|
|
| gigem94 2004-03-19, 4:42 pm |
| Gteetings all, I need some help on this one. I have just finished barely bombing the ICND test, and one of the simulator questions was about disabling the ability to ping a router interface via an access list. It suggests to do it in 3 lines or less and tells you which interface to apply it to. I think that I did it correctly but need some validation to be sure.
rtrA-s0---------s1-rtrB-s0-------s1-rtrC
e0
Here is the scenario; hopefully the text graphic came thru. but if not here is the description. Three routers in succession, A, B, C, each connected serially with each other. Furhter, each has an ethernet interface for another network. The objective is to deny any ping activity to the left most router (A) serial interface while allowing all other traffic through. FYI, you can telnet to A and C respectively from a host on each e0.
My config was to do the following:
access-list 101 deny icmp any any
access-list 101 permit ip any any
then apply this on s0 interface:
ip access-group 101 in
I looked at the run config and everything appeared fine, so I saved it to NVRAM. Then I telnetted to rtrC and tried to ping the s0 interface of rtrA and it came back successful.
So, what gives??? Are my ACL's right or do they need some modification? Any other advice would be helpful.
Thanks in advance for the input. | |
| JohnnyBeGood 2004-03-19, 5:38 pm |
| I had the same question on my exam and I missed it too. However I am ready for it should I get it again. | |
| smrkdown 2004-03-20, 8:26 pm |
| You don't want to use the keyword "any" as the destination address or you will not only deny ping requests to the router but also ping requests to any host or router beyond that interface. Use the router's interfaces' IP addresses as the destination. That is why they allow up to three lines for the access-list. One line per router interface and a permit any any at the end such as:
access-list 110 deny icmp any host 172.16.1.1
access-list 110 deny icmp any host 172.16.1.2
access-list 110 permit ip any any
You'd then apply the list to the router's interfaces for inbound traffic.
This should meet the requirements of that question. | |
| gigem94 2004-03-21, 9:37 pm |
| Thanks smrkdown. I also had done some research suggesting that I might use echo and/or echo-reply appended to the acl entries. Do those need to be there too or can I leave those off an still achieve what is being asked? | |
| smrkdown 2004-03-22, 10:13 am |
| I tried it on my routers and denying the whole ICMP protocol effectively stops ping activity. I doubt the exam would be as in-depth as to deny specific things like echo and echo reply but I'm not sure. I also think it'd be hard to make the access-list under three lines doing it that way. | |
| JohnnyBeGood 2004-03-22, 10:36 am |
| You are thinking along the right lines gigem. ICMP includes other things such as traceroute that the question may or may not be asking to block. | |
| gigem94 2004-03-22, 10:50 am |
| Good point JBG. I know that the echo request and echo reply are the two parts to ping that they are looking to stop. With that in mind then, is echo the correct syntax for the echo request part and is echo-reply the correct syntax for the replies? I only have the boson netsim lite which as you might know only allows you to do about 10% of the functionality before asking you to upgrade for $250 bones. I do not want to drop that kind of change on something that I will not use that much. Personally I'd rather contribute that to the purchase of a used router, but since I am unemployed right now, that is not the wisest area to spend the cash  | |
| smrkdown 2004-03-22, 12:21 pm |
| Yup. echo would deny the requests from another host or router and echo-reply would deny echo replies (like if you ping out from the router, the replies that come back would be denied). I'd spend the 250 dollars on a small lab. I got two 2501 routers, DCE/DTE crossover cables and transceivers for around that price off of ebay. |
|
|
|