Hi Lindsay,
thanks for your help.
About question 1: yes, I would permit traffic only to the specific /32 of the
router, not whole subnets. I was wrong.
About question 2: I know the use of ip unreachable in the interface
configuration, but I was obliged to filter by an ACL.
Pinging an unreachable network and using an ACL to match the traffic, I got
this result:
> Extended IP access list 190
> 10 deny icmp any any port-unreachable log
> 20 deny icmp any any protocol-unreachable log
> 25 deny icmp any any net-unreachable
> 30 deny icmp any any unreachable log (6 matches)
> 40 deny icmp any any host-unreachable log
> 50 permit ip any any (24 matches)
Therefore I guess I can answer myself: the right command to use is simply
'unreachable'.
thanks
On Sun, Sep 9, 2012 at 7:27 AM, Lindsay Hill <lindsay.k.hill_at_gmail.com>wrote:
> Question 1/
> If asked to permit all traffic "to" router R1, I would only be specifying
> R1's IP addresses as the destination. I wouldn't be specifying whole
> subnets. If you do, you'll be allowing more traffic, potentially to other
> devices on those subnets.
>
> It could depend a little on phrasing/context, but I think that in this
> case "FOR" R1 would be the same as "TO" R1. Do you have some specific
> practice lab questions, where you want us to help you understand the
> meaning?
>
>
> Question 2 - this is probably what they want:
> int f0/0
> no ip unreachables
>
> Just for kicks, try setting up an ACL to drop traffic on a router, and do
> a ping that would transit the router. Notice the output? Then try it again,
> with "no ip unreachables", and notice the change in output.
>
>
> On 9/09/2012, at 7:13 PM, ccie99999 <ccie99999_at_gmail.com> wrote:
>
> > Hi guys,
> >
> > In your opinion, if I'm asked to permit all IP traffic **FOR** router R1,
> > is it different from permitting all IP traffic **TO** router R1?
> >
> > if there is a difference I would go for:
> >
> > access-list 100 permit ip any any --> for first case.. **FOR**
> >
> > access-list 100 permit ip any x.x.x.x x.x.x.x (where x.x.x.x are subnets
> > owned by R1) --> second case... *** TO ***
> >
> > does this make sense or not at all?
> >
> > question 2:
> >
> > if I'm asked to deny all icmp unreachable messages what would you do?
> > there are 5 unreachable options using icmp messages..
> >
> > according to my test 'unreachable' should be good enough.. or at least it is
> > the only one that matches my acl..
> >
> > Extended IP access list 190
> > 10 deny icmp any any port-unreachable log
> > 20 deny icmp any any protocol-unreachable log
> > 25 deny icmp any any net-unreachable
> > 30 deny icmp any any unreachable log (6 matches)
> > 40 deny icmp any any host-unreachable log
> > 50 permit ip any any (24 matches)
> >
> > thanks in advance for your support.
> >
> >
> > --
> > @ccie99999
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
--
@ccie99999
Blogs and organic groups at http://www.ccie.net
Received on Sun Sep 09 2012 - 14:05:11 ART
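As an added example that is not part of the thread, the following Python models how IOS walks an extended ACL top-down and stops at the first matching entry, using the ICMP type 3 codes behind the unreachable keywords (net-unreachable 3/0, host-unreachable 3/1, protocol-unreachable 3/2, port-unreachable 3/3; the bare 'unreachable' keyword matches type 3 with any code). It reuses the ACL from the thread as constructed sample input, assumes every entry uses 'any any' as source and destination, and goes beyond the five keywords discussed by checking all sixteen type 3 codes, which shows why one 'deny icmp any any unreachable' line is enough and why, in a list ordered like the one above, a host-unreachable reply is counted on sequence 30 before sequence 40 is ever consulted.

```python
"""First-match evaluation of an IOS extended ACL for ICMP unreachable messages.

Added example; models IOS semantics (top-down, first match wins) rather than
calling any Cisco API. Only 'any any' source/destination entries are handled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS ACL keyword -> (ICMP type, code); a None code means "any code of that type".
ICMP_KEYWORDS: Dict[str, Tuple[int, Optional[int]]] = {
    "net-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "protocol-unreachable": (3, 2),
    "port-unreachable": (3, 3),
    "unreachable": (3, None),
}

# Constructed sample input: the ACL posted in the thread, hit counters stripped.
ACL_TEXT = """\
Extended IP access list 190
10 deny icmp any any port-unreachable log
20 deny icmp any any protocol-unreachable log
25 deny icmp any any net-unreachable
30 deny icmp any any unreachable log
40 deny icmp any any host-unreachable log
50 permit ip any any
"""

# Constructed minimal alternative: one generic line covers every type 3 code.
SINGLE_LINE_ACL = """\
10 deny icmp any any unreachable
20 permit ip any any
"""


@dataclass
class AclEntry:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "ip" or "icmp"
    keyword: Optional[str]  # ICMP keyword, or None for bare icmp / non-ICMP entries


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'show access-lists' style lines; the header and blank lines are skipped."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # e.g. "Extended IP access list 190"
        # parts[3], parts[4] are the 'any any' source/destination (assumed here);
        # an ICMP keyword, if present, follows them and precedes 'log' / hit counts.
        keyword = parts[5] if len(parts) > 5 and parts[5] in ICMP_KEYWORDS else None
        entries.append(AclEntry(int(parts[0]), parts[1], parts[2], keyword))
    return entries


def first_match(entries: List[AclEntry], icmp_type: int, icmp_code: int) -> Optional[AclEntry]:
    """Return the first entry an ICMP packet of this type/code hits, or None (implicit deny)."""
    for e in entries:
        if e.proto == "ip":
            return e  # 'ip any any' matches every packet, ICMP included
        if e.proto != "icmp":
            continue
        if e.keyword is None:
            return e  # bare 'icmp any any' matches any ICMP type/code
        want_type, want_code = ICMP_KEYWORDS[e.keyword]
        if icmp_type == want_type and (want_code is None or icmp_code == want_code):
            return e
    return None


def unreachable_coverage(entries: List[AclEntry]) -> Dict[int, Optional[int]]:
    """Map each ICMP type 3 code (0..15) to the sequence number that catches it.

    A None value means no entry matched, i.e. the implicit deny at the end.
    """
    coverage: Dict[int, Optional[int]] = {}
    for code in range(16):
        hit = first_match(entries, 3, code)
        coverage[code] = hit.seq if hit is not None else None
    return coverage


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # A "host unreachable" reply (type 3, code 1) is stopped at seq 30; seq 40 never sees it.
    print("host-unreachable hits seq", first_match(acl, 3, 1).seq)
    for code, seq in unreachable_coverage(acl).items():
        print(f"type 3 code {code:2d} -> seq {seq}")
    print("single-line ACL:", unreachable_coverage(parse_acl(SINGLE_LINE_ACL)))
```

Running it prints the sequence number each type 3 code lands on; every code not named by a specific keyword (including codes 4 to 15, such as fragmentation-needed or administratively-prohibited) falls through to the generic 'unreachable' entry, and in the single-line ACL all sixteen codes land on sequence 10.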
This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART