
Flexible Packet Matching (FPM) on IOS Router

Jedi:

In my example listed below, two IOS routers (R1 Fa0/1 IP:192.168.100.1/24 <----> R2 Fa0/1 IP:192.168.200.2/24) are directly connected.

The FPM service policy is applied to R1's Fa0/1 interface in the inbound direction.

Using FPM, I am trying to drop telnet traffic sourced from R2's Fa0/1 IP to R1's Fa0/1 IP.

Using FPM, I am trying to drop ICMP traffic sourced from R2's Fa0/1 IP to R1's Fa0/1 IP if the size is greater than 1500.

I am able to accomplish this task if I use each policy individually. When combining both requirements, neither policy is coming into effect. I am unsure if it is the nature of the beast, a misconfiguration, or an IOS bug. If someone can please comment or suggest alternatives, I will be glad to try them. Thanks in advance for your help.

R1
----

    R1#sh ver
    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
    System image file is "flash:c2800nm-advipservicesk9-mz.124-24.T4.bin"
    Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.

Configuration
-------------------

    load protocol system:fpm/phdf/ip.phdf
    load protocol system:fpm/phdf/icmp.phdf
    load protocol system:fpm/phdf/tcp.phdf

    class-map type stack match-all S_TELNET
     match field IP protocol eq 0x6 next TCP
    class-map type stack match-all S_ICMP
     match field IP protocol eq 0x1 next ICMP

    class-map type access-control match-all AC_C_TELNET
     match field IP source-addr eq 192.168.200.2
     match field IP dest-addr eq 192.168.200.1
     match field TCP dest-port eq 23
    class-map type access-control match-all AC_C_ICMP
     match field IP source-addr eq 192.168.200.2
     match field IP dest-addr eq 192.168.200.1
     match field ICMP type eq 8
     match field IP flags eq 1

    policy-map type access-control AC_P_ICMP
     class AC_C_ICMP
      drop
    policy-map type access-control AC_P_TELNET
     class AC_C_TELNET
      drop

    policy-map type access-control FPM          (WORKS)
     class S_ICMP
      service-policy AC_P_ICMP

OR

    policy-map type access-control FPM          (WORKS)
     class S_TELNET
      service-policy AC_P_TELNET

OR

    policy-map type access-control FPM          (NEITHER ONE WORKS)
     class S_ICMP
      service-policy AC_P_ICMP
     class S_TELNET
      service-policy AC_P_TELNET

    interface fa0/1
     service-policy type access-control input FPM
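
The field matches in the class-maps above, modelled on raw packet bytes as an added example (not part of the original post and not Cisco code). It assumes the PHDF field names map to the standard IPv4, TCP and ICMP header fields and that `IP flags eq 1` means the 3-bit flags field with only MF (more fragments) set; `classify` and `ipv4` are hypothetical helper names, and the model says nothing about how IOS evaluates the combined policy-map.

```python
import ipaddress
import struct

# Addresses copied from the class-maps in the post.
SRC = ipaddress.ip_address("192.168.200.2")
DST = ipaddress.ip_address("192.168.200.1")

def classify(pkt: bytes):
    """Return the access-control class-map a raw IPv4 packet satisfies, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return None
    flags_frag, = struct.unpack_from("!H", pkt, 6)
    flags, frag_off = flags_frag >> 13, flags_frag & 0x1FFF
    if pkt[12:16] != SRC.packed or pkt[16:20] != DST.packed:
        return None
    if frag_off:                              # modelling assumption: later fragments
        return None                           # carry no L4 header to inspect
    l4 = pkt[ihl:]
    if pkt[9] == 0x6:                         # S_TELNET: protocol 0x6, next TCP
        if len(l4) >= 4 and struct.unpack_from("!H", l4, 2)[0] == 23:
            return "AC_C_TELNET"
    elif pkt[9] == 0x1:                       # S_ICMP: protocol 0x1, next ICMP
        # type 8 = echo request; flags == 1 means only the MF bit is set
        if len(l4) >= 1 and l4[0] == 8 and flags == 1:
            return "AC_C_ICMP"
    return None

def ipv4(proto, flags, frag_off, payload, src=SRC, dst=DST):
    """Build a constructed IPv4 packet (checksum left at 0, never validated)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      (flags << 13) | frag_off, 64, proto, 0,
                      src.packed, dst.packed)
    return hdr + payload

# Constructed sample traffic, not captured from the routers in the post.
TCP_23 = struct.pack("!HH", 40000, 23) + bytes(16)   # destination port 23
TCP_22 = struct.pack("!HH", 40000, 22) + bytes(16)   # destination port 22
ECHO = bytes([8, 0]) + bytes(6) + bytes(1472)        # ICMP echo request

if __name__ == "__main__":
    print(classify(ipv4(6, 2, 0, TCP_23)))           # telnet SYN with DF set
    print(classify(ipv4(1, 1, 0, ECHO)))             # first fragment of a large ping
    print(classify(ipv4(1, 0, 0, ECHO)))             # unfragmented ping
    print(classify(ipv4(1, 0, 370, bytes(100))))     # last fragment of a large ping
```

In this model only the first fragment of an oversized echo request satisfies both `ICMP type eq 8` and `IP flags eq 1`; an unfragmented ping and the final fragment (MF clear) do not.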
