Evan, I think it will be clear what you need to allow. I had a lot of these
types of questions when I was in prep. The key is to know your options and,
like Federico said, make sure you do allow what is needed.
On Fri, Jul 24, 2009 at 2:30 AM, Federico Cossu <federico.cossu_at_gmail.com> wrote:
> I think you should see what's happening on your outside interface.
> Is RIP needed?
> Is BGP needed?
> In these cases I've learnt that it's better to be as strict as
> possible,
> enabling only udp 520 and tcp 179 to come in from the outside, and
> nothing else if not specified.
>
> /R
>
> 2009/7/24 Evan Weston <evan_weston_at_hotmail.com>:
> > Hi all,
> >
> > Does anyone have any thoughts on what you might do in the exam in a scenario
> > where you have to deny everything for a reflexive ACL or CBAC or whatever?
> >
> > I noticed in the CBAC examples on the DocCD they recommend the following:
> >
> > access-list 100 deny tcp any any
> > access-list 100 deny udp any any
> > access-list 100 permit icmp any any echo-reply
> > access-list 100 permit icmp any any time-exceeded
> > access-list 100 permit icmp any any packet-too-big
> > access-list 100 permit icmp any any traceroute
> > access-list 100 permit icmp any any unreachable
> > access-list 100 deny ip any any
> >
> > Some vendor workbooks just go with something like this:
> >
> > ip access-list extended CBAC-IN
> > permit icmp any any port-unreachable
> > permit icmp any any time-exceeded
> > permit eigrp any any
> > deny ip any any log
> >
> > Would you lose points for having all the extra stuff the DocCD recommends if
> > not explicitly told to put it in?
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Faeddare pagu, sabidorla meda.
--
Bryan Bartik
CCIE #23707 (R&S), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

Blogs and organic groups at http://www.ccie.net

Received on Fri Jul 24 2009 - 11:12:59 ART
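An added example for this thread, not code posted by anyone in it: a small Python evaluator that runs the two inbound lists Evan quoted (the DocCD numbered list and the vendor workbook's CBAC-IN), plus a third list constructed here by applying Federico's "only udp 520 and tcp 179" suggestion to the DocCD list, against a handful of constructed packets. It models only the syntax those lists use (plus `eq <port>`), assumes every source and destination is `any`, and applies the implicit deny at the end; the packet names, the `access-list 101` number and the `compare()` helper are this example's own.

```python
# Added example for this thread (not code from any poster): evaluate the two
# inbound ACL styles quoted above, plus one amended with Federico's suggestion,
# against constructed packets. Models only the syntax those lists use (plus
# 'eq <port>') and assumes every source/destination is 'any'.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# IOS ICMP keywords -> (type, code); a None code means any code of that type.
ICMP_KEYWORDS = {
    "echo-reply": (0, None), "unreachable": (3, None), "port-unreachable": (3, 3),
    "packet-too-big": (3, 4), "time-exceeded": (11, None), "traceroute": (30, None),
}


@dataclass
class Packet:
    proto: str                                  # "tcp", "udp", "icmp", "eigrp"
    dport: Optional[int] = None                 # destination port (tcp/udp)
    icmp: Optional[Tuple[int, int]] = None      # (type, code) for icmp


@dataclass
class Entry:
    action: str                                 # "permit" or "deny"
    proto: str                                  # "ip" matches every protocol
    dport: Optional[int] = None                 # from "eq <port>"
    icmp: Optional[Tuple[int, Optional[int]]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp is not None:
            if pkt.icmp is None or pkt.icmp[0] != self.icmp[0]:
                return False
            if self.icmp[1] is not None and pkt.icmp[1] != self.icmp[1]:
                return False
        return True


def parse_acl(text: str) -> list:
    """Parse numbered ('access-list N ...') or named ('ip access-list extended') lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":           # blank line or the named-ACL header
            continue
        if tok[0] == "access-list":
            tok = tok[2:]                       # drop 'access-list <number>'
        entry, rest = Entry(tok[0], tok[1]), tok[4:]   # tok[2:4] is 'any any'
        i = 0
        while i < len(rest):
            if rest[i] == "eq":
                entry.dport, i = int(rest[i + 1]), i + 2
            elif rest[i] in ICMP_KEYWORDS:
                entry.icmp, i = ICMP_KEYWORDS[rest[i]], i + 1
            else:                               # 'log' etc.: no effect on matching
                i += 1
        entries.append(entry)
    return entries


def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in entries:
        if e.matches(pkt):
            return e.action
    return "deny"


# The two lists quoted in the thread, verbatim.
DOCCD = """
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any any
"""
WORKBOOK = """
ip access-list extended CBAC-IN
permit icmp any any port-unreachable
permit icmp any any time-exceeded
permit eigrp any any
deny ip any any log
"""
# Constructed here: DocCD list with Federico's routing-protocol permits, placed
# BEFORE the blanket denies so they can actually match (order is everything).
AMENDED = """
access-list 101 permit tcp any any eq 179
access-list 101 permit udp any any eq 520
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
"""

# Constructed sample packets arriving on the outside interface.
SAMPLE_PACKETS = {
    "icmp echo-reply": Packet("icmp", icmp=(0, 0)),
    "icmp packet-too-big": Packet("icmp", icmp=(3, 4)),     # needed for PMTUD
    "icmp port-unreachable": Packet("icmp", icmp=(3, 3)),   # end of a UDP traceroute
    "icmp time-exceeded": Packet("icmp", icmp=(11, 0)),
    "icmp echo-request": Packet("icmp", icmp=(8, 0)),
    "rip (udp 520)": Packet("udp", dport=520),
    "bgp open (tcp 179)": Packet("tcp", dport=179),
    "eigrp hello": Packet("eigrp"),
}


def compare() -> Dict[str, Dict[str, str]]:
    """Verdict of each list for each sample packet: {packet: {list: permit|deny}}."""
    acls = {"doccd": parse_acl(DOCCD), "workbook": parse_acl(WORKBOOK),
            "amended": parse_acl(AMENDED)}
    return {name: {acl: evaluate(ents, pkt) for acl, ents in acls.items()}
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:24s}" + "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows the practical difference between the two styles: the workbook list passes EIGRP but drops packet-too-big (type 3 code 4), since `port-unreachable` only covers code 3, so path MTU discovery through that router would break; the DocCD list keeps the full set of return ICMP but, as Federico points out, both lists drop RIP (udp 520) and BGP (tcp 179) unless you permit them, and in a numbered list those permits have to sit above `deny tcp any any` and `deny udp any any`. With CBAC the `ip inspect` rule adds temporary entries for return traffic of inspected sessions, which is why the static inbound list only needs to cover what inspection cannot track: ICMP control messages and the routing protocols you actually run on that interface.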
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART