From: Balmik Soin (balmik@staff.iinet.net.au)
Date: Mon Nov 05 2007 - 00:06:22 ART
OSPF traffic isn't necessarily sent to the address of the router - OSPF
uses multicast addresses for neighbor discovery and DR updates.
So because you've matched R7's address as the destination for the OSPF
deny statement, and then put a permit ip any any at the end, any host
can establish an OSPF relationship with R7 on that subnet by using
multicast hellos and get at least to the two-way state - thus not
fulfilling the task requirement.
(I'm going out on a limb here and assuming R7 doesn't have an OSPF
network type that precludes this)
As for the TCP port - I might have answered the way you did, it's
ambiguously worded. Perhaps it's a question for the proctor.
- Balmik.
(who is sitting in a hotel room in Tokyo at the moment, going to tackle
the exam tomorrow...)
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> James MacDonald
> Sent: Monday, 5 November 2007 11:23 AM
> To: ccielab@groupstudy.com
> Subject: IPExperts - V9 - Section 9 - task 4
>
> Hi, I have a question about IPExperts Version 9.0 workbook - Section 9,
> task 4. Below is the question and the solution they provided ... and my
> solution. I know for part of the discrepancy I have used specific hosts in
> the acl where they used ANY ... but I know that that should work either
> way and still fulfill the requirements. The issue I have is in
> interpretation of the last part. It clearly asked "deny all inbound
> traffic from hosts 150.50.7.32-150.50.7.63 with a TCP port greater than
> 1023" ... which I read as a source port greater than 1023 ... but the
> solution they provided has the destination port greater than 1023.
>
> Anyone else have issues here? Or am I not reading this correctly?
>
> Thanks,
>
> ===========================
> Question:
> ===========================
> On R7, configure an access-list that allows R7 to only form an OSPF
> adjacency with R5 on the 150.50.7.0/25 network. The access-list should
> also deny PIM either destined for R7 or beyond, from R6. In addition, the
> access-list should deny all inbound traffic from hosts
> 150.50.7.32-150.50.7.63 with a TCP port greater than 1023. All other IP
> traffic should be permitted.
>
> ===========================
> Lab Solution:
> ===========================
> ip access-list extended MyFilter
>
> permit ospf host 150.50.7.5 any
>
> deny ospf any any
>
> deny pim host 10.50.7.6 any
>
> deny tcp 150.50.7.32 0.0.0.31 any gt 1023
>
> permit ip any any
>
> ===========================
> My Solution
> ===========================
> R7#sh ip access-lists
> Extended IP access list lab9-4
> permit ospf host 150.50.7.5 host 150.50.7.7
> deny ospf any host 150.50.7.7
> deny pim host 150.50.7.6 any
> deny tcp 150.50.7.32 0.0.0.31 gt 1023 any
> permit ip any any (2 matches)
>
>
> ------------------------------
> Jim MacDonald
> j4m3sm63@yahoo.ca
> ------------------------------
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART
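
Added example, not part of either message or of the workbook: a small first-match evaluator for the two access lists quoted in the thread, showing how each treats a multicast OSPF hello and the two readings of "TCP port greater than 1023". The packets are constructed; 150.50.7.9 and 150.50.7.40 are made-up hosts, and 224.0.0.5 is the OSPF AllSPFRouters group.

```python
from ipaddress import IPv4Address as IP

# The two access lists exactly as quoted in the thread.
LAB = ["permit ospf host 150.50.7.5 any", "deny ospf any any",
       "deny pim host 10.50.7.6 any",
       "deny tcp 150.50.7.32 0.0.0.31 any gt 1023", "permit ip any any"]
MINE = ["permit ospf host 150.50.7.5 host 150.50.7.7",
        "deny ospf any host 150.50.7.7", "deny pim host 150.50.7.6 any",
        "deny tcp 150.50.7.32 0.0.0.31 gt 1023 any", "permit ip any any"]

def addr(tok):
    """Consume one address spec; return (base, wildcard) as integers."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(IP(tok.pop(0))), 0
    return int(IP(t)), int(IP(tok.pop(0)))

def port(tok):
    """Consume an optional 'gt N' qualifier; return N, or -1 if absent."""
    if tok and tok[0] == "gt":
        del tok[0]
        return int(tok.pop(0))
    return -1

def parse(line):
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = addr(tok), port(tok)   # a port right after the source is a source port
    dst, dport = addr(tok), port(tok)   # a port after the destination is a destination port
    return action, proto, src, sport, dst, dport

def ip_ok(spec, a):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(IP(a)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, sport=0, dport=0):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for action, p, s, sp, d, dp in map(parse, acl):
        if (p in ("ip", proto) and ip_ok(s, src) and ip_ok(d, dst)
                and sport > sp and dport > dp):
            return action
    return "deny"

if __name__ == "__main__":
    for name, acl in (("lab", LAB), ("mine", MINE)):
        print(name, evaluate(acl, "ospf", "150.50.7.9", "224.0.0.5"),
              evaluate(acl, "tcp", "150.50.7.40", "150.50.7.7", 40000, 80))
```

The hello to 224.0.0.5 from a non-R5 host falls through the second list to "permit ip any any", while the first list stops it at "deny ospf any any"; the TCP entries differ only in which port field carries "gt 1023".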