Applying an ACL to block the next packet may be faster than shutting the
interface. I've never tested the reaction speed of EEM in anything less
than a few seconds. Maybe a policer plus the EEM would be enough time to
get the policy through?
-nick
On Fri, Nov 5, 2010 at 2:09 PM, Rich Collins <nilsi2002_at_gmail.com> wrote:
> Hi,
>
> Yes it is an isolated environment and I will not affect other testing.
>
> I tried your suggestion with an ACL with the log statement. The EEM
> looks for the pattern in the syslog and then shuts down the interface.
> The problem is that this is not fast enough - about 3-4 seconds
> elapses before the interface is shut down "enable, config term,
> interface, shut". I'm not sure if some other EEM action would be much
> faster.
>
> This also opens up an old question about logging on ACLs. Only the
> first packet is logged and not the following ones if they have the
> same characteristics - at least for the next five minutes. How can
> one disable this default or how can one reinitialize this buffer?
> Clear access-list counter does not do the job.
>
> Thanks
> Rich
>
>
>
> On Thu, Nov 4, 2010 at 8:44 PM, Nick Matthews <matthn_at_gmail.com> wrote:
> > If it was an isolated environment, and maybe even not then, you could do
> > something like this:
> >
> > Create a trigger:
> > Turn on 'debug ip packet detail'
> > or
> > Use an access list with a 'log' statement
> >
> > Write an EEM script to trigger when something in the log matches either the
> > packet details or the log statement
> > Have the EEM script write an ACL to block the rest of the packets
> >
> > At that point I would probably manually disable to ACL to re-test. You
> > could get fancy and write a watchdog EEM to do this as well.
> >
> > -nick
> >
> > On Thu, Nov 4, 2010 at 3:27 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> >>
> >> What about VACLs or MACLs? You could block this at the layer 2 frame.
> >>
> >>
> >> Regards,
> >> Jay McMickle- CCNP, CCSP, CCDP, MCSE
> >> http://mycciepursuit.wordpress.com/
> >>
> >> ________________________________
> >> From: Rich Collins <nilsi2002_at_gmail.com>
> >> To: Cisco certification <ccielab_at_groupstudy.com>
> >> Sent: Thu, November 4, 2010 9:48:37 AM
> >> Subject: Router trick - how to allow only one single packet
> >>
> >> Hi all,
> >>
> >> I am trying to test a client application in the lab and need a method
> >> to block subsequent requests to a server. The retries (UDP packets
> >> with same length, port number) etc. from this client should not reach
> >> the server. The retries occur less than a second later and continue.
> >>
> >> Limiting by CAR would still pass some of the requests a few seconds
> >> later. I can't record and spoof this first packet because of the
> >> encoding in the packet.
> >>
> >> I was also thinking of load balancing by packet and creating numerous
> >> sinkholes at dummy destinations.
> >>
> >> Any ideas or EEM?
> >>
> >> Thanks
> >> Rich
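The trigger Nick describes (an ACL with a log statement feeding an EEM applet that then blocks the rest of the flow on the same interface, rather than shutting the interface) written out as an added example; this is not configuration from the thread, and the addresses, port, ACL and interface names are assumed lab values.

```cisco
! Added example, not from the thread. Addresses, port, ACL and interface
! names are assumed lab values.
!
! 1. ACL with a log statement on the first matching packet. The logged
!    permit sits at sequence 10, leaving room for a deny at sequence 5.
ip access-list extended CLIENT-FIRST
 10 permit udp host 10.0.0.10 host 10.0.0.20 eq 5000 log
 20 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group CLIENT-FIRST in
!
! 2. EEM applet: fires on the IPACCESSLOGP syslog line for that permit
!    and inserts a deny ahead of it, so later retries from the client are
!    dropped while the interface stays up. The pattern is a regex, hence
!    the escaped dots.
event manager applet BLOCK-AFTER-FIRST
 event syslog pattern "IPACCESSLOGP: list CLIENT-FIRST permitted udp 10\.0\.0\.10"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip access-list extended CLIENT-FIRST"
 action 4.0 cli command "5 deny udp host 10.0.0.10 host 10.0.0.20 eq 5000"
 action 5.0 cli command "end"
 action 6.0 syslog msg "BLOCK-AFTER-FIRST: deny installed for 10.0.0.10 -> 10.0.0.20/5000"
!
! 3. To re-test, remove the deny by hand (as Nick suggests); the next
!    packet is then logged and blocked again.
! ip access-list extended CLIENT-FIRST
!  no 5
```

The two caveats raised in the thread still apply: the CLI actions take a few seconds to run, during which retries get through, and ACL logging reports only the first matching packet per summary interval, so the applet fires once per flow rather than once per packet.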
Received on Sat Nov 06 2010 - 12:04:33 ART