Question 1:
If asked to permit all traffic "to" router R1, I would only be specifying R1's IP addresses as the destination. I wouldn't be specifying whole subnets. If you do, you'll be allowing more traffic, potentially to other devices on those subnets.
It could depend a little on phrasing/context, but I think that in this case "FOR" R1 would be the same as "TO" R1. Do you have some specific practice lab questions where you want us to help you understand the meaning?
Question 2 - this is probably what they want:
int f0/0
no ip unreachables
Just for kicks, try setting up an ACL to drop traffic on a router, and do a ping that would transit the router. Notice the output? Then try it again, with "no ip unreachables", and notice the change in output.
On 9/09/2012, at 7:13 PM, ccie99999 <ccie99999_at_gmail.com> wrote:
> Hi guys,
>
> in your opinion.. If I'm asked to permit all IP traffic **FOR** router R1..
> is it different from permitting all IP traffic **TO** router R1?
>
> if there is a difference I would go for:
>
> access-list 100 permit ip any any --> for first case.. **FOR**
>
> access-list 100 permit ip any x.x.x.x x.x.x.x (where x.x.x.x is subnets
> owned by R1) --> second case... *** TO ***
>
> does this make sense or not at all?
>
> question 2:
>
> if I'm asked to deny all icmp unreachable messages what would you do?
> there are 5 unreachable options using icmp messages..
>
> according to my test 'unreachable' should be good enough.. or at least is
> the only one that matches my acl..
>
> Extended IP access list 190
> 10 deny icmp any any port-unreachable log
> 20 deny icmp any any protocol-unreachable log
> 25 deny icmp any any net-unreachable
> 30 deny icmp any any unreachable log (6 matches)
> 40 deny icmp any any host-unreachable log
> 50 permit ip any any (24 matches)
>
> thanks in advance for your support.
>
>
> --
> @ccie99999
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Sep 09 2012 - 19:27:52 ART
This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART
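
The reply's point about naming R1's own addresses rather than whole subnets, as an added example that is not part of the original thread: a small Python model of IOS wildcard-mask matching that counts how many extra destinations the subnet-wide entries permit. The addressing is constructed from documentation ranges, and all function and variable names are hypothetical.

```python
import ipaddress

def ace_matches(dst, base, wildcard):
    """True if dst matches an ACL destination written as 'base wildcard'.
    Wildcard bits set to 1 are ignored; every other bit must equal base."""
    d = int(ipaddress.IPv4Address(dst))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (d & care) == (b & care)

def permitted(dst, aces):
    """Every entry modelled here is a permit, so a destination is allowed
    if any entry matches; otherwise the implicit deny applies."""
    return any(ace_matches(dst, base, wc) for base, wc in aces)

# Constructed addressing (RFC 5737 documentation ranges), not from the thread:
# R1 owns 192.0.2.1 on 192.0.2.0/24 and 198.51.100.1 on 198.51.100.0/30.
R1_ADDRESSES = ["192.0.2.1", "198.51.100.1"]

# Style 1: permit ip any <subnet> <wildcard>, one entry per subnet R1 sits on
SUBNET_ACL = [("192.0.2.0", "0.0.0.255"), ("198.51.100.0", "0.0.0.3")]
# Style 2: permit ip any host <address>, one entry per R1 address
HOST_ACL = [(addr, "0.0.0.0") for addr in R1_ADDRESSES]

# Every address on R1's two connected subnets
CANDIDATES = [str(a)
              for net in ("192.0.2.0/24", "198.51.100.0/30")
              for a in ipaddress.ip_network(net)]

def extra_destinations(wide, narrow, candidates):
    """Destinations the wide ACL permits that the narrow ACL does not."""
    return [c for c in candidates
            if permitted(c, wide) and not permitted(c, narrow)]

if __name__ == "__main__":
    extra = extra_destinations(SUBNET_ACL, HOST_ACL, CANDIDATES)
    print(f"host entries permit {len(R1_ADDRESSES)} destinations")
    print(f"subnet entries permit {len(extra)} additional destinations")
    print("first few:", extra[:3])
```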