RE: Query CBAC implementation from Keith Barker on 2010-04-29 (Ccielab archives 04/2010)

From: Keith Barker <kbarker_at_ine.com>
Date: Thu, 29 Apr 2010 13:03:44 -0700

Vibs- I would also use the "description" keyword on the description, so
that it would be there for a proctor to see. :)

I didn't include the command in the example below. (meant to include it, but
didn't)

Best wishes,

Keith

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Keith Barker
Sent: Thursday, April 29, 2010 12:55 PM
To: 'Vibeesh S'; 'Cisco certification'
Subject: RE: Query CBAC implementation

Hello Vibs-

Great question. As you stated, as long as the traffic is inspected before
it hits the wire on S0/0/0 it should work.

So regarding the lab, if it was really ONLY those 2 interfaces, I would
consider how it may be graded.

Do they run traffic through, and measure results?
Do they use a show ip inspect all, and look at the results?
Do they look for the inspection rule applied to an interface?

In any case, make sure that the name of the inspection rule exactly matches
what was asked for, including case.

My opinion, if it was me in the lab today, I would do this:

R5(config)#int fa 0/0

R5(config-if)# I put the inspection rule ingress here and egress on
S0/0/0-so you would be sure to see it :)

R5(config-if)#ip inspect inspection-name1 in

R5(config-if)#int ser 0/0/0

R5(config-if)#ip inspect inspection-name1 out

R5(config-if)# I put the inspection rule egress here and ingress on Fa0/0-so
you would be sure to see it :)

That way, if a human actually does look at it, you are demonstrating that
you were covering your bases, and not fishing.

Best wishes,

Keith

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Vibeesh S
Sent: Thursday, April 29, 2010 6:39 AM
To: Cisco certification
Subject: Query CBAC implementation

Hi,

Assuming that I have router with the following interfaces

F0/0 ---- Router ---- S0/0/0

If I am configuring cbac for traffic going out of my lan to the internet

Is this

conf t
inte f0/0
ip inspect inspection-name1 in

the same desired implementation as

conf t
inter s0/0/0
ip inspect inspection-name1 out

If so, is configuring either one of them acceptable in the lab.
Or is there any limitation/practises

Thanks,
Vibs

Blogs and organic groups at http://www.ccie.net
Received on Thu Apr 29 2010 - 13:03:44 ART

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART