From: Ronnie Royston (RonnieR@xxxxxxxxxxxxxxxxx)
Date: Sat Dec 23 2000 - 13:58:28 GMT-3
Just a tip:
For outgoing access-lists, you'll only need to consider a hole for BGP. All
the other routing protocols generate local traffic that will not be filtered
by your 'ip access-group out' command. This is only true for an outbound
access-group.
Also, I've learned that if you can test the firewall, test it! Simple
filtering can become very detailed with that 'deny any any' at the end of
the list. For those who haven't, try allowing traceroute with a deny any
any at the end of your list. You'll need more than just 'permit icmp any
any traceroute'. Lastly, add the log keyword at the end of your deny any
any to get notified on what you're missing. Good luck.
-----Original Message-----
From: Earl Aboytes [mailto:Earl@dnssystems.com]
Sent: Friday, December 22, 2000 2:39 PM
To: 'Chuck Larrieu'; CCIE_Lab Groupstudy List
Subject: RE: More Lab Tips - Access List contents
Always apply your access lists last. Get it all working first and then try
to filter.
-----Original Message-----
From: Chuck Larrieu [mailto:chuck@cl.cncdsl.com]
Sent: Friday, December 22, 2000 1:35 PM
To: CCIE_Lab Groupstudy List
Subject: More Lab Tips - Access List contents
After another couple of puzzling experiences in my lab preparation, I am
adding the following to my routines:
Always place routing protocol permits at the top of extended access lists.
If dealing with standard access lists, beware of the law of unintended
consequences!
Routing can be severely affected by the misunderstanding and misplacement of
access-lists.
Happy holidays, everyone!
Chuck
----------------------
I am Locutus, a CCIE Lab Proctor. Xx_Brain_dumps_xX are futile. Your life as
it has been is over ( if you hope to pass ) From this time forward, you will
study US!
( apologies to the folks at Star Trek TNG )
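The tips in this thread combined into one inbound extended ACL, as an added example that is not from any of the posters. ACL number 101, interface Serial0, OSPF and BGP as the routing protocols in use, and the UDP probe range 33434-33523 (the conventional traceroute default) are assumptions.

```cisco
! Added example, not from the thread. ACL 101, Serial0, OSPF + BGP and the
! UDP probe range are assumptions; adjust them to the lab topology.
!
! 1. Routing protocol permits first, so no later entry can drop adjacencies.
access-list 101 permit ospf any any
access-list 101 permit tcp any any eq bgp
access-list 101 permit tcp any eq bgp any
!
! 2. Traceroute started behind this router: the answers arrive as ICMP
!    errors, which 'permit icmp any any traceroute' alone does not match.
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any port-unreachable
!    ICMP-based traceroute (echo probes): the final hop answers with echo-reply.
access-list 101 permit icmp any any echo-reply
!
! 3. Traceroute started on the far side toward hosts behind this router:
!    UDP probes (assumed default range) or ICMP echo probes.
access-list 101 permit udp any any range 33434 33523
access-list 101 permit icmp any any echo
!
! 4. Explicit final deny with 'log' so every drop is reported.
access-list 101 deny ip any any log
!
! 5. Apply the list last, once routing is already working.
interface Serial0
 ip access-group 101 in
```

After applying, `show access-lists 101` lists per-entry match counts, and the logged denies show which traffic still needs a permit.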
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:10 GMT-3