Re: REFLEXIVE ACCESS LIST, IEWB VER3.0, LAB 2, Task 9.4

From: Sidalo (sidalo@gmail.com)
Date: Sat Apr 22 2006 - 03:54:52 GMT-3


The 9.4 ACL builds upon an existing ACL that was created in 9.2 to block
SNMP.
That is why it is named SNMP and has the SNMP block in it.

On 4/21/06, Shamin <ccie.xpert@gmail.com> wrote:
>
> Hi,
>
> First of all, thank you one and all for your inputs.
>
> My question is based on IEWB Ver3.0, LAB2 TASK 9.4.
> Would appreciate answers, especially from the Brians.
>
>
> The lab requirements state as follows:
>
> -Configure your network so that ICMP traffic is only allowed into your
> network via VLAN 52 if the traffic was initiated from behind R5.
> -For diagnostic and troubleshooting purposes ensure that users throughout
> your network are still able to traceroute from behind R5.
>
> Topology:
>
>                        192.10.1.0 (VLAN52)
> <---------- R5 (E0/1) ----------------------------------- (E0/0) BB2
>
>
> Configuration on R5:
>
> Rack1R5#
>
> interface Ethernet 0/1
>  ip access-group DENY_SNMP in
>  ip access-group EVALUATE_ICMP out
> !
> ip access-list extended DENY_SNMP
>  deny udp any any eq snmp
>  permit icmp any any time-exceeded
>  permit icmp any any port-unreachable
>  evaluate ICMP
>  deny icmp any any
>  permit ip any any
> !
> ip access-list extended EVALUATE_ICMP
>  permit icmp any any reflect ICMP
>  permit ip any any
>
>
> In the above configuration, I understood everything except the "deny udp any
> any eq snmp" statement at the beginning of the DENY_SNMP extended list. Couldn't
> figure out the reason for that statement, that too at the beginning of the
> list.
>
> In the same list DENY_SNMP, there's a "permit ip any any" statement. Is this
> statement used to allow the protocol-related updates, or is it referring to
> something other than my understanding?
>
> regards
> shamin
>



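Added example, not part of the original thread or of the IEWB solution: a small Python model of first-match evaluation over the two ACLs quoted above, showing what each line of DENY_SNMP contributes on R5's E0/1. The host addresses and the address-only matching of the reflected entry are assumptions made for the model.

```python
from collections import namedtuple

# Constructed model of the two ACLs on R5 E0/1 quoted above. First match wins.
# Simplification (assumption): a reflected entry matches swapped addresses only.
Pkt = namedtuple("Pkt", "proto src dst kind")  # kind = ICMP type or port keyword

DENY_SNMP = [                                  # applied inbound
    ("deny", "udp", "snmp"),
    ("permit", "icmp", "time-exceeded"),       # replies to traceroute probes
    ("permit", "icmp", "port-unreachable"),
    ("evaluate", "ICMP", None),                # consult the reflected entries
    ("deny", "icmp", None),
    ("permit", "ip", None),
]
EVALUATE_ICMP = [("reflect", "icmp", None), ("permit", "ip", None)]  # outbound

def matches(proto, kind, pkt):
    return proto in ("ip", pkt.proto) and kind in (None, pkt.kind)

def outbound(pkt, state, acl=EVALUATE_ICMP):
    for action, proto, kind in acl:
        if matches(proto, kind, pkt):
            if action == "reflect":
                state.add((pkt.dst, pkt.src))  # temporary mirrored entry "ICMP"
            return "permit"
    return "deny"  # implicit deny at the end of every ACL

def inbound(pkt, state, acl=DENY_SNMP):
    for action, proto, kind in acl:
        if action == "evaluate":
            if pkt.proto == "icmp" and (pkt.src, pkt.dst) in state:
                return "permit"
        elif matches(proto, kind, pkt):
            return action
    return "deny"  # implicit deny

def demo():
    inside, bb2, other = "10.0.0.5", "192.10.1.254", "192.10.1.100"  # constructed
    state = set()
    outbound(Pkt("icmp", inside, bb2, "echo"), state)  # ping from behind R5
    snmp, bgp = Pkt("udp", bb2, inside, "snmp"), Pkt("tcp", bb2, inside, "bgp")
    return {
        "snmp": inbound(snmp, state),
        "reply_to_our_ping": inbound(Pkt("icmp", bb2, inside, "echo-reply"), state),
        "unsolicited_echo": inbound(Pkt("icmp", other, inside, "echo"), state),
        "traceroute_hop": inbound(Pkt("icmp", other, inside, "time-exceeded"), state),
        "tcp_with_last_line": inbound(bgp, state),
        "tcp_without_last_line": inbound(bgp, state, DENY_SNMP[:-1]),
        "snmp_without_first_line": inbound(snmp, state, DENY_SNMP[1:]),
    }
```

Calling `demo()` returns the verdict for each constructed packet; the last two entries rerun the inbound check with one line of DENY_SNMP removed.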