From: Dennis J. Hartmann (dennisjhartmann@hotmail.com)
Date: Tue May 10 2005 - 20:08:33 GMT-3
Am I missing something here??? Comments are welcome.
The NMC scenario #3 calls for a Lock-And-Key dynamic ACL to get from one
VLAN (30) to R5.
What I don't understand about the solution is the ACL that was
configured. The only IP Address that was denied was the 172.16.25.5/27
address, but we are not using the dynamic ACL for the 172.16.105.1/27
loopback interface. This is probably OK because the ACL of 120 that's
applied to the incoming Frame interfaces, does not explicitly allow the
traffic and the last line of the ACL is a deny ip any any.
The question does not call for any other traffic to create the dynamic
ACL except for the traffic from VLAN 30 to R5. I would think that the ACL
should be configured with a permit ip any any at the bottom based on the
question. The explanation also states "The final line 17 is there to help
us determine if we forgot to permit any required traffic.". I'm confused.
The NMC configuration answer is as follows and I have some questions
(check the ! comment lines):
access-list 120 remark ------------- Router Security ------------------
access-list 120 dynamic VLAN30 timeout 10 permit tcp any host 172.16.25.5 eq telnet
! If the dynamic VLAN is ONLY supposed to be created from VLAN30 to R5, I
! would change the source address from "any" to the VLAN30 subnet. We are
! also missing a line in the access-list where we permit VLAN30 to be able
! to telnet to R1. Would this work because their last line is a permit ip
! any any? It "appears" that this permit should be before the dynamic ACL.
access-list 120 deny tcp 172.16.32.0 0.0.3.255 host 172.16.25.5 eq telnet
! If we were going to build this for the destination loopback of R5 as well,
! the following has to be added....
! access-list 120 deny tcp 172.16.32.0 0.0.0.255 host 172.16.105.1
! The next line would be: access-list 120 permit ip any any. The question
! does not call for dropping any other traffic.
access-list 120 permit ospf any any
access-list 120 permit eigrp any any
access-list 120 permit pim any any
access-list 120 permit icmp any any
access-list 120 permit igmp any any
access-list 120 permit tcp any any eq 1720
access-list 120 permit tcp any eq 1720 any
access-list 120 permit tcp any host 172.16.124.1 eq telnet
access-list 120 permit tcp any host 172.16.13.1 eq telnet
access-list 120 permit tcp 172.16.32.0 0.0.3.255 host 172.16.124.1 eq 8080
access-list 120 permit udp any any range 16384 32767
access-list 120 permit tcp any any eq bgp
access-list 120 permit tcp any eq bgp any
access-list 120 deny ip any any log
I also don't understand the use of the following command:
username SALLY autocommand access-enable
The configuration guide for Lock-and-key uses this command:
autocommand access-enable host
The 12.3 documentation (what I'm working off of) doesn't mention the
username X autocommand access-enable option. Please advise.
Sincerely,
Dennis J. Hartmann
White Pine Communications
CCSI#23402/CCIP/CCNP/CCDP/CCNA/CCDA
Cisco IP Voice Support & Design Specialist
Cisco Optical, VPN & IDS Specialist
MCSE
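An added example, not part of the post above or of the NMC solution: a small Python model of first-match ACL evaluation with a lock-and-key dynamic template, used to step through the cases the post raises (telnet from VLAN30 to R5 before and after authentication, the effect of the "any" source on the dynamic line with and without the `host` keyword on `access-enable`, and telnet to the R5 loopback, which no line permits). It assumes that a dynamic line never matches traffic itself, that `access-enable` places the temporary entry at the template's position, and that the `host` keyword pins the entry's source to the authenticating host while its absence keeps the template's source as written. The list is trimmed to the entries of access-list 120 that bear on the question, and the two VLAN30 host addresses 172.16.32.10 and 172.16.33.7 are constructed for the example.

```python
"""Model of IOS first-match ACL evaluation with a lock-and-key dynamic template.

Added example, not taken from the original post or from the NMC solution.
Assumptions: a dynamic line never matches traffic itself; 'access-enable'
creates a temporary entry at the template's position; with the 'host'
keyword the entry's source becomes the authenticating host, otherwise the
template's source is used as written.  Host addresses 172.16.32.10 and
172.16.33.7 are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network; the wildcard is the inverse of the netmask."""
    all_ones = int(ipaddress.IPv4Address("255.255.255.255"))
    netmask = ipaddress.IPv4Address(all_ones ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)))


ANY = net("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None         # None = any destination port
    dynamic: Optional[str] = None       # lock-and-key template name, if any

    def matches(self, proto, src, dst, dport) -> bool:
        if self.dynamic:                # a template only spawns temporary entries
            return False
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl, proto, src, dst, dport=None) -> str:
    """Walk the list top to bottom; first match wins, implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


def access_enable(acl, name, telnet_source, host=False):
    """Copy of the list after 'access-enable [host]' fires for a user whose
    Telnet session came from telnet_source (assumed insertion point: the
    template's own position)."""
    acl = list(acl)
    idx = next(i for i, a in enumerate(acl) if a.dynamic == name)
    tmpl = acl[idx]
    src = net(telnet_source) if host else tmpl.src   # 'host' pins the source
    acl.insert(idx, replace(tmpl, src=src, dynamic=None))
    return acl


# The entries from access-list 120 that bear on the question (wildcards as posted).
R5, R5_LOOPBACK = net("172.16.25.5"), net("172.16.105.1")
R1_A, R1_B = net("172.16.124.1"), net("172.16.13.1")
VLAN30 = net("172.16.32.0", "0.0.3.255")

ACL_120 = [
    Ace("permit", "tcp", ANY, R5, 23, dynamic="VLAN30"),
    Ace("deny", "tcp", VLAN30, R5, 23),
    Ace("permit", "ospf", ANY, ANY),
    Ace("permit", "eigrp", ANY, ANY),
    Ace("permit", "icmp", ANY, ANY),
    Ace("permit", "tcp", ANY, R1_A, 23),
    Ace("permit", "tcp", ANY, R1_B, 23),
    Ace("permit", "tcp", VLAN30, R1_A, 8080),
    Ace("permit", "tcp", ANY, ANY, 179),
    Ace("deny", "ip", ANY, ANY),        # the posted list's closing 'deny ip any any log'
]


def walkthrough() -> dict:
    """Outcomes for the cases raised in the post, before and after authentication."""
    user, neighbour = "172.16.32.10", "172.16.33.7"      # constructed VLAN30 hosts
    with_host = access_enable(ACL_120, "VLAN30", user, host=True)
    without_host = access_enable(ACL_120, "VLAN30", user, host=False)

    def telnet(acl, s, d):
        return evaluate(acl, "tcp", s, d, 23)

    return {
        "vlan30_to_r5_before_auth": telnet(ACL_120, user, "172.16.25.5"),
        "user_to_r5_after_auth_host": telnet(with_host, user, "172.16.25.5"),
        "neighbour_to_r5_after_auth_host": telnet(with_host, neighbour, "172.16.25.5"),
        "neighbour_to_r5_after_auth_no_host": telnet(without_host, neighbour, "172.16.25.5"),
        "user_to_r5_loopback_after_auth": telnet(with_host, user, "172.16.105.1"),
        "vlan30_to_r1_telnet": telnet(ACL_120, user, "172.16.124.1"),
    }


if __name__ == "__main__":
    for case, verdict in walkthrough().items():
        print(f"{case:40s} {verdict}")
```

Run it directly to see the six verdicts. The two neighbour cases are the point of the `host` keyword: with a template source of `any`, one user's authentication opens the entry for every source unless `access-enable host` is used, whereas with `host` only the authenticating address gets through and the static deny still catches the rest of VLAN30. The loopback case shows why the posted list needs no extra deny for 172.16.105.1: nothing permits that telnet, so the closing `deny ip any any log` (or the implicit deny) drops it.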
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3