From: Jared Scrivener (jscrivener@ipexpert.com)
Date: Thu Jan 29 2009 - 02:09:22 ARST
LOL - I can't say I've read the Control Plane Security book, Darby. I've been
reading up on a lot of the Security stuff as I'm working on writing some of
the new Security product that we're releasing.
The control plane policing just happened to refer to "silently discarding
packets" enough times that I thought maybe the Brians were using that as
their word association when writing the lab question. My first instinct was
"no ip unreachables" accompanied by a static route to Null0 (so silent that
it doesn't even show up in a "sh access-list" command), then the CoPP stuff
jumped into my head. ACLs seemed so traditional that I'd ruled them out.
That's the fun of doing so much reading - every day we keep learning new
random stuff with which to clutter our minds. :-)
Cheers,
Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com
_____
From: Darby Weaver [mailto:ccie.weaver@gmail.com]
Sent: Wednesday, 28 January 2009 9:45 PM
To: Jared Scrivener
Cc: Sharma, Praveen; ccielab@groupstudy.com
Subject: Re: IEWB Lab13 Vol 2 - Task 7.1
Good point Jared! Scott confirms it later.
No ip unreachables was the first thing that comes to my mind too.
But what if it were taken off the table?
And Cisco has published a book on the Control Plane Security - I'd guess it's
in our best interest to read it. I own it and have not yet. Ouch!
But it looks like Jared might have. Kudos!
On 1/28/09, Jared Scrivener <jscrivener@ipexpert.com> wrote:
Hey Praveen,
I'm not familiar with IE's labs, but generally if you see a reference to
"silently discarding packets" you are probably being directed to use
control-plane policing with the silent discard feature. This is enabled
automatically if you are using outbound control-plane policing.
Silent discarding is generally used to ensure that messages aren't being
sent back to the sender of denied packets. This is done to help avoid
network reconnaissance attacks.
Without seeing the specific question, that's the best suggestion I can
offer.
Cheers,
Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sharma, Praveen
Sent: Wednesday, 28 January 2009 4:17 PM
To: ccielab@groupstudy.com
Subject: IEWB Lab13 Vol 2 - Task 7.1
Hi GS,
I got confused by this statement in the access-list example:
"Silently Discard packet that denied".
To be more specific, it is Vol II 4.1 Lab 13 7.1.
Thanks
Praveen
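
The three ways of dropping traffic without an ICMP reply that come up in this thread, written out as Cisco IOS configuration. This is an added example, not part of the original messages or of the IEWB lab solution; the addresses, interface, ACL numbers and class/policy names are constructed placeholders.

```cisco
! --- Option 1: ACL deny, with ICMP unreachables suppressed on the interface ---
! By default a packet denied by an interface ACL triggers an ICMP
! "administratively prohibited" (type 3, code 13) reply to the sender.
access-list 100 deny   ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip any any
!
interface FastEthernet0/0
 ip access-group 100 in
 no ip unreachables
!
! --- Option 2: static route to Null0 ---
! Destination-based: traffic *to* the prefix is discarded in the forwarding
! path, so no ACL counters increment. Unreachables are disabled on Null0 so
! the discard produces no reply.
interface Null0
 no ip unreachables
!
ip route 198.51.100.0 255.255.255.0 Null0
!
! --- Option 3: outbound control-plane policing (silent mode) ---
! Drops ICMP unreachables that the router itself originates, whichever
! interface or feature caused them.
access-list 120 permit icmp any any unreachable
!
class-map match-all ICMP-UNREACH
 match access-group 120
!
policy-map COPP-OUT
 class ICMP-UNREACH
  drop
!
control-plane
 service-policy output COPP-OUT
```

To check the result, `show access-lists 100` shows hits for option 1 only, and `show policy-map control-plane` shows the drop counters for option 3.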
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST