RE: access-lists for routing proto's

From: Church, Chuck (cchurch@wamnetgov.com)
Date: Mon Dec 01 2003 - 13:23:21 GMT-3


I'd lean towards keeping it simple, but it's really only a question the proctor can answer.

Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnetgov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com

> -----Original Message-----
> From: Driessens.Hans [mailto:hans.driessens@siemens.com]
> Sent: Monday, December 01, 2003 10:36 AM
> To: ccielab@groupstudy.com
> Subject: access-lists for routing proto's
>
>
> Hi group
>
> If a question at the lab is something like
>
> "make an ingress filter on ethernet from r1 that only allows
> http to server
> 1.2.3.4 and make sure that routing isn't affected"
>
>
> r1, r2 and r3 are connected to that ethernet segment and are
> speaking OSPF.
> All the ospf prio's are the same, the ip addresses are 1.1.1.x
> (x=routernumber). Router 1 and 2 are also doing bgp...
>
> One solution could be
>
> router r1
> int e0
> ip address 1.1.1.1 255.255.255.0
> ip access-group FW_E0_IN in
> !
> ip access-list extended FW_E0_IN
> permit tcp any host 1.2.3.4 eq 80
> permit ospf any any
> permit tcp host 1.1.1.2 host 1.1.1.1 eq bgp
> permit tcp host 1.1.1.2 eq bgp host 1.1.1.1
> !
>
>
> another solution could be
>
> router r1
> int e0
> ip address 1.1.1.1 255.255.255.0
> ip access-group FW_E0_IN in
> !
> ip access-list extended FW_E0_IN
> permit tcp any host 1.2.3.4 eq 80
> permit ospf host 1.1.1.2 host 1.1.1.1
> permit ospf host 1.1.1.2 host 224.0.0.5
> permit ospf host 1.1.1.2 host 224.0.0.6
> permit ospf host 1.1.1.3 host 1.1.1.1
> permit ospf host 1.1.1.3 host 224.0.0.5
> permit ospf host 1.1.1.3 host 224.0.0.6
> permit tcp host 1.1.1.2 gt 1023 host 1.1.1.1 eq bgp
> permit tcp host 1.1.1.2 eq bgp host 1.1.1.1 gt 1023
> !
>
>
> The second solution is easier to mess up... but is also more accurate and
> the only correct answer in my opinion. Does anybody know what's considered
> true at the lab? Can there be a difference in the R/S lab versus the
> security lab?
>
> Hans Driessens
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
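One way to see what each of the two quoted access lists actually admits is to evaluate them against sample packets with first-match, implicit-deny semantics. The following is an added example, not code from either poster: it parses the ACL entries exactly as they appear above (only the any/host address forms and the eq/gt/lt port operators used there), and the keyword-to-port table (bgp = 179, www = 80), the packet model, and the sample flows (including the made-up non-neighbor hosts 10.9.9.9 and 1.1.1.9) are assumptions for illustration.

```python
# Added example (not from the original post): a first-match evaluator for the
# Cisco-style extended ACL lines quoted in the thread, run against constructed
# sample packets. Keyword-to-port table, packet model and flows are assumptions.
from collections import namedtuple
from typing import List, Optional, Tuple

PORT_NAMES = {"bgp": 179, "www": 80}  # assumed keyword-to-port table
PortOp = Optional[Tuple[str, int]]     # ("eq", 179), ("gt", 1023) or None
# proto is "tcp"/"udp"/"ospf"/...; ports apply to tcp/udp only
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))
# action permit/deny; src/dst are "any" or a host address; sport/dport are PortOp
Entry = namedtuple("Entry", "action proto src dst sport dport")


def parse_entry(line: str) -> Entry:
    """Parse 'permit|deny <proto> <src> [op port] <dst> [op port]'."""
    toks, pos = line.split(), 2

    def addr() -> str:  # only the 'any' and 'host A.B.C.D' forms from the thread
        nonlocal pos
        if toks[pos] not in ("any", "host"):
            raise ValueError(f"unsupported address form: {toks[pos]}")
        pos += 1 if toks[pos] == "any" else 2
        return toks[pos - 1]  # the literal "any", or the address after "host"

    def port_op() -> PortOp:
        nonlocal pos
        if pos < len(toks) and toks[pos] in ("eq", "gt", "lt"):
            op, value = toks[pos], PORT_NAMES.get(toks[pos + 1]) or int(toks[pos + 1])
            pos += 2
            return (op, value)
        return None

    src, sport = addr(), port_op()
    dst, dport = addr(), port_op()
    return Entry(toks[0], toks[1], src, dst, sport, dport)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(ln) for ln in text.strip().splitlines() if ln.strip()]


def _port_match(spec: PortOp, port: Optional[int]) -> bool:
    if spec is None:
        return True   # entry has no port qualifier
    if port is None:
        return False  # entry needs a port, packet carries none
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    return (e.src in ("any", p.src) and e.dst in ("any", p.dst)
            and _port_match(e.sport, p.sport) and _port_match(e.dport, p.dport))


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# The two variants from the thread (entries only, as posted).
ACL_SIMPLE = parse_acl("""
permit tcp any host 1.2.3.4 eq 80
permit ospf any any
permit tcp host 1.1.1.2 host 1.1.1.1 eq bgp
permit tcp host 1.1.1.2 eq bgp host 1.1.1.1
""")
ACL_STRICT = parse_acl("""
permit tcp any host 1.2.3.4 eq 80
permit ospf host 1.1.1.2 host 1.1.1.1
permit ospf host 1.1.1.2 host 224.0.0.5
permit ospf host 1.1.1.2 host 224.0.0.6
permit ospf host 1.1.1.3 host 1.1.1.1
permit ospf host 1.1.1.3 host 224.0.0.5
permit ospf host 1.1.1.3 host 224.0.0.6
permit tcp host 1.1.1.2 gt 1023 host 1.1.1.1 eq bgp
permit tcp host 1.1.1.2 eq bgp host 1.1.1.1 gt 1023
""")

# Constructed flows inbound on r1 e0; 10.9.9.9 and 1.1.1.9 are made-up non-neighbors.
SAMPLE_PACKETS = {
    "http to server": Packet("tcp", "10.9.9.9", "1.2.3.4", 40000, 80),
    "telnet to server": Packet("tcp", "10.9.9.9", "1.2.3.4", 40001, 23),
    "ospf hello from r2": Packet("ospf", "1.1.1.2", "224.0.0.5"),
    "ospf from unknown host": Packet("ospf", "1.1.1.9", "224.0.0.5"),
    "bgp open from r2": Packet("tcp", "1.1.1.2", "1.1.1.1", 35000, 179),
    "bgp reply from r2": Packet("tcp", "1.1.1.2", "1.1.1.1", 179, 35000),
}


def compare(acl_a: List[Entry], acl_b: List[Entry], packets=SAMPLE_PACKETS) -> dict:
    """Per sample flow, the verdict of each ACL: {name: (verdict_a, verdict_b)}."""
    return {n: (evaluate(acl_a, p), evaluate(acl_b, p)) for n, p in packets.items()}
```

Running compare(ACL_SIMPLE, ACL_STRICT) shows the trade-off the post is about: both lists pass the HTTP flow, the OSPF hellos from r2 and r3, and the BGP session in either direction, and both drop the telnet attempt to the server through the implicit deny. The difference is the OSPF packet from the made-up host 1.1.1.9: permit ospf any any admits it, while the strict list drops it. The price of the strict list is that a mistyped neighbor address or port range silently breaks routing rather than HTTP filtering, which is why it is "easier to mess up"; checking the list against a handful of known-good flows like this before applying it is a cheap way to catch that.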



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:34 GMT-3