Hi,
I'm using FPM on an 1811 router with 12.4(24)T Advanced Security code. I'm trying to filter syslog warning traps sent from the firewalls to the NMS. Below is the configuration, which matches the OID for syslog warning traps.
load protocol system:/fpm/phdf/ether.phdf
load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf
load protocol system:/fpm/phdf/udp.phdf
!
!
class-map type stack match-all IP_UDP
 match field IP dest-addr eq 10.10.10.10 next UDP
class-map type access-control match-all WARNING
 match start l3-start offset 0 size 256 regex ".*\x2b\x06\x01\x04\x01\x09\x09\x29\x01\x02\x03\x01\x03\x00\x02\x01\x05.*"
 match field UDP dest-port eq 162
!
!
policy-map type access-control FILTER_WARNING
 class WARNING
  log
policy-map type access-control FPM
 class TRAP
  log
  drop
 class IP_UDP
  service-policy FILTER_WARNING
But somehow traffic on port 161 and ICMP messages are matched against it. For ICMP, I thought they were port-unreachable messages, but any clue on the matches for port 161 (normal SNMP polling)? It seems that "match field UDP dest-port eq 162" is not working. Below are the logs for the same:
*Nov 1 04:53:30 UTC: %SEC-6-IPACCESSLOGDP: list WARNING permitted icmp 1.1.1.1 (FastEthernet1 ) -> 10.10.10.10 (0/0), 1 packet
*Nov 1 04:45:34 UTC: %SEC-6-IPACCESSLOGP: list WARNING permitted udp 10.10.20.1 (161) (FastEthernet1 ) -> 10.10.10.10 (51643), 1 packet
Please advise on fine-tuning the configuration or on further analysis.
Thanks in advance
Hitesh Vinzoda
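An added example, not part of the post above and not Cisco code: a Python model of what class-map WARNING is meant to express. The bytes in the regex are the BER encoding of the CISCO-SYSLOG-MIB object clogHistSeverity.0 (1.3.6.1.4.1.9.9.41.1.2.3.1.3.0) followed by INTEGER 5, which is SyslogSeverity warning(5). The code builds SNMPv1 packets (a clogMessageGenerated trap with severity warning, the same trap with severity error, and a GetResponse from source port 161 that carries the same varbind bytes), then classifies each two ways: structurally (IPv4/UDP to port 162, a Trap-PDU, and a clogHistSeverity.<index> varbind equal to 5) and with the post's raw byte regex alone. The regex on its own matches the poll reply just as readily as the trap, since it knows nothing about ports or PDU type, so the dest-port clause is the part that has to keep non-trap SNMP out. The addresses are taken from the logged packets; the ports, community string, index 0 and the zero IP/UDP checksums are constructed for the example.

```python
import re
import struct

# CISCO-SYSLOG-MIB clogHistSeverity.<clogHistIndex> = 1.3.6.1.4.1.9.9.41.1.2.3.1.3.<index>, SyslogSeverity warning(5);
# the post's regex bytes are the BER OID ...1.2.3.1.3.0 followed by INTEGER 5. All packets here are constructed.
CLOG_HIST_SEVERITY = (1, 3, 6, 1, 4, 1, 9, 9, 41, 1, 2, 3, 1, 3)
WARNING = 5
POST_REGEX = re.compile(rb"\x2b\x06\x01\x04\x01\x09\x09\x29\x01\x02\x03\x01\x03\x00\x02\x01\x05")

# --- minimal BER encoder (short-form lengths are enough for these samples) ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body

def ber_oid(arcs):
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                    # base-128 with continuation bits
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def ber_int(v):  # non-negative values only
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def snmpv1(pdu_tag, pdu_head, varbinds, community=b"public"):
    pdu = tlv(pdu_tag, pdu_head + tlv(0x30, b"".join(varbinds)))
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + pdu)

# Trap-PDU header: enterprise, agent-addr, generic-trap 6, specific-trap 1, time-stamp
TRAP_HEAD = (ber_oid((1, 3, 6, 1, 4, 1, 9, 9, 41, 2)) + tlv(0x40, bytes([10, 10, 20, 1]))
             + ber_int(6) + ber_int(1) + tlv(0x43, b"\x00"))
RESP_HEAD = ber_int(1) + ber_int(0) + ber_int(0)   # GetResponse: request-id, error-status, error-index

def ipv4_udp(src, dst, sport, dport, payload):  # zero checksums: a sample, not a capture
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(src), bytes(dst))
    return ip + udp

# --- minimal BER decoder ---
def ber_read(buf, pos):  # -> (tag, body, next_pos); handles long-form lengths too
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)

def snmp_varbinds(msg):
    """Return (pdu_tag, [(oid, value_tag, value_body), ...]) for an SNMPv1/v2c message."""
    _, seq, _ = ber_read(msg, 0)
    _, _, p = ber_read(seq, 0)            # version
    _, _, p = ber_read(seq, p)            # community
    pdu_tag, pdu, _ = ber_read(seq, p)
    p = 0
    while p < len(pdu):                   # VarBindList is always the last PDU field
        _, vbl, p = ber_read(pdu, p)
    vbs, p = [], 0
    while p < len(vbl):
        _, vb, p = ber_read(vbl, p)
        _, oid_body, q = ber_read(vb, 0)
        vtag, vbody, _ = ber_read(vb, q)
        vbs.append((decode_oid(oid_body), vtag, vbody))
    return pdu_tag, vbs

def is_syslog_warning_trap(packet):
    """Intent of class-map WARNING: IPv4/UDP to 162, a Trap-PDU, clogHistSeverity.<index> == warning(5)."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 17:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if struct.unpack(">H", packet[ihl + 2:ihl + 4])[0] != 162:
        return False
    pdu_tag, vbs = snmp_varbinds(packet[ihl + 8:])
    if pdu_tag not in (0xA4, 0xA7):       # SNMPv1 Trap-PDU / SNMPv2-Trap-PDU
        return False
    return any(oid[:len(CLOG_HIST_SEVERITY)] == CLOG_HIST_SEVERITY and vtag == 0x02
               and int.from_bytes(vbody, "big") == WARNING for oid, vtag, vbody in vbs)

def regex_from_post_matches(packet):  # the regex clause alone, 256 bytes from l3-start
    return POST_REGEX.search(packet[:256]) is not None

# constructed samples: firewall 10.10.20.1 -> NMS 10.10.10.10, as in the logged packets
FW, NMS = (10, 10, 20, 1), (10, 10, 10, 10)
SEV_WARNING = tlv(0x30, ber_oid(CLOG_HIST_SEVERITY + (0,)) + ber_int(WARNING))
SEV_ERROR = tlv(0x30, ber_oid(CLOG_HIST_SEVERITY + (0,)) + ber_int(4))
TRAP_WARNING = ipv4_udp(FW, NMS, 50000, 162, snmpv1(0xA4, TRAP_HEAD, [SEV_WARNING]))
TRAP_ERROR = ipv4_udp(FW, NMS, 50000, 162, snmpv1(0xA4, TRAP_HEAD, [SEV_ERROR]))
# a poll reply from source port 161 carrying the same varbind bytes: regex matches, structural check does not
POLL_REPLY = ipv4_udp(FW, NMS, 161, 51643, snmpv1(0xA2, RESP_HEAD, [SEV_WARNING]))
```

Running `is_syslog_warning_trap` and `regex_from_post_matches` over the three samples gives True/True for the warning trap, False/False for the error trap, and False/True for the poll reply. Note also that the regex pins the instance index to 0 (the trailing \x00 before \x02\x01\x05); the structural check compares only the column prefix, so it accepts any clogHistIndex.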