ACL usage: Direction of traffic

September 24, 2008 at 1:53 pm | In Blogroll | Leave a Comment

Lab13, Task 7.1

I sometimes made stupid mistakes, e.g. when doing this task, where I overlook the directions of ACL.

Tips to avoid stupid mistakes

- Read questions carefully

- Use common sense. DoS are usually exploited by sending ICMP echo from OUTSIDE, and other ICMP responses (e.g. port unreachables, time-exceeded) generated from INSIDE.

Task requirement:

Configure R3’s interface E0/1 and R4’s interface E0/0 to reflect the following policy:

  • Deny inbound all ICMP echo (type 8) packets.
  • Deny outbound all ICMP time exceeded and port unreachable packets to stop traceroute ‘replies’.
  • Silently discard packets that are denied.
  • Log all denied packets.

Solution:
interface Ethernet0/1
ip access-group FILTER_IN in
ip access-group FILTER_OUT out
no ip unreachables
!
ip access-list extended FILTER_IN
deny icmp any any echo log
permit ip any any
!
ip access-list extended FILTER_OUT
deny icmp any any time-exceeded log
deny icmp any any port-unreachable log
permit ip any any

Where is GRE located in DOC CD?

September 24, 2008 at 10:55 am | In Lab tips | Leave a Comment

It’s located under

  • Configuration Guide
  • System Management
  • Cisco IOS Interface and Hardware Component Configuration Guide, Release 12.4
  • Part 4: Tunnels

Some common features are “easy to navigate” like Virtual Link, where you know exactly it’s under Routing -> OSPF, or DHCP is under IP addressing Scheme.

GRE location is not obvious. My first thought is that it might be under Routing -> Protocol Independent, or IP Addressing, but both are not correct. For uncommon features like this, I usually stop “search arround” after two or three tries. My approach is go back to the Master Index, and search for keyword, relating to this feature. More specifically

Cisco IOS Master Command List, Release 12.4
Look for one of these commands
- tunnel source
- tunnel destination,
- or tunnel mode

All these commands are located in
Cisco IOS Interface and Hardware Component Command Reference

Now we know that GRE is located under these main topic, and we can go back to the configuration guide, and navigate under this main topic for GRE, as listed at the beginning of this post. Here’s again:

  • Configuration Guide
  • System Management
  • Cisco IOS Interface and Hardware Component Configuration Guide, Release 12.4
  • Part 4: Tunnels

Blog at WordPress.com. | Theme: Pool by Borja Fernandez.
Entries and comments feeds.