You don't have to put the log at the end of your deny statement; this is purely
optional. As a best practice, however, using log on your deny statements is a
good idea because it sends an informational logging message about the packet
that matches the entry to the console, buffer, and/or syslog server.
The router will know that the traffic originated on the F0/0 LAN because that's
where you applied your CBAC and access-list configurations. Basically, what you
are saying is that any TCP, UDP, and ICMP traffic that comes in from F0/0
should be inspected and inserted into the state table. This will allow the
return traffic that matches to be allowed back to F0/0 (i.e. traffic that
originated on the F0/0 LAN).
The access-list you created (101) is saying that OSPF traffic should be
permitted (so you don't break other routing) but to deny 100.100.200.0/24,
which will no longer be advertised as a network in OSPF; the permit ip any any
is self-explanatory.
HTH
Steve Di Bias
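Added example, not from either message in this thread: a small Python model of the order of operations Steve describes, using the config Amer posted (inspect tcp/udp/icmp inbound on fas0/0, access-list 101 outbound on fas0/0). It assumes 100.100.200.0/24 is the LAN behind fas0/0, which the question implies but never states; the Packet, CbacRouter, net and demo names are mine, and the syslog line is only shaped like the IOS %SEC-6-IPACCESSLOGP message, not produced by IOS. The point it shows is that CBAC's dynamic openings are consulted before the static lines of ACL 101, so return traffic to the LAN survives the deny entry while unsolicited traffic hits it (and gets logged).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports (icmp, ospf)
    dport: int = 0


def net(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an ipaddress network.
    Only contiguous wildcards (0.0.0.255 style) are handled, which is all the
    posted ACL uses."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild != (1 << wild.bit_length()) - 1:
        raise ValueError("non-contiguous wildcard masks are not modelled")
    return ipaddress.ip_network((addr, 32 - wild.bit_length()), strict=False)


ANY = net("0.0.0.0", "255.255.255.255")
LAN = net("100.100.200.0", "0.0.0.255")   # assumed: the LAN behind fas0/0

# access-list 101 as posted: (action, protocol, source, destination, log)
ACL_101 = [
    ("permit", "ospf", ANY, ANY, False),
    ("deny",   "ip",   ANY, LAN, True),
    ("permit", "ip",   ANY, ANY, False),
]

# ip inspect name R8Task3 tcp / udp / icmp
INSPECTED = {"tcp", "udp", "icmp"}


def acl_lookup(acl, pkt):
    """First-match ACL evaluation. Returns (action, log); no match is the
    implicit deny at the end of every IOS ACL."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, log in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src in src_net and dst in dst_net:
            return action, log
    return "deny", False


class CbacRouter:
    def __init__(self):
        self.sessions = set()   # the CBAC state table
        self.syslog = []        # where the 'log' keyword's messages end up

    def inbound_on_fas00(self, pkt):
        """Packet from the LAN entering fas0/0 ('ip inspect R8Task3 in').
        Inspected protocols get a state-table entry; nothing is filtered here
        because there is no inbound ACL on the interface."""
        if pkt.proto in INSPECTED:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "forward"

    def outbound_on_fas00(self, pkt):
        """Packet leaving fas0/0 toward the LAN ('ip access-group 101 out').
        CBAC's dynamic openings for known sessions are checked before the
        static entries of ACL 101, which is why return traffic to
        100.100.200.0/24 survives the deny line."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit"
        action, log = acl_lookup(ACL_101, pkt)
        if log:   # illustrative message shaped like IOS's %SEC-6-IPACCESSLOGP
            self.syslog.append(
                f"%SEC-6-IPACCESSLOGP: list 101 denied {pkt.proto} "
                f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")
        return action


def demo():
    """Three constructed packets covering the three cases from the thread."""
    r = CbacRouter()
    # 1. LAN host opens HTTP to an outside server; the SYN is inspected on the way in
    r.inbound_on_fas00(Packet("tcp", "100.100.200.10", "203.0.113.5", 40000, 80))
    returned = r.outbound_on_fas00(Packet("tcp", "203.0.113.5", "100.100.200.10", 80, 40000))
    # 2. Unsolicited SSH toward the LAN: no state entry, so ACL 101 denies and logs it
    unsolicited = r.outbound_on_fas00(Packet("tcp", "203.0.113.9", "100.100.200.10", 5555, 22))
    # 3. OSPF toward the LAN matches the first line and is permitted
    ospf = r.outbound_on_fas00(Packet("ospf", "10.0.0.2", "100.100.200.1"))
    return returned, unsolicited, ospf, r.syslog


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running it prints permit / deny / permit and one log line for the unsolicited SSH attempt; remove the inbound_on_fas00 call for case 1 and the HTTP return traffic is denied too, which is the behaviour Amer was worried about.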
________________________________
From: [email protected]
[mailto:[email protected]] On Behalf Of Amer Mustafa
Sent: Wednesday, October 20, 2010 9:24 AM
To: [email protected]
Subject: [OSL | CCIE_RS] Workbook 1 Task 17.3
Workbook 1 Task 17.3
This is about CBAC. I need a clarification here for the statement: access-list
101 deny ip any 100.100.200.0 0.0.0.255 log. What is the role of "log", and
if this statement is denying any traffic destined to 100.100.200.0, how will the
router allow it if it originated from F0/0?
I know my question is kinda silly and I am missing a major concept here, but I
need to know the answer.
The command line is:
ip inspect name R8Task3 tcp router-traffic
ip inspect name R8Task3 udp router-traffic
ip inspect name R8Task3 icmp router-traffic
access-list 101 permit ospf any any
access-list 101 deny ip any 100.100.200.0 0.0.0.255 log
access-list 101 permit ip any any
interface fas0/0
ip inspect R8Task3 in
ip access-group 101 out
regards ...
Amer
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com