RE: ip unreachables

From: Victor Cappuccio (victor@ccbootcamp.com)
Date: Wed Jun 27 2007 - 01:26:53 ART


Hi, this is part of the new CCBOOTCAMP WB Update:

Configure R1 so that no IP packets sourced from R2's loopbacks will be
permitted to reach any hosts on VLAN 5.

Here, we just need to configure an access list to block traffic from R2's
loopback to VLAN 5. We will apply the access-list inbound on R1's serial
interface. The source of the traffic is the networks of the loopbacks on R2,
and the destination is VLAN 5. We will deny traffic from the two loopback
networks, and then permit all other traffic.

R1(config)#access-list 101 deny ip 124.4.1.0 0.0.0.255 120.120.5.0 0.0.0.255
R1(config)#access-list 101 deny ip 124.4.2.0 0.0.0.255 120.120.5.0 0.0.0.255
R1(config)#access-list 101 permit ip any any

R1(config-if)#int ser0/0/0.1
R1(config-subif)#ip access-group 101 in

Verify by debugging with debug ip icmp on R1 while using an extended ping from
R2.

R2#ping ip 120.120.5.1 source loopback1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.120.5.1, timeout is 2 seconds:
Packet sent with a source address of 124.4.1.2
U.U.U
Success rate is 0 percent (0/5)
R4#

R1#debug ip icmp
ICMP packet debugging is on
R1#
*May 24 09:14:29.556: ICMP: dst (120.120.5.35) administratively prohibited unreachable sent to 124.4.1.2
*May 24 09:14:31.604: ICMP: dst (120.120.5.35) administratively prohibited unreachable sent to 124.4.1.2
*May 24 09:14:33.652: ICMP: dst (120.120.5.35) administratively prohibited unreachable sent to 124.4.1.2

If we wanted to stop R1 from sending the unreachable messages, we could
configure the command no ip unreachables on R1's serial 0/0/0.1 interface.

more 2 come

thanks,
Victor Cappuccio.-
- CCSI# 31452

-----Original Message-----
From: nobody@groupstudy.com on behalf of M S
Sent: Tue 6/26/2007 21:12
To: ccielab@groupstudy.com
Subject: ip unreachables

Hello:
I was working on a lab and I see the solution has no ip unreachables.
Would this command meet the requirement that discarded packets should be
dropped silently?

Thanks
Mike

This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART
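
Added example, not part of the original messages or of the CCBOOTCAMP workbook: a small Python model of how ACL 101 from the reply is evaluated (wildcard-mask matching, first match wins, implicit deny) and of whether a denied packet draws an ICMP administratively-prohibited unreachable or is dropped silently. The function names and the ip_unreachables parameter are assumptions of this sketch, and it ignores any rate limiting of unreachables.

```python
import ipaddress

# ACL 101 as configured in the post: (action, src, src wildcard, dst, dst wildcard)
ACL_101 = [
    ("deny", "124.4.1.0", "0.0.0.255", "120.120.5.0", "0.0.0.255"),
    ("deny", "124.4.2.0", "0.0.0.255", "120.120.5.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # any any
]

ADMIN_PROHIBITED = (3, 13)  # ICMP type 3 (destination unreachable), code 13


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def evaluate(acl, src, dst):
    """Return the action of the first matching entry; no match is the implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action
    return "deny"


def inbound(acl, src, dst, ip_unreachables=True):
    """Model a packet arriving on the interface carrying `ip access-group ... in`.

    Returns (forwarded, icmp_reply). icmp_reply is the (type, code) sent back to
    the source, or None when the packet is forwarded or dropped silently.
    Simplification (assumption of this model): rate limiting is ignored.
    """
    if evaluate(acl, src, dst) == "permit":
        return True, None
    return False, (ADMIN_PROHIBITED if ip_unreachables else None)


if __name__ == "__main__":
    # Source and destination taken from the ping in the post.
    for setting in (True, False):
        print(setting, inbound(ACL_101, "124.4.1.2", "120.120.5.1", setting))
```

With ip_unreachables=False the packet is still denied; only the reply to the source disappears, which is the "dropped silently" behaviour asked about in the original question.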