For what it's worth, I just labbed this up (I take that opportunity to test
things from this list once in a while to attempt to knock some of the rust
off!), and trying to do this with a route-map didn't appear to work:
R1#show run int fa0/0
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip policy route-map FOO
end
R1#
R1#show route-map
route-map FOO, permit, sequence 10
Match clauses:
ip address (access-lists): 101
length 500 1000
Set clauses:
interface Null0
Interface tracking current: NULL
Null0, adj_lh:0,oce:0,status:0
Policy routing matches: 0 packets, 0 bytes
R1#show access-list
Extended IP access list 101
10 permit icmp any any (14 matches)
R1#deb ip policy
Policy routing debugging is on
R1#
After that, pinged with different lengths from my test host, and had no
problem (and no output from the PBR debug):
VPCS[1]> ping 10.1.1.1 -l 50 -c 2
10.1.1.1 icmp_seq=1 ttl=255 time=32.248 ms
10.1.1.1 icmp_seq=2 ttl=255 time=11.277 ms

VPCS[1]> ping 10.1.1.1 -l 600 -c 2
10.1.1.1 icmp_seq=1 ttl=255 time=2.813 ms
10.1.1.1 icmp_seq=2 ttl=255 time=11.508 ms
Now, if I ping *through* the box, the route-map kicks in. But to-the-box
traffic gets intercepted as "forus" before PBR takes over.
VPCS[1]> ping 20.1.1.20 -l 600 -c 1
10.1.1.1 icmp_seq=1 ttl=255 time=15.927 ms (ICMP type:3, code:1, Destination host unreachable)
Debugs confirm:
*Oct 13 10:01:07.967: IP: s=10.1.1.10 (FastEthernet0/0), d=20.1.1.20, len 628, policy match
*Oct 13 10:01:07.967: IP: route map FOO, item 10, permit
*Oct 13 10:01:07.967: IP: s=10.1.1.10 (FastEthernet0/0), d=20.1.1.20 (Null0), len 628, policy routed
*Oct 13 10:01:07.967: IP: FastEthernet0/0 to Null0 20.1.1.20
When I use a policy-map, either input on the interface or on control-plane
host, then it drops even 'to the box' traffic:
(previous config removed)
R1#show run class
Building configuration...
Current configuration : 98 bytes
!
class-map match-all BLOCK
match packet length min 500 max 1000
match access-group 101
!
end
R1#show run policy
Building configuration...
Current configuration : 51 bytes
!
policy-map BLOCKICMP
class BLOCK
drop
!
end
R1#show run int fa0/0
Building configuration...
Current configuration : 125 bytes
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex half
speed auto
service-policy input BLOCKICMP
end
I then ping to-the-box from my test host:
VPCS[1]> ping 10.1.1.1 -l 50 -c 2
10.1.1.1 icmp_seq=1 ttl=255 time=20.381 ms
10.1.1.1 icmp_seq=2 ttl=255 time=12.669 ms

VPCS[1]> ping 10.1.1.1 -l 600 -c 2
10.1.1.1 icmp_seq=1 timeout
10.1.1.1 icmp_seq=2 timeout
The ICMP packets hit the inbound policy-map and were dropped:
R1#show policy-map int fa0/0 in
FastEthernet0/0
Service-policy input: BLOCKICMP
Class-map: BLOCK (match-all)
2 packets, 1284 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: packet length min 500 max 1000
Match: access-group 101
drop
Class-map: class-default (match-any)
2 packets, 184 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Using a control-plane host service-pol worked just as well, but would
*specifically* block traffic to the box (from all interfaces), and would
not drop through-the-box traffic.
So in the end, also keep in mind the specifics of the question. If the
question mentioned "all" ICMP traffic, I'd probably ask the proctor if that
included traffic to the router itself. OK, actually, I'd have done the
policy-map flavor.. but if I was inclined to try the route-map flavor I'd
ask for clarification. Also look closely at the wording of the question to
give you a hint on the action. If the question simply said "ensure hosts
off Fa0/0 cannot ping hosts elsewhere in the network with ICMP messages
between 500 and 1000 bytes" or whatever, I'd say the PBR is a valid
solution. If the question actually says "Ensure R1 *drops all inbound* ICMP
messages between 500 and 1000 bytes" I'd say the PBR is not a valid
solution since it doesn't "drop" the traffic and it doesn't affect "all"
inbound messages.
Spotting those little "hints" is critical to success on lab day. If you
look carefully enough, they almost always tell you exactly what to do.
Best of luck!
Bob
CCIE #38296
HerdingPackets.net
On Wed, Oct 9, 2013 at 12:44 PM, Ryan Krcelic <[email protected]> wrote:
> I think you are confusing policy maps and route-maps....route-maps don't
> reference classes. In what you provided, replace route-map XXX with
> Policy-map XXX and that will work. PBR references route-maps.
>
> Now if there are no restrictions on the question, you could write a class
> to match the icmp packets and a policy map to drop the class of traffic and
> then apply that to the interface as a service policy in or out depending on
> the question, but if they ask for you to use route-maps or PBR, you would
> need to follow the instructions and the way to drop the traffic is to set
> the interface to null0.
>
> Both methods will work, but there isn't a drop action in a route-map.
> V/r,
>
> Ryan Krcelic
>
>
>
> On Wed, Oct 9, 2013 at 10:46 AM, Joe S <[email protected]> wrote:
>
> > class-map YYY
> > match packet min 400 max 600
> >
> > route-map XXX
> > class YYY
> > drop
> >
> >
> >
> >
> > On Wed, Oct 9, 2013 at 9:43 AM, Ryan Krcelic <[email protected]> wrote:
> >
> >> How exactly are you dropping the traffic? route-maps don't have a
> >> "drop" feature, you just set the interface to null0.
> >>
> >> If you are using a route-map to reference an access-list, then remember
> >> that the ACL that is referenced is used only to fulfill the requirements
> >> of the route-map, not to permit or deny the traffic.
> >>
> >> An ACL could also be used, but you have to watch out for restrictions on
> >> the questions.
> >> V/r,
> >>
> >> Ryan Krcelic
> >>
> >>
> >>
> >> On Wed, Oct 9, 2013 at 10:10 AM, Joe S <[email protected]> wrote:
> >>
> >>> Alright so I'm running through lab book 2 in prep for my lab in 33 days.
> >>> Small things are starting to make me wonder if my solutions are wrong or
> >>> if I'm just not doing it the way that the author did it, so I'm probably
> >>> going to be asking for opinions from the folks out in mailing list land.
> >>>
> >>> Question the first: "Drop ICMP packets inbound between sizes X and Y".
> >>>
> >>> Pretty obvious. Route-map checks sizes and then does a drop if packet size
> >>> is between X and Y. Put it in, seems to work just fine. Then I'm going
> >>> through the DSG and checking my answers and I see that the solution doesn't
> >>> use drop it uses "set interface null 0".
> >>>
> >>> Is one solution more right than the other? Or are they both viable and I'm
> >>> being overly cautious?
> >>>
> >>>
>
>
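The following is an added example, not part of the thread, that models the two behaviours Bob labbed: interface PBR only policy-routes transit packets (to-the-box "forus" traffic never reaches route-map FOO), while an inbound MQC service-policy classifies everything arriving on the interface. It assumes VPCS "-l" sets the ICMP payload size (600 bytes of data giving the IP length 628 seen in the debug) and that the policy-map byte counters include a 14-byte Ethernet header, which is what reconciles two 628-byte pings with the 1284 bytes shown in "show policy-map interface".

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

IP_HDR, ICMP_HDR, ETH_HDR = 20, 8, 14      # header sizes in bytes (assumed)

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    payload: int            # ICMP data bytes, i.e. what VPCS "-l" sets (assumed)

    @property
    def ip_len(self) -> int:
        # IP total length, the "len" the PBR debug prints (600 -> 628)
        return IP_HDR + ICMP_HDR + self.payload

def acl_101(p: Pkt) -> bool:
    """Extended ACL 101 from the post: permit icmp any any."""
    return p.proto == "icmp"

def class_block(p: Pkt) -> bool:
    """Shared match logic of class-map BLOCK and route-map FOO:
    ICMP (ACL 101) and IP length between 500 and 1000 bytes."""
    return acl_101(p) and 500 <= p.ip_len <= 1000

def pbr_foo(p: Pkt, router_ips: Iterable[str]) -> Optional[str]:
    """ip policy route-map FOO on fa0/0.  Packets addressed to the router
    are taken off on the 'forus' path before PBR runs, so they are never
    policy routed (None); matching transit packets are sent to Null0."""
    if p.dst in set(router_ips):
        return None
    return "Null0" if class_block(p) else "routing-table"

def service_policy_blockicmp(pkts: Iterable[Pkt]) -> Dict[str, Tuple[int, int]]:
    """service-policy input BLOCKICMP: every packet arriving on the interface,
    to-the-box or transit, is classified.  Returns (packets, bytes) per class,
    counting L2 frame bytes (IP length + 14) as the post's counters suggest."""
    counters = {"BLOCK": [0, 0], "class-default": [0, 0]}
    for p in pkts:
        cls = "BLOCK" if class_block(p) else "class-default"
        counters[cls][0] += 1
        counters[cls][1] += p.ip_len + ETH_HDR
    return {k: (v[0], v[1]) for k, v in counters.items()}

# Constructed traffic mirroring the lab: two -l 50 and two -l 600 pings
# from the test host 10.1.1.10 to the router's fa0/0 address 10.1.1.1.
TO_BOX = [Pkt("10.1.1.10", "10.1.1.1", "icmp", n) for n in (50, 50, 600, 600)]
TRANSIT_600 = Pkt("10.1.1.10", "20.1.1.20", "icmp", 600)
```

Running `service_policy_blockicmp(TO_BOX)` reproduces the BLOCK (2 packets, 1284 bytes) and class-default (2 packets, 184 bytes) counters from the post, while `pbr_foo` returns None for the same to-the-box pings and "Null0" only for the transit one.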