I think you should see what's happening on your outside interface:
is RIP needed?
is BGP needed?
In these cases I've learnt that it's better to be as strict as possible,
enabling only udp 520 and tcp 179 to come in from the outside, and
nothing else, if not specified.
/R
2009/7/24 Evan Weston <evan_weston_at_hotmail.com>:
> Hi all,
>
> Does anyone have any thoughts on what you might do in the exam in a scenario
> where you have to deny everything for a reflexive ACL or CBAC or whatever?
>
> I noticed in the CBAC examples on the DocCD they recommend the following:
>
> access-list 100 deny tcp any any
> access-list 100 deny udp any any
> access-list 100 permit icmp any any echo-reply
> access-list 100 permit icmp any any time-exceeded
> access-list 100 permit icmp any any packet-too-big
> access-list 100 permit icmp any any traceroute
> access-list 100 permit icmp any any unreachable
> access-list 100 deny ip any any
>
> Some vendor workbooks just go with something like this:
>
> ip access-list extended CBAC-IN
>  permit icmp any any port-unreachable
>  permit icmp any any time-exceeded
>  permit eigrp any any
>  deny ip any any log
>
> Would you lose points for having all the extra stuff the DocCD recommends if
> not explicitly told to put it in?
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- Faeddare pagu, sabidorla meda.
Received on Fri Jul 24 2009 - 10:30:47 ART
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART
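Added example (not from either poster, and not IOS code): a small evaluator for the two ACL styles in the thread. It parses the DocCD-style numbered list from the question and a strict inbound list built from the reply's advice (only udp 520 and tcp 179 from the outside, plus the two ICMP error entries the workbook keeps, then deny ip any any log), and runs constructed packets through both with first-match-wins and an implicit deny. It shows one thing the lists alone do not: the DocCD keyword `unreachable` matches every ICMP type-3 code, while the workbook's `port-unreachable` matches only code 3, so a host-unreachable (type 3, code 1) passes the first list and is dropped by the second. The ACL name STRICT-IN, the addresses and the "eq 520" destination-port match (real RIP also uses source port 520) are assumptions of this example.

```python
"""Minimal evaluator for Cisco-style extended ACL entries (constructed example).

Supports only the syntax used in the thread: 'any' or 'host A.B.C.D' addresses,
'eq <port>', the ICMP keywords below, and 'log'. First match wins; implicit deny.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS ICMP keywords as (type, code); code None means "any code".
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),      # every type-3 code
    "port-unreachable": (3, 3),    # only type 3 / code 3
    "packet-too-big": (3, 4),
    "time-exceeded": (11, None),
    "traceroute": (30, None),
}


@dataclass
class Packet:
    proto: str                                 # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    dport: Optional[int] = None                # destination port for tcp/udp
    icmp: Optional[Tuple[int, int]] = None     # (type, code) for icmp


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int] = None
    icmp: Optional[Tuple[int, Optional[int]]] = None
    log: bool = False


def _take_addr(tokens):
    """Consume one address term: 'any' or 'host A.B.C.D'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("only 'any' and 'host' addresses are supported here")


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0] == "access-list":   # numbered form: drop 'access-list <n>'
        tokens = tokens[2:]
    ace = Ace(action=tokens[0], proto=tokens[1], src="", dst="")
    rest = tokens[2:]
    ace.src, rest = _take_addr(rest)
    ace.dst, rest = _take_addr(rest)
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            ace.port = int(rest.pop(0))
        elif tok in ICMP_KEYWORDS:
            ace.icmp = ICMP_KEYWORDS[tok]
        elif tok == "log":
            ace.log = True
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return ace


def parse_acl(text: str) -> List[Ace]:
    """Parse a block of ACL lines; the 'ip access-list extended' header is skipped."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return [parse_ace(ln) for ln in lines if ln and not ln.startswith("ip access-list")]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src not in ("any", pkt.src) or ace.dst not in ("any", pkt.dst):
        return False
    if ace.port is not None and pkt.dport != ace.port:
        return False
    if ace.icmp is not None:
        if pkt.icmp is None or pkt.icmp[0] != ace.icmp[0]:
            return False
        if ace.icmp[1] is not None and pkt.icmp[1] != ace.icmp[1]:
            return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching entry, or 'deny' (implicit deny)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The DocCD-style list quoted in the question.
DOCCD_IN = parse_acl("""
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any any
""")

# Strict inbound list per the reply (RIP and BGP only) plus the workbook's ICMP
# error entries. Name, 'eq 520' destination-port match: assumptions of this example.
STRICT_IN = parse_acl("""
ip access-list extended STRICT-IN
 permit udp any any eq 520
 permit tcp any any eq 179
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 deny ip any any log
""")

if __name__ == "__main__":
    # Constructed sample packets arriving on the outside interface.
    samples = {
        "bgp syn":          Packet("tcp", "192.0.2.10", "192.0.2.1", dport=179),
        "telnet":           Packet("tcp", "192.0.2.10", "192.0.2.1", dport=23),
        "host-unreachable": Packet("icmp", "192.0.2.10", "192.0.2.1", icmp=(3, 1)),
    }
    for name, pkt in samples.items():
        print(f"{name:18s} DocCD={evaluate(DOCCD_IN, pkt):6s} strict={evaluate(STRICT_IN, pkt)}")
```

Note that under the DocCD list the BGP SYN is dropped by the leading "deny tcp any any", which is the intended behaviour when CBAC opens return traffic dynamically; the reply's point is that inbound-initiated routing sessions still need their own explicit permits.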