Need a hint for home office / 871 does not support port-security - FPM ?

Aug 27th, 2007
Hi,

I want to realize the following setup:

- Central site 871 with Internet connection and static IP

- Home office 871 with Internet connection and static IP. On that home office router, there should be 2 VLANs: 1 for the office work and one for the user's private PC. All traffic from the "office" VLAN is being put into a VPN to the central site. All traffic on the other interface is being NATed and goes straight to the Internet.

To minimize security issues, I tried to configure port-security, so that the user cannot connect with his private PC to the office LAN ports and vice versa. Unfortunately, port-security seems not to be supported on the 871 (advanced IP services image).

Now I looked for an alternative... and came across FPM (flexible packet matching).

If I understood correctly, you can classify packets for example by their source MAC address, and if this field matches a specific value (the MAC of the work PC), packets can be dropped by a policy.

Of course I cannot avoid that the user connects the work PC together with his private PC (this is then related to the OS security to keep out viruses, worms, trojans, etc.). But I could/want to restrict the Internet access with the work PC through "normal" Internet access - the users should not be able to do that (they must use the company's proxy).

I did the following config:


class-map type access-control match-any c2
 match start l2-start offset 48 size 6 regex "0xabcd1234fedc"
 match field ETHER source-mac regex "abcd1234fedc"
!
policy-map type access-control p2
 class c2
  drop
!
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 service-policy type access-control input p2
 service-policy type access-control output p2
!

As this feature is quite new, I'm not familiar with its syntax.

I also tried to use "string" instead of "regex", but I'm still able to connect the office PC to the private LAN and I am able to access the "Internet" (currently it's only set up in a lab).

As I understood so far, the offset is the value in bits, and size is in bytes. Is that correct?

Has anyone yet some experience with FPM, or maybe any hint for me how to realize the requested setup with the 871 routers?

Best regards,

Andy
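Added illustration, not from the thread and not Cisco code: a small Python model of what the class-map above asks FPM to do, i.e. classify Ethernet frames by their source MAC. It makes the offset question concrete: FPM counts both offset and size in bytes, and in an Ethernet II frame the source MAC occupies bytes 6 through 11 from l2-start, so the field is "offset 6 size 6". An offset of 48 (bytes) already lands inside the payload of a typical frame. The work PC MAC is the value from the post; the frames, the destination MAC and the private PC's MAC are constructed for the example.

```python
import struct

# Ethernet II header layout, byte offsets counted from the start of the
# frame (what FPM calls l2-start):
#   bytes 0..5   destination MAC
#   bytes 6..11  source MAC
#   bytes 12..13 EtherType
# 6 bytes == 48 bits, which is where the "offset 48" in the post comes from;
# FPM's offset argument, however, is a byte count.
ETH_DST_OFFSET = 0
ETH_SRC_OFFSET = 6
ETH_TYPE_OFFSET = 12
ETH_HDR_LEN = 14
MAC_LEN = 6


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'ab:cd:12:34:fe:dc', 'abcd.1234.fedc', 'ab-cd-...' or 'abcd1234fedc'."""
    hexdigits = mac.lower().replace(":", "").replace(".", "").replace("-", "")
    if len(hexdigits) != 2 * MAC_LEN:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def bytes_to_mac(raw: bytes) -> str:
    """Canonical colon-separated lower-case form, used for comparisons."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into its header fields and payload."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("runt frame: shorter than the 14-byte Ethernet header")
    dst = frame[ETH_DST_OFFSET:ETH_DST_OFFSET + MAC_LEN]
    src = frame[ETH_SRC_OFFSET:ETH_SRC_OFFSET + MAC_LEN]
    (ethertype,) = struct.unpack("!H", frame[ETH_TYPE_OFFSET:ETH_TYPE_OFFSET + 2])
    return {
        "dst": bytes_to_mac(dst),
        "src": bytes_to_mac(src),
        "ethertype": ethertype,
        "payload": frame[ETH_HDR_LEN:],
    }


def field_at(frame: bytes, offset: int, size: int) -> bytes:
    """The raw bytes an FPM 'match start l2-start offset <offset> size <size>' looks at."""
    return frame[offset:offset + size]


def classify(frame: bytes, blocked_src_macs) -> str:
    """Model of class-map c2 / policy-map p2: 'drop' when the source MAC is on the list."""
    blocked = {bytes_to_mac(mac_to_bytes(m)) for m in blocked_src_macs}
    hdr = parse_ethernet(frame)
    return "drop" if hdr["src"] in blocked else "permit"


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Construct a frame for testing (sample data, not captured traffic)."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    work_pc = "abcd.1234.fedc"          # MAC from the post
    private_pc = "00:aa:bb:cc:dd:ee"    # constructed
    gateway = "00:11:22:33:44:55"       # constructed
    frame = build_frame(gateway, work_pc, payload=bytes(range(40)))
    print("bytes 6..11 :", field_at(frame, 6, 6).hex())   # the source MAC
    print("bytes 48..53:", field_at(frame, 48, 6).hex())  # already in the payload
    print("work PC     :", classify(frame, [work_pc]))
    print("private PC  :", classify(build_frame(gateway, private_pc), [work_pc]))
```

Two points the model makes visible. First, the bytes at offset 48 have nothing to do with the source MAC, so a byte-offset match there can never hit the work PC. Second, a match is against the six raw bytes of the address, not against the fourteen ASCII characters of the text "0xabcd1234fedc". Beyond the syntax, a source-MAC drop is a convenience control rather than an isolation boundary: a host can change its MAC address, so the real separation between the office and private networks has to come from the VLAN and VPN split, and forcing the work PC through the company proxy should not rely on this match alone.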

sbilgi Fri, 08/31/2007 - 10:53

For the FPM feature to work, you will need PHDF files for the protocols you want to scan for to be loaded on your routers. The files can be downloaded from Cisco's website. In your case you will have to download the ether.phdf file.
