Great explanation Steve--makes complete sense NOW. I'm beginning to see that the questions, while straightforward, require you to really sit down and examine the full context of what they are asking. Thanks for taking a look at this.
________________________________
From: "Di Bias, Steve" <[email protected]>
To: Winston Lee <[email protected]>; CCIE <[email protected]>
Sent: Wed, October 20, 2010 10:52:08 PM
Subject: RE: [OSL | CCIE_RS] Vol 1 Lab 9 Task 9.19

Hey Winston,

You were thinking outside the box on this one; however, I think you would have lost points. The task specifically states that we need to “Secure VLAN 12 so that any router added in the future will not be able to “see” EIGRP multicast packets “or” form neighbor relationships with existing routers.” The key words here are “see” and “or”, and your configs only satisfy half of this requirement.

I just labbed this one up using your configuration and then added R4’s interface to VLAN 12 (150.100.12.4/24). Since you are still allowing 150.100.12.1 and 150.100.12.2 to send multicasts to 224.0.0.10, new routers coming online will be able to see these. So bringing R4 online and running “debug ip packet” clearly shows that R1 and R2 are sending multicast packets to 224.0.0.10:

*Mar 3 12:17:20.089: IP: s=150.100.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
*Mar 3 12:17:21.261: IP: s=150.100.12.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
*Mar 3 12:17:25.069: IP: s=150.100.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
*Mar 3 12:17:26.029: IP: s=150.100.12.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2

So while you may be able to stop neighbors from properly forming with your configs, anyone on VLAN 12 will still be able to see the multicast traffic destined to 224.0.0.10.

HTH
Steve Di Bias

From: [email protected] [mailto:[email protected]] On Behalf Of Winston Lee
Sent: Wednesday, October 20, 2010 7:05 PM
To: CCIE
Subject: [OSL | CCIE_RS] Vol 1 Lab 9 Task 9.19

Hello All,

9.19 Secure VLAN 12 so that any router added in the future will not be able to see EIGRP multicast packets or form neighbor relationships with existing routers.

The DSG proposes putting a VACL in place and using the neighbor command between R1 and R2 to accomplish this.
I used a different method through a VACL alone and was wondering if the way I did it was valid (would I have got points for this on the lab)?

Cat3550-1#sh ip access-lists 101
Extended IP access list 101
    10 deny eigrp host 150.100.12.1 host 224.0.0.10 (68 matches)
    20 deny eigrp host 150.100.12.2 host 224.0.0.10 (31 matches)
    30 permit eigrp any host 224.0.0.10

Cat3550-1#sh vlan access-map NOEIGRP
Vlan access-map "NOEIGRP" 10
  Match clauses:
    ip address: 101
  Action:
    drop
Vlan access-map "NOEIGRP" 20
  Match clauses:
  Action:
    forward

Cat3550-1#sh run | i filter
vlan filter NOEIGRP vlan-list 12
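Added example (not from the thread, and not the DSG's own solution): one configuration that meets both halves of the task, dropping every EIGRP packet to 224.0.0.10 on VLAN 12 with the VACL while keeping the R1 and R2 adjacency alive over unicast EIGRP with the neighbor command. The EIGRP AS number 100, the ACL name and the FastEthernet0/0 interface names are assumptions.

```cisco
! Cat3550-1: drop ALL EIGRP multicast on VLAN 12, not just R1's and R2's.
! VACL semantic that explains the debug output above: the "drop" action is
! applied to packets the ACL PERMITS; packets the ACL DENIES are not matched
! and fall through to the next access-map sequence. ACL 101 in the original
! post therefore dropped only new routers' hellos and forwarded R1's and R2's.
ip access-list extended EIGRP-MCAST
 permit eigrp any host 224.0.0.10
!
vlan access-map NOEIGRP 10
 match ip address EIGRP-MCAST
 action drop
vlan access-map NOEIGRP 20
 action forward
!
vlan filter NOEIGRP vlan-list 12

! R1 (AS 100 and the interface name are assumptions, not from the task).
! A neighbor statement makes EIGRP stop sending multicast hellos on that
! interface and talk unicast to the listed peer only, so R1 and R2 still
! form an adjacency while nothing is sent to 224.0.0.10 for R4 to see.
router eigrp 100
 network 150.100.12.0 0.0.0.255
 neighbor 150.100.12.2 FastEthernet0/0

! R2
router eigrp 100
 network 150.100.12.0 0.0.0.255
 neighbor 150.100.12.1 FastEthernet0/0
```

With this in place, the "debug ip packet" check Steve ran on R4 should show no packets to 224.0.0.10, and "show ip eigrp neighbors" on R1 should still list 150.100.12.2.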
