Re: Router trick - how to allow only one single packet

From: garry baker <baker.garry_at_gmail.com>
Date: Fri, 5 Nov 2010 13:48:12 -0500

For the logging piece, try this (tested with console logging); it might
be what you are looking for. It counts all my ping packets:

'ip access-list log-update threshold 1'

R2#ping 2.2.2.2 r 11

Type escape sequence to abort.
Sending 11, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!!!!!!!
Success rate is 100 percent (11/11), round-trip min/avg/max = 8/68/320 ms

R1(config)#
*Nov 5 13:44:34.311: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.571: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.611: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.687: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.711: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.719: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.731: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.735: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.755: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.791: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet
*Nov 5 13:44:34.851: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.1.2 -> 2.2.2.2, 1 packet

--
Garry L. Baker
"There is no 'patch' for stupidity." - www.sqlsecurity.com
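As an added example (not from any poster in this thread), here is how Garry's log-update threshold and Nick's EEM suggestion could be combined so that exactly one datagram is permitted and the retries are dropped by editing the ACL rather than shutting the interface. The client/server addresses, UDP port, interface and object names are constructed for the lab.

```cisco
! Global: emit one syslog line per matching packet instead of one line per
! flow every five minutes (the default behaviour Rich ran into).
ip access-list log-update threshold 1
!
! Constructed lab values: client 10.1.1.2, server 2.2.2.2, UDP/5000.
! Sequence 10 permits and logs the first datagram; sequence 20 drops the rest
! once 10 is gone. Everything else is left untouched.
ip access-list extended ONE-PACKET
 10 permit udp host 10.1.1.2 host 2.2.2.2 eq 5000 log
 20 deny   udp host 10.1.1.2 host 2.2.2.2 eq 5000 log
 30 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group ONE-PACKET in
!
! EEM applet: fires on the syslog line produced by the permit entry and
! removes that entry, so the client's retries hit the deny at sequence 20.
event manager applet BLOCK-AFTER-FIRST
 event syslog pattern "IPACCESSLOGP: list ONE-PACKET permitted udp 10.1.1.2"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip access-list extended ONE-PACKET"
 action 4.0 cli command "no 10"
 action 5.0 cli command "end"
 action 6.0 syslog msg "ONE-PACKET: first datagram passed, permit removed"
!
! To re-arm for the next test run, put the permit entry back:
!   ip access-list extended ONE-PACKET
!    10 permit udp host 10.1.1.2 host 2.2.2.2 eq 5000 log
```

Any retry that arrives before the applet finishes its CLI actions is still permitted, and with the threshold at 1 each one produces its own "permitted" line, so the log shows exactly how many got through on a given run.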
On Fri, Nov 5, 2010 at 1:09 PM, Rich Collins <nilsi2002_at_gmail.com> wrote:
> Hi,
>
> Yes it is an isolated environment and I will not affect other testing.
>
> I tried your suggestion with an ACL with the log statement. The EEM
> looks for the pattern in the syslog and then shuts down the interface.
>  The problem is that this is not fast enough - about 3-4 seconds
> elapses before the interface is shut down "enable, config term,
> interface, shut".  I'm not sure if some other EEM action would be much
> faster.
>
> This also opens up an old question about logging on ACL's.  Only the
> first packet is logged and not the following ones if they have the
> same characteristics - at least for the next five minutes.  How can
> one disable this default or how can one reinitialize this buffer?
> Clear access-list counter does not do the job.
>
> Thanks
> Rich
>
>
>
> On Thu, Nov 4, 2010 at 8:44 PM, Nick Matthews <matthn_at_gmail.com> wrote:
> > If it was an isolated environment, and maybe even not then, you could do
> > something like this:
> >
> > Create a trigger:
> > Turn on 'debug ip packet detail'
> > or
> > Use an access list with a 'log' statement
> >
> > Write an EEM script to trigger when something in the log matches either the
> > packet details or the log statement
> > Have the EEM script write an ACL to block the rest of the packets
> >
> > At that point I would probably manually disable the ACL to re-test.  You
> > could get fancy and write a watchdog EEM to do this as well.
> >
> > -nick
> >
> > On Thu, Nov 4, 2010 at 3:27 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> >>
> >> What about VACL's or MACL's?  You could block this at the layer 2 frame.
> >>
> >>
> >> Regards,
> >> Jay McMickle- CCNP, CCSP, CCDP, MCSE
> >> http://mycciepursuit.wordpress.com/
> >>
> >> ________________________________
> >> From: Rich Collins <nilsi2002_at_gmail.com>
> >> To: Cisco certification <ccielab_at_groupstudy.com>
> >> Sent: Thu, November 4, 2010 9:48:37 AM
> >> Subject: Router trick - how to allow only one single packet
> >>
> >> Hi all,
> >>
> >> I am trying to test a client application in the lab and need a method
> >> to block subsequent requests to a server. The retries (UDP packets
> >> with same length, port number) etc. from this client should not reach
> >> the server.  The retries occur less than a second later and continue.
> >>
> >> Limiting by CAR would still pass some of the requests a few seconds
> >> later.  I can't record and spoof this first packet because of the
> >> encoding in the packet.
> >>
> >> I was also thinking of load balancing by packet and creating numerous
> >> sinkholes at dummy destinations.
> >>
> >> Any ideas or EEM?
> >>
> >> Thanks
> >> Rich
Blogs and organic groups at http://www.ccie.net
Received on Fri Nov 05 2010 - 13:48:12 ART