From: Ralph (Mandela@myrealbox.com)
Date: Fri Oct 21 2005 - 18:29:01 GMT-3
This is a scenario from Internetwork expert volume 1, Lab 15 workbook.
Question 11.4 - 11.5:
The relevant part of the topology is this:
R5(fa0/1)------192.10.4.0----------BB2
The question asks to configure R5 to keep track of hosts attempting to violate a previously implemented filtering policy.
The previously implemented filtering policy is this:
ip access-list extended INBOUND
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit icmp any host 192.10.4.5 echo-reply
 evaluate REFLEX
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLEX
 permit udp any any reflect REFLEX
 permit icmp any any reflect REFLEX
!
ip accounting-threshold 100
!
interface FastEthernet0/1
 ip address 192.10.4.5 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip accounting access-violations
However, it seems like the ip accounting command is not working; I tried to ping any address in the topology from BB2, the ping was correctly denied as expected, but a "show ip accounting access-violations" revealed nothing.
Rack4R5#sh ip accounting access-violations
Source Destination Packets Bytes ACL
Accounting data age is 6
I am missing something here.
TIA
Ralph.