From: Shamin (ccie.xpert@gmail.com)
Date: Sat Apr 22 2006 - 03:32:46 GMT-3
Hi,
First of all, thank you one and all for your inputs.
My question is based on IEWB Ver3.0, LAB2 TASK 9.4.
Would appreciate answers, especially from the Brians.
The lab requirements state as follows:
-Configure your network so that ICMP traffic is only allowed into your
network via VLAN 52 if the traffic was initiated from behind R5.
-For diagnostic and troubleshooting purposes ensure that users throughout
your network are still able to traceroute from behind R5.
Topology:
192.10.1.0 (VLAN52)
< ---------- R5 (E0/1) ----------------------------------- (E0/0)BB2
Configuration on R5:
Rack1R5#
interface Ethernet 0/1
 ip access-group DENY_SNMP in
 ip access-group EVALUATE_ICMP out
!
ip access-list extended DENY_SNMP
 deny udp any any eq snmp
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 evaluate ICMP
 deny icmp any any
 permit ip any any
!
ip access-list extended EVALUATE_ICMP
 permit icmp any any reflect ICMP
 permit ip any any
In the above configuration, I understood everything except the "deny udp any
any eq snmp" statement at the beginning of the DENY_SNMP extended list. I couldn't
figure out the reason for that statement, and that too at the beginning of the
list.
In the same list DENY_SNMP, there's a "permit ip any any" statement. Is this
statement used to allow the protocol-related updates, or is it referring to
something other than my understanding?
regards
shamin
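
Added example, not part of the original post or of the lab's solution: a small Python model of how the two lists on R5 E0/1 are evaluated entry by entry, run over constructed sample packets. The addresses, the `Packet` and `R5Interface` names, and keying a reflected entry only on protocol and swapped addresses are assumptions of this sketch.

```python
# Simplified model of the two ACLs on R5 E0/1: first matching entry wins.
# Assumption: a reflected entry is keyed on protocol plus swapped src/dst only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "udp" or "tcp"
    icmp_type: str = ""   # e.g. "echo", "echo-reply", "time-exceeded"
    dport: int = 0

class R5Interface:
    def __init__(self):
        self.reflected = set()   # temporary entries of reflexive list ICMP

    def outbound(self, p):
        """EVALUATE_ICMP, applied out on E0/1 (traffic leaving towards BB2)."""
        if p.proto == "icmp":                        # permit icmp any any reflect ICMP
            self.reflected.add((p.proto, p.dst, p.src))
            return "permit (reflected)"
        return "permit"                              # permit ip any any

    def inbound(self, p):
        """DENY_SNMP, applied in on E0/1 (traffic arriving from BB2)."""
        if p.proto == "udp" and p.dport == 161:      # deny udp any any eq snmp
            return "deny"
        if p.proto == "icmp" and p.icmp_type in ("time-exceeded", "port-unreachable"):
            return "permit"                          # replies to traceroute probes
        if (p.proto, p.src, p.dst) in self.reflected:    # evaluate ICMP
            return "permit"
        if p.proto == "icmp":                        # deny icmp any any
            return "deny"
        return "permit"                              # permit ip any any

def demo():
    r5 = R5Interface()
    inside, outside = "10.0.0.1", "192.10.1.254"     # constructed addresses
    results = {}
    results["unsolicited echo in"] = r5.inbound(Packet(outside, inside, "icmp", "echo"))
    results["echo out"] = r5.outbound(Packet(inside, outside, "icmp", "echo"))
    results["echo-reply in"] = r5.inbound(Packet(outside, inside, "icmp", "echo-reply"))
    results["traceroute probe out"] = r5.outbound(Packet(inside, outside, "udp", dport=33434))
    results["time-exceeded in"] = r5.inbound(Packet("192.10.1.1", inside, "icmp", "time-exceeded"))
    results["snmp in"] = r5.inbound(Packet(outside, inside, "udp", dport=161))
    results["bgp in"] = r5.inbound(Packet(outside, inside, "tcp", dport=179))
    return results

if __name__ == "__main__":
    print("\n".join(f"{k:22} {v}" for k, v in demo().items()))
```

In this model the SNMP entry and the final "permit ip any any" act independently of the ICMP entries: the first drops inbound UDP/161, the last passes whatever non-ICMP traffic no earlier entry matched.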