Hey Winston,
You were thinking outside the box on this one; however, I think you would have
lost points.
The task specifically states that we need to "Secure VLAN 12 so that any router
added in the future will not be able to "see" EIGRP multicast packets "or" form
neighbor relationships with existing routers."
The key words here are "see" and "or", and your configs only satisfy half of
this requirement. I just labbed this one up using your configuration and then
added R4's interface to VLAN 12 (150.100.12.4/24). Since you are still allowing
150.100.12.1 and 150.100.12.2 to send multicasts to 224.0.0.10, new routers
coming online will be able to see these.
So bringing R4 online and running "debug ip packet" clearly shows that R1 and
R2 are sending multicast packets to 224.0.0.10:
*Mar 3 12:17:20.089: IP: s=150.100.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
*Mar 3 12:17:21.261: IP: s=150.100.12.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
*Mar 3 12:17:25.069: IP: s=150.100.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
*Mar 3 12:17:26.029: IP: s=150.100.12.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
So while you may be able to stop neighbors from properly forming with your
configs, anyone on VLAN 12 will still be able to see the multicast traffic
destined to 224.0.0.10.
HTH
Steve Di Bias
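The approach the DSG describes, a VACL that drops all EIGRP multicast on VLAN 12 plus static neighbor statements between R1 and R2, written out as an added example; this is not the configuration from either message. The EIGRP AS number (100) and the R1/R2 interface name (FastEthernet0/0) are assumptions, since the thread does not give them:

```cisco
! Cat3550-1 (VLAN filter): drop EVERY EIGRP packet sent to 224.0.0.10 on VLAN 12,
! including those from R1 and R2, so a newly added router never "sees" a hello.
! In a VACL the ACL's permit entries define what the sequence matches, so the
! ACL must permit (i.e. match) the traffic that sequence 10 is meant to drop.
ip access-list extended EIGRP-MCAST
 permit eigrp any host 224.0.0.10
!
vlan access-map NOEIGRP 10
 match ip address EIGRP-MCAST
 action drop
vlan access-map NOEIGRP 20
 action forward
!
vlan filter NOEIGRP vlan-list 12

! R1: a static neighbor makes EIGRP unicast its hellos to R2 and stop sending
! or processing multicast hellos on that interface. AS 100 and FastEthernet0/0
! are assumed values.
router eigrp 100
 network 150.100.12.0 0.0.0.255
 neighbor 150.100.12.2 FastEthernet0/0

! R2: mirror image of R1.
router eigrp 100
 network 150.100.12.0 0.0.0.255
 neighbor 150.100.12.1 FastEthernet0/0
```

To check it the same way Steve did: "show ip eigrp neighbors" on R1 and R2 should still list each other (the adjacency now runs over unicast, which the VACL does not touch), while "debug ip packet" on a router added to VLAN 12 afterwards should show no packets arriving with d=224.0.0.10 from 150.100.12.1 or 150.100.12.2, and its own multicast hellos are dropped by sequence 10 of the VACL.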
From: [email protected]
[mailto:[email protected]] On Behalf Of Winston Lee
Sent: Wednesday, October 20, 2010 7:05 PM
To: CCIE
Subject: [OSL | CCIE_RS] Vol 1 Lab 9 Task 9.19
Hello All,
9.19 Secure VLAN 12 so that any router added in the future will not be able to
see EIGRP multicast packets or form neighbor relationships with existing
routers.
The DSG proposes putting in a VACL and using the neighbor command between R1 and R2
to accomplish this. I used a different method through a VACL alone and was
wondering if the way I did it was valid (would I have got points for this on
the lab)?
Cat3550-1#sh ip access-lists 101
Extended IP access list 101
    10 deny eigrp host 150.100.12.1 host 224.0.0.10 (68 matches)
    20 deny eigrp host 150.100.12.2 host 224.0.0.10 (31 matches)
    30 permit eigrp any host 224.0.0.10
Cat3550-1#sh vlan access-map NOEIGRP
Vlan access-map "NOEIGRP" 10
  Match clauses:
    ip address: 101
  Action:
    drop
Vlan access-map "NOEIGRP" 20
  Match clauses:
  Action:
    forward
Cat3550-1#sh run | i filter
vlan filter NOEIGRP vlan-list 12