Re: Reflexive output ACL

From: William Nellis (nellis_iv@yahoo.com)
Date: Thu Nov 08 2007 - 18:05:06 ART


Obviously, if it breaks your IGP, BGP, IGMP, PIM requirements, you need to account for that. This is a known thing to have thrown at you. You must solve the problem w/o breaking other req's. And yeah, if you have GRE flowing over... that one too! But if it isn't a requirement of the lab, don't throw it on there as "best practice". Bare minimum required to satisfy.

Good luck Jedi... The force is strong.

When in doubt, proctor out.
 
-------------------------------------------------------
r/s
William Nellis IV
nellis_iv@yahoo.com

----- Original Message ----
From: "Guyler, Rik" <rguyler@shp-dayton.org>
To: groupstudy <ccielab@groupstudy.com>
Sent: Thursday, November 8, 2007 12:39:42 PM
Subject: RE: Reflexive output ACL

Don't do it if it isn't asked for in the requirements. If it says ICMP,
TCP and UDP then allow those and move on. When you start taking
unnecessary steps you run even greater risk of missing a required topic
due to misinterpretation.

Maybe this question really means "allow ONLY ICMP, TCP and UDP inbound"
and so allowing other non-required protocols just cost you points. Why
complicate things any more?

Rik

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
hadek.el-ayachi@nsn.com
Sent: Thursday, November 08, 2007 11:47 AM
To: ccielab@groupstudy.com
Subject: Reflexive output ACL

Hi GS,
If I am asked to permit only icmp/udp/tcp traffic inbound if it is
initiated from inside, the answer is:
      ip access-list extended FW_OUT
       remark outbound sessions create reflexive entries in FW
       permit icmp any any reflect FW
       permit tcp any any reflect FW
       permit udp any any reflect FW

But, what about other protocols and future protocols such as igmp,
gre...? Should I add permit ip any any? Does it deserve asking the proctor?
Thanks for your comments

E. HADEK
Nokia Siemens Networks
IP Core planner
5 rue Abou Inane- Hassan
Rabat - Maroc
Tel : +212 37 26 15 30
GSM : + 212 61 44 93 98
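For reference, here is the complete reflexive ACL pair the question is about, as an added example that is not from any of the posters. The outbound list with the reflect statements is only half of it: the inbound list needs an evaluate statement, otherwise nothing is ever admitted and the implicit deny drops all returning traffic. The interface name, the ACL names FW_OUT/FW_IN and the 300-second timeout are assumptions chosen for the example; the control-plane protocol permits are shown commented out because, as the thread says, they only belong there if the scenario actually requires those protocols to cross the interface (they are never reflected, so they have to be permitted explicitly).

```cisco
! Added example, not from the thread. Interface, ACL names and timeout are assumed.
!
! Outbound list: every permitted icmp/tcp/udp session leaving the interface
! creates a temporary mirror entry in the reflexive list FW.
ip access-list extended FW_OUT
 remark sessions initiated from inside are tracked in FW
 permit icmp any any reflect FW timeout 300
 permit tcp any any reflect FW timeout 300
 permit udp any any reflect FW timeout 300
!
! Inbound list: "evaluate FW" is the line that admits the return traffic.
! Without it the reflect statements above do nothing and the implicit
! deny at the end of FW_IN blocks everything arriving from outside.
ip access-list extended FW_IN
 remark only if the lab requires these across this interface (not reflected):
 ! permit ospf any any
 ! permit eigrp any any
 ! permit tcp any any eq bgp
 ! permit tcp any eq bgp any
 ! permit pim any any
 ! permit igmp any any
 ! permit gre any any
 evaluate FW
!
! Assumed outside-facing interface.
interface Serial0/0
 ip access-group FW_OUT out
 ip access-group FW_IN in
!
! Check: after traffic has been initiated from inside,
!   show ip access-lists FW
! lists the dynamic entries the reflect lines created, each with its
! remaining timeout; an empty FW while sessions fail is the usual sign
! that the reflect or evaluate line is on the wrong list or direction.
```

Note that routing protocol packets the router itself sends are not subject to the outbound ACL, but hellos and updates arriving from the neighbour are checked by FW_IN, which is why an adjacency breaks when only the evaluate line is present.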



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART