Re: Cisco filter question

2003-08-22 Thread Scott McGrath


Geo,

Look at your "set interface Null0" command; the rest is correct.
You want to set the next hop to be Null0. How to do this is left as an
exercise for the reader.

Scott C. McGrath

On Fri, 22 Aug 2003, Geo. wrote:

 
 Perhaps one of you router experts can answer this question. When using the
 Cisco-specified filter
 
 access-list 199 permit icmp any any echo
 access-list 199 permit icmp any any echo-reply
 
 route-map nachi-worm permit 10
   ! --- match ICMP echo requests and replies (type 0 & 8)
   match ip address 199
 
   ! --- match 92 bytes sized packets
   match length 92 92
 
   ! --- drop the packet
   set interface Null0
 
 interface incoming-interface
   ! --- it is recommended to disable unreachables
   no ip unreachables
 
   ! --- if not using CEF, enabling ip route-cache flow is recommended
   ip route-cache policy
 
   ! --- apply Policy Based Routing to the interface
   ip policy route-map nachi-worm
 
 why would it not stop this packet?
 
 15 1203.125000 0003E3956600 AMERIC6625D4 ICMP Echo: From 216.144.20.69 To 216.144.00.27 216.144.20.69 216.144.0.27 IP
 FRAME: Base frame properties
 FRAME: Time of capture = 8/22/2003 11:54:16.859
 FRAME: Time delta from previous physical frame: 0 microseconds
 FRAME: Frame number: 15
 FRAME: Total frame length: 106 bytes
 FRAME: Capture frame length: 106 bytes
 FRAME: Frame data: Number of data bytes remaining = 106 (0x006A)
 ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
 ETHERNET: Destination address : 00C0B76625D4
 ETHERNET: ...0 = Individual address
 ETHERNET: ..0. = Universally administered address
 ETHERNET: Source address : 0003E3956600
 ETHERNET: ...0 = No routing information present
 ETHERNET: ..0. = Universally administered address
 ETHERNET: Frame Length : 106 (0x006A)
 ETHERNET: Ethernet Type : 0x0800 (IP:  DOD Internet Protocol)
 ETHERNET: Ethernet Data: Number of data bytes remaining = 92 (0x005C)
 IP: ID = 0x848; Proto = ICMP; Len: 92
 IP: Version = 4 (0x4)
 IP: Header Length = 20 (0x14)
 IP: Precedence = Routine
 IP: Type of Service = Normal Service
 IP: Total Length = 92 (0x5C)
 IP: Identification = 2120 (0x848)
 IP: Flags Summary = 0 (0x0)
 IP: ...0 = Last fragment in datagram
 IP: ..0. = May fragment datagram if necessary
 IP: Fragment Offset = 0 (0x0) bytes
 IP: Time to Live = 124 (0x7C)
 IP: Protocol = ICMP - Internet Control Message
 IP: Checksum = 0x70D8
 IP: Source Address = 216.144.20.69
 IP: Destination Address = 216.144.0.27
 IP: Data: Number of data bytes remaining = 72 (0x0048)
 ICMP: Echo: From 216.144.20.69 To 216.144.00.27
 ICMP: Packet Type = Echo
 ICMP: Echo Code = 0 (0x0)
 ICMP: Checksum = 0x82AA
 ICMP: Identifier = 512 (0x200)
 ICMP: Sequence Number = 7680 (0x1E00)
 ICMP: Data: Number of data bytes remaining = 64 (0x0040)
 00000:  00 C0 B7 66 25 D4 00 03 E3 95 66 00 08 00 45 00
 00010:  00 5C 08 48 00 00 7C 01 70 D8 D8 90 14 45 D8 90
 00020:  00 1B 08 00 82 AA 02 00 1E 00 AA AA AA AA AA AA
 00030:  AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
 00040:  AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
 00050:  AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
 00060:  AA AA AA AA AA AA AA AA AA AA
 



Re: Cisco filter question

2003-08-22 Thread Jack Bates
Scott McGrath wrote:

Geo,

Look at your "set interface Null0" command; the rest is correct.
You want to set the next hop to be Null0. How to do this is left as an
exercise for the reader.

Interface Null0 works fine. Here's a quick check.

Inbound (from peers) policy matches:

route-map nachi-worm, permit, sequence 10
  Match clauses:
    ip address (access-lists): 199
    length 92 92
  Set clauses:
    interface Null0
  Policy routing matches: 10921 packets, 1048416 bytes

Outbound (to internal network) access-list matches:

Extended IP access list 181
    deny tcp any any eq 135 (1994 matches)
    permit icmp any any echo (757 matches)
    permit icmp any any echo-reply (381 matches)
    permit ip any any (381370 matches)

I cleared 181 first, then cleared the route-map counters. I then checked 
the route-map counters first, before checking the access-list counters. This 
means the access-list has had more time to accrue matches, yet it is 
considerably smaller. The checks were a matter of seconds. I'd say the 
policy is working. The echo/echo-reply could easily be everyday pings, 
which are up a bit due to various networks having performance issues.

IOS versioning can sometimes have issues. There's also the question of 
whether the packet came in on the inbound interface that had the policy applied.

-Jack



Re: Cisco filter question

2003-08-22 Thread Stephen J. Wilcox


point a route to null0 and set the next hop to be down that route 





RE: Cisco filter question

2003-08-22 Thread Michel Py

Instead of:
 set interface Null0

Use: set ip next-hop 10.255.255.254

_and_ 
ip route 10.255.255.254 255.255.255.255 Null0 name BLACKHOLE

Michel.



Re: Cisco filter question

2003-08-22 Thread Paul A. Bradford

Geo,
   Not sure if I want to answer. Is this OT for NANOG?  :)

   The key is:

IP: Total Length = 92 (0x5C)

Normal ICMP packets are not 92 bytes in length; our friend Nachi does
use 92-byte packets.

BTW: good luck trying the route-map on 2948G-L3s...  ;)

Thanks,
Paul


-- 
Paul A Bradford
Senior Network Engineer
Adelphia Cable Communications
814-274-1353




RE: Cisco filter question

2003-08-22 Thread Geo.

point a route to null0 and set the next hop to be down that route

makes no difference, the problem isn't that the packets aren't being routed
to null0, the problem is that the packets don't match the route-map for some
reason. Only difference I see is the fragment flag is set to allow fragment
on the ones that are getting thru.

Geo.



Re: Cisco filter question

2003-08-22 Thread Paul A. Bradford

Geo,
   OK, time for me to get coffee; I missed the "not stop".

it might not stop a packet if the route-map isn't applied to the
interface.

Pablo





RE: Cisco filter question

2003-08-22 Thread Owen DeLong
Because your acl matches echo reply and the packet is echo request.

Owen

--On Friday, August 22, 2003 10:02 AM -0700 Michel Py 
[EMAIL PROTECTED] wrote:

Instead of:
 set interface Null0

Use: set ip next-hop 10.255.255.254

_and_
ip route 10.255.255.254 255.255.255.255 Null0 name BLACKHOLE

Michel.






RE: Cisco filter question

2003-08-22 Thread Lucas Iglesias

Geo,

The problem is simple. If you put two match entries in a single route-map
entry, it must match both of them to set the interface to Null0. If you'd
like to match all ICMP packets and also 92-length packets, try this:

route-map nachi-worm permit 10
 match ip address 199
 set interface Null0
!
route-map nachi-worm permit 20
 match length 92 92
 set interface Null0
!

Good luck, tell me how it works.
Luckas.-



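Two points in the thread can be checked against the capture itself: the match clauses inside one route-map sequence are ANDed (Lucas's message above), and Geo.'s packet does satisfy both of them, so the fragment bits he noticed play no part in the match. The Python script below is an added example, not code from the thread or from Cisco: it parses the 106-byte frame from the hex dump in the original question, verifies the IP and ICMP checksums, and evaluates access-list 199 and "match length 92 92" (which compares the Level 3, i.e. IP total, length) the way the route-map would; the ingress_has_policy flag is this model's stand-in for "ip policy route-map nachi-worm" being present on the interface the packet actually arrived on, the condition Jack and Paul raised.

```python
import struct
from ipaddress import IPv4Address

# The 106-byte frame from Geo.'s Network Monitor trace (hex column of the dump above).
FRAME = bytes.fromhex(
    "00c0b76625d4 0003e3956600 0800"                    # Ethernet II: dst, src, EtherType IPv4
    "4500 005c 0848 0000 7c01 70d8 d8901445 d890001b"  # IPv4 header, total length 92
    "0800 82aa 0200 1e00" + "aa" * 64                   # ICMP echo request + 64 bytes of 0xAA
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the embedded checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / ICMP the way the trace does; only IPv4 is handled."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    pkt = {
        "ip_total_length": total_len,          # what 'match length' compares against
        "ip_id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "proto": proto,
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
    }
    if proto == 1:                             # ICMP
        icmp = ip[ihl:total_len]
        pkt["icmp_type"], pkt["icmp_code"] = icmp[0], icmp[1]
        pkt["icmp_checksum_ok"] = inet_checksum(icmp) == 0
    return pkt

def acl_199(pkt: dict) -> bool:
    """access-list 199 permit icmp any any echo / echo-reply (ICMP types 8 and 0)."""
    return pkt["proto"] == 1 and pkt.get("icmp_type") in (8, 0)

def route_map_nachi_worm(pkt: dict, ingress_has_policy: bool) -> bool:
    """Sequence 10 of the route-map: every match clause must hold (they are ANDed).
    ingress_has_policy is this model's stand-in (an assumption, not a router feature)
    for 'ip policy route-map nachi-worm' being on the packet's ingress interface."""
    if not ingress_has_policy:                 # PBR is only consulted on ingress
        return False
    return acl_199(pkt) and 92 <= pkt["ip_total_length"] <= 92   # match length 92 92

if __name__ == "__main__":
    decoded = parse_frame(FRAME)
    print(decoded)
    print("matches on a policy interface:", route_map_nachi_worm(decoded, True))
```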

Re: Cisco filter question

2003-08-22 Thread Jack Bates
[EMAIL PROTECTED] wrote:

ip address (access-lists): 199
  ^^^

Extended IP access list 181
  ^^^

Did you mean to have a mismatch between the numbers?
Or is there some magic configuration detail that links
the two together that I haven't learned about yet?

They are comparative lists. 181 lists all traffic leaving the router 
towards my networks, while 199 is the list for the route-map that filters 
inbound ICMP traffic of 92 bytes. 181 would be legitimate ICMP traffic, 
which is why it's lower than route-map nachi-worm, which uses ACL 199.

-Jack