <ccielab_at_groupstudy.com>
>> Sent: Thu, November 4, 2010 9:48:37 AM
>> Subject: Router trick - how to allow only one single packet
>>
>> Hi all,
>>
>> I am trying to test a client application in the lab and need a method
>> to block subsequent requests to a server. The retries (UDP packets
>> with same length, port number, etc.) from this client should not reach
>> the server. The retries occur less than a second later and continue.
>>
>> Limiting by CAR would still pass some of the requests a few seconds
>> later. I can't record and spoof this first packet because of the
>> encoding in the packet.
>>
>> I was also thinking of load balancing by packet and creating numerous
>> sinkholes at dummy destinations.
>>
>> Any ideas or EEM?
>>
>> Thanks
>> Rich

Received on Fri Nov 05 2010 - 14:09:24 ART
