From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri Jun 17 2005 - 07:03:54 GMT-3
John,
Correct me if I'm wrong but wouldn't the "hits" show up either way?
If the acl were wrong, the hits would appear with the permit statement.
If the acl were correct, the hits would appear with the deny statement.
So, given the nature of the mistaken thought process, I don't think this
would help.
Realize that the mistake was made in the first place because when I
permitted the admin scoped mcast groups, I was incorrectly thinking that I
was "permitting" these groups to be filtered (blocked). So, if I looked at
the show acl and saw hits for the incorrect permit statement, I'd have no
reason to think this acl wasn't working as expected even though it was doing
exactly the opposite of what I intended it to do.
I think the only reliable way to verify something like this is to find a way
to make a router simulate a host trying to join these prohibited groups and
fail.
Normally, doing so wouldn't be a problem since I could just use a join-group
on a router, but in this case, I didn't have access to the right router to
do this.
BB -- vlan A --- R1 ---> rest of network
                 ^
                 | block joins here
If I could make BB join the forbidden group, I could verify the acl by
pinging the group and seeing NO response from BB. I believe I could also
use a show command on R1 to see what hosts have joined the forbidden groups.
But, this same show command is useless when R1 itself joins the forbidden
group - the acl on R1's lan interface has no effect.
The only other thing I can think of is creating a complete, separate mcast
tree where I do have access to 3 routers and I can make the 3rd router
simulate a host, the 2nd router simulate the last hop, and the 1st router
simulate the mcast source.
Of course, the best solution is just knowing when to use either permit or
deny in the acl for every possible situation, but this solution I haven't
been able to get right for years.
Tim
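The permit/deny semantics and the negative test Tim describes above, as an added configuration example (this is not from the thread or from any of the posters). It reuses the access-list name MCAST and interface Ethernet0/1 from Tim's show output and the group 239.39.39.39 from his test; the name MCAST-WRONG, the group 224.1.1.1 and the host-side interface Ethernet0/0 are assumptions made up for illustration.

```cisco
! Added example, not from the thread. Names marked (assumed) are made up.
!
! --- The mistaken ACL (assumed name MCAST-WRONG). An IGMP access-group
!     permits the groups hosts MAY join and ends with an implicit deny,
!     so this lets hosts join 239/8 and blocks every other group:
!     the reverse of the task.
ip access-list standard MCAST-WRONG
 permit 239.0.0.0 0.255.255.255
!
! --- The intended ACL: deny the admin-scoped range, permit the rest.
!     Without the trailing "permit any" the implicit deny would block
!     all joins on the VLAN.
ip access-list standard MCAST
 deny   239.0.0.0 0.255.255.255
 permit any
!
interface Ethernet0/1
 ip igmp access-group MCAST
!
! --- Verification has to be a negative test from a downstream host.
!     A join-group on R1 itself is not subject to R1's own inbound
!     access-group (Tim's ping to 239.39.39.39 still got replies), so
!     the join must come from a device on vlan A, e.g. BB in the
!     diagram or any router/host you control there (assumed Ethernet0/0).
interface Ethernet0/0
 ip igmp join-group 239.39.39.39
 ip igmp join-group 224.1.1.1
!
! --- On R1, the membership table is what distinguishes right from wrong:
!     with MCAST applied, 224.1.1.1 is listed on Ethernet0/1 and
!     239.39.39.39 is absent; with MCAST-WRONG applied, only
!     239.39.39.39 appears. Access-list hit counters cannot tell these
!     apart, since the first ACL line is matched in both cases.
show ip igmp groups
show ip igmp interface Ethernet0/1
!
! --- debug ip igmp shows the reports arriving on Ethernet0/1, which
!     confirms the host actually sent the join and the group is missing
!     because it was filtered, not because nothing was sent.
debug ip igmp
```

The point of the negative test is that a filtering ACL is only proven by a join that should fail and does; seeing hits against the ACL proves that traffic matched a line, not that the line had the intended effect.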
-----Original Message-----
From: John Matus [mailto:jmatus@pacbell.net]
Sent: Friday, June 17, 2005 12:30 AM
To: ccie2be; Group Study
Subject: Re: I just made a dumb mistake
Tim, wouldn't you just look at the acl "show ip acl 5" and see if you get
any hits when you ping an admin address? I would think that would tell you
right there.
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "Group Study" <ccielab@groupstudy.com>
Sent: Thursday, June 16, 2005 9:39 AM
Subject: I just made a dumb mistake
> Hi guys,
>
> First of all, if anyone reading this doesn't also make dumb mistakes, STOP
> READING NOW.
>
> But, for the rest of you, here's what I did.
>
> This task required that I prevent hosts on a certain vlan from joining the
> administratively scoped range of mcast groups.
>
> No big deal. The admin scope is 239.0.0.0 - 239.255.255.255
>
> Now, here's the dumb mistake I made.
>
> Instead of denying this range in my acl, I permitted it. Dumb, I know.
>
> Since I haven't figured out a way to stop making dumb mistakes like this, I
> need a way to check to see if I made a dumb mistake.
>
> How could I verify that my acl is working as expected in this case?
>
> I did a show ip igmp int but that doesn't help.
>
> Ethernet0/1 is up, line protocol is up
> Internet address is 204.12.1.3/24
> IGMP is enabled on interface
> Current IGMP host version is 2
> Current IGMP router version is 2
> IGMP query interval is 60 seconds
> IGMP querier timeout is 120 seconds
> IGMP max query response time is 10 seconds
> Last member query count is 2
> Last member query response interval is 1000 ms
> Inbound IGMP access group is MCAST <----- ACL IS HERE AS EXPECTED
> IGMP activity: 1 joins, 0 leaves
> Multicast routing is enabled on interface
> Multicast TTL threshold is 0
> Multicast designated router (DR) is 204.12.1.3 (this system)
> IGMP querying router is 204.12.1.3 (this system)
> Multicast groups joined by this system (number of users):
> 224.0.1.40(1)
>
>
> I tried joining a group in this range with the command ip igmp join-group
> 239.39.39.39
> after applying the correct acl. And, then I pinged the group.
>
> It worked:
>
> R2#p 239.39.39.39 rep 1000
>
> Type escape sequence to abort.
> Sending 1000, 100-byte ICMP Echos to 239.39.39.39, timeout is 2 seconds:
>
> Reply to request 0 from 183.1.123.3, 52 ms
> Reply to request 0 from 183.1.123.3, 124 ms
> Reply to request 0 from 183.1.123.3, 72 ms
>
>
> So, I can't figure out how to verify this acl.
>
> Any thoughts?
>
> TIA, Tim
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3