I need to configure FPM on IOS XE to match certain query types of a DNS packet, for example on an A record (0x0001), and drop it.
For this to work I wrote custom phdf file for DNS, which is in the attachments.
FPM configuration is as follows:
Current configuration : 241 bytes
!
class-map type access-control match-any CM_FPM_DNS
 match start DNS queries offset 0 size 2 regex ".*0377.*"   < this is just an example
class-map type stack match-all CM_FPM_UDP
 match field IP protocol eq 17 next UDP
 match field UDP dest-port eq 53 next DNS
end

do sh run policy-map
Building configuration...

Current configuration : 174 bytes
!
policy-map type access-control PM_FPM_DNS
 class CM_FPM_DNS
  drop
  log
policy-map type access-control PM_FPM_UDP
 class CM_FPM_UDP
  service-policy PM_FPM_DNS
!
end
The problem is to match the RR Type field based on its offset. In a DNS packet, the type field comes after the Name field, which can be of variable size, so we cannot match the RR Type field at a fixed position, only within the first 32 bytes.
The FPM configuration guide says that "FPM can search for patterns up to 32 bytes in length within the first 256 bytes of the packet." But how can we configure FPM so that it will match hex data 0x0001 within the first 256 bytes of an IP packet?
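The variable offset the question describes can be seen by walking the QNAME labels of a query. The following is an added example, not the poster's code or an FPM feature: it builds constructed sample queries and returns where the QTYPE field actually sits, relative to the start of the DNS header (the "start DNS" reference point in the class-map above).

```python
import struct

QTYPE_A = 0x0001  # RR type for an A record


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query (one question, RD set). Constructed sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def question_offsets(dns: bytes):
    """Return (qtype_offset, qtype, qclass) for the first question.

    QTYPE lives at 12 (header) + len(QNAME), so its offset moves with the name
    length; a fixed-offset match only works for one particular name length.
    Raises ValueError on truncated or malformed input instead of guessing.
    """
    if len(dns) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack_from("!H", dns, 4)[0] == 0:  # QDCOUNT
        raise ValueError("no question section")
    pos = 12
    while True:
        if pos >= len(dns):
            raise ValueError("truncated QNAME")
        length = dns[pos]
        if length == 0:              # root label terminates the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, ends the name
            pos += 2
            break
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        pos += 1 + length
    if pos + 4 > len(dns):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack_from("!HH", dns, pos)
    return pos, qtype, qclass


def is_a_query(dns: bytes) -> bool:
    """True if the first question asks for an A record (0x0001)."""
    return question_offsets(dns)[1] == QTYPE_A
```

Running it on two constructed names of different length shows the QTYPE offset shift from 19 to 45 bytes, which is why a single fixed offset cannot cover all queries.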
No sessions are available in the live session view window. I'm doing a simple switch vty (SSH) access authentication and authorization on ISE. According to the ISE REST API Guide there are active sessions and authenticated active sessions. None of those sessions are available in the session view window in my case. I use the default admin user for requests, because any other admin user's requests result in the "Logged-in Administrator is Unauthorized to access REST API" message, even if the user is in the ERS Admin group. Only when I add that user to the Super Admin group is the request attempt successful. Thank you very much for your help.
We've installed ISE 126.96.36.199 and also use the REST API to get session details from ISE. But for some reason ISE always returns 0 or an error for the following requests, although we have active sessions, as shown below:

https://ise_ip/admin/API/mnt/Session/AuthList/null/null
<activeList noOfActiveSession="0"/>

https://ise_ip/admin/API/mnt/Session/ActiveCount
<sessionCount><count>0</count></sessionCount>

https://ise_ip/admin/API/mnt/Session/UserName/cisco
<mnt-rest-result><http-code>500</http-code><cpm-code>34110</cpm-code><description>Server has encountered error while processing the REST request</description><module-name>MnT</module-name><internal-error-info>Error in generating XML output. Error message = Session data is not available for cisco.</internal-error-info><requested-operation>Get By Name</requested-operation><resource-id>N/A</resource-id><resource-name>N/A</resource-name><resource-type>RESTSDStatus</resource-type><status>SERVER_ERROR</status></mnt-rest-result>

Only the version information is returned correctly:

https://ise_ip/admin/API/mnt/Version
<product name="Cisco Identity Services Engine"><version>188.8.131.52</version><type_of_node>0</type_of_node></product>
Hi everyone! Let's say I have a management PC in my network located in the same subnet as the management addresses of the switches (both HP and Cisco; 192.168.10.0/24 is the management network); the PC's IP is 10.254. Access to the switches is controlled by TACACS on ACS 5.4. On the mgmt PC there is Kiwi CatTools, which saves running-configs of devices to a TFTP server on a regular schedule (e.g. every 2 weeks). For this purpose there is a special user account on the ACS called "cattools", which is used by that software to access devices and save running-configs.

Now my purpose is to disallow the use of "cattools" for anything from anywhere, except when the access request comes from the mgmt PC 10.254 (i.e. Kiwi). The account should not be used to access devices from any other location.

Here's what I did: in the log messages from ACS I noticed a Remote Address field containing the IP address of the device/PC from which access is being made. So I created an End Station Filter list (name "mgmtonly") on the ACS with a single value of 192.168.10.254. Then, in the access service for the TACACS protocol, in the Identity section, I created an identity policy saying that "if system.username=cattools AND end station filter DOESN'T MATCH mgmtonly, then Identity source is DenyAccess". This rule is followed by other rules permitting access with the other user accounts. And this scheme is working: when access is made from the mgmt PC with username cattools, access is granted. From any other location it is denied.

Unfortunately, it is working only for Cisco devices, because through monitoring the logs I noticed that they always send the remote address to the ACS server. But the HP switches lack this ability. Every time the ProCurves access the ACS server, the Remote Address field is empty, i.e. they don't relay an IP address to the server. So the above rule is not matched and not working. Is there any solution to this, or is there a more suitable solution?