RE: Reflexive output ACL

From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Thu Nov 08 2007 - 17:49:55 ART


My reply wasn't really meant for anything specifically but just a
generalization. Some people have a hard enough time with interpreting
the requirements so by introducing additional configs you are increasing
the chances of doing something that will cost you points. In this case,
if OSPF was already running through the interface and the next
requirement said to ONLY allow those protocols, I guess you would either
have to find a workaround or decide which section will lose fewer points
by breaking the rules.

Rik

________________________________

From: Tarun Pahuja [mailto:pahujat@gmail.com]
Sent: Thursday, November 08, 2007 3:41 PM
To: Guyler, Rik
Cc: groupstudy
Subject: Re: Reflexive output ACL

Rik,
      What would happen if the link was already running OSPF and you
enable a firewall that should only allow ICMP, TCP, UDP? You just lost
connectivity!

HTH,
Tarun

On Nov 8, 2007 2:39 PM, Guyler, Rik <rguyler@shp-dayton.org> wrote:

        Don't do it if it isn't asked for in the requirements. If it says ICMP,
        TCP and UDP then allow those and move on. When you start taking
        unnecessary steps you run even greater risk of missing a required topic
        due to misinterpretation.

        Maybe this question really means "allow ONLY ICMP, TCP and UDP inbound"
        and so allowing other non-required protocols just cost you points. Why
        complicate things any more?

        Rik

        -----Original Message-----
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
        hadek.el-ayachi@nsn.com

        Sent: Thursday, November 08, 2007 11:47 AM
        To: ccielab@groupstudy.com
        Subject: Reflexive output ACL

        Hi GS,
        If I am asked to permit only icmp/udp/tcp traffic inbound if it is
        initiated from inside, the answer is:
              ip access-list extended FW_OUT
               permit icmp any any reflect FW
               permit tcp any any reflect FW
               permit udp any any reflect FW
              ! the reflected entries are only checked by an inbound ACL that evaluates them
              ip access-list extended FW_IN
               evaluate FW

        But, what about other protocols and future protocols such as igmp,
        gre...? Should I add permit ip any any? Does it warrant asking the
        proctor?
        Thanks for comment

        E. HADEK
        Nokia Siemens Networks
        IP Core planner
        5 rue Abou Inane- Hassan
        Rabat - Maroc
        Tel : +212 37 26 15 30
        GSM : + 212 61 44 93 98
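
To make the trade-off argued in this thread concrete, the following is a small Python model of how the posted FW_OUT (permit icmp/tcp/udp ... reflect FW) and FW_IN (evaluate FW) pair behaves. It is added here for illustration and is not code from any poster or from Cisco; the addresses and flows are constructed, and the only IOS rules it reproduces are that a reflect line creates a mirrored temporary entry, evaluate matches that entry, every ACL ends in an implicit deny, and an outbound ACL is not applied to traffic the router itself originates. Running it shows why Tarun's OSPF neighbour drops, why a GRE tunnel started from inside never gets its return traffic, and why Hadek's proposed permit ip any any in FW_OUT does not help with the replies.

```python
"""Constructed model of Cisco IOS reflexive ACL behaviour (not IOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp", "gre", "ospf", ...
    src: str
    dst: str
    sport: int = 0    # 0 for protocols without ports
    dport: int = 0


class ReflexiveFirewall:
    def __init__(self, reflect_protos, out_permit=(), in_permit=()):
        self.reflect_protos = set(reflect_protos)  # "permit <proto> any any reflect FW" lines
        self.out_permit = set(out_permit)          # plain "permit <proto> any any" lines in FW_OUT
        self.in_permit = set(in_permit)            # plain "permit <proto> any any" lines in FW_IN
        self.reflected = set()                     # temporary entries created by "reflect"

    @staticmethod
    def _matches(permits, proto):
        # "ip" in a permit line matches every IP protocol
        return proto in permits or "ip" in permits

    def outbound(self, pkt, router_originated=False):
        """FW_OUT applied 'out' on the outside interface. Returns True if forwarded."""
        if router_originated:
            # IOS does not apply an outbound ACL to packets the router itself sends,
            # so the router's own OSPF hellos leave without creating a reflected entry.
            return True
        if pkt.proto in self.reflect_protos:
            # reflect mirrors the 5-tuple so the return flow can be matched inbound
            self.reflected.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
            return True
        if self._matches(self.out_permit, pkt.proto):
            return True   # permitted out, but nothing is reflected for the reply
        return False      # implicit deny at the end of the ACL

    def inbound(self, pkt):
        """FW_IN applied 'in' on the outside interface: 'evaluate FW' plus static permits."""
        if (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.reflected:
            return True
        return self._matches(self.in_permit, pkt.proto)   # otherwise implicit deny


# Constructed sample addresses (documentation ranges)
INSIDE, OUTSIDE, NEIGHBOR, OSPF_ALL = "10.1.1.10", "198.51.100.5", "203.0.113.1", "224.0.0.5"


def run_scenario(out_permit=(), in_permit=()):
    """Drive one firewall configuration through the flows the thread argues about."""
    fw = ReflexiveFirewall({"icmp", "tcp", "udp"}, out_permit, in_permit)
    r = {}
    # TCP session opened from inside: the reply must be allowed back in.
    fw.outbound(Packet("tcp", INSIDE, OUTSIDE, 40000, 80))
    r["tcp_reply"] = fw.inbound(Packet("tcp", OUTSIDE, INSIDE, 80, 40000))
    # Unsolicited TCP from outside: nothing was reflected, so it is denied.
    r["tcp_unsolicited"] = fw.inbound(Packet("tcp", OUTSIDE, INSIDE, 1234, 22))
    # GRE tunnel initiated from inside: there is no "permit gre any any reflect FW" line.
    r["gre_out"] = fw.outbound(Packet("gre", INSIDE, OUTSIDE))
    r["gre_reply"] = fw.inbound(Packet("gre", OUTSIDE, INSIDE))
    # OSPF on the link: our hellos bypass FW_OUT, the neighbour's hellos arrive inbound.
    fw.outbound(Packet("ospf", "203.0.113.2", OSPF_ALL), router_originated=True)
    r["ospf_hello_in"] = fw.inbound(Packet("ospf", NEIGHBOR, OSPF_ALL))
    return r


if __name__ == "__main__":
    print("FW_OUT as posted:              ", run_scenario())
    print("+ permit ip any any in FW_OUT: ", run_scenario(out_permit={"ip"}))
    print("+ permit ospf any any in FW_IN:", run_scenario(in_permit={"ospf"}))
```

With the ACLs as posted, the TCP reply is permitted and the unsolicited TCP is dropped, which is the intended behaviour, but GRE never leaves and the neighbour's OSPF hellos are dropped by the implicit deny in FW_IN. Appending permit ip any any to FW_OUT lets GRE out, yet because that line has no reflect keyword no temporary entry is created and the GRE reply is still dropped; OSPF is unaffected either way because the router's own hellos never pass through FW_OUT. The only configuration in the model that keeps the adjacency up is an explicit static permit for OSPF in FW_IN, which is exactly the kind of extra line Rik warns may or may not be allowed by the task wording.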



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART