I would have thought your solution was good until I read how Steve explained it. Interpreting lab tasks is one of my biggest weaknesses.
On Thu, Oct 21, 2010 at 10:09 AM, Winston Lee <[email protected]> wrote:

> Great explanation Steve--makes complete sense NOW. I'm beginning to see
> that the questions, while straightforward, require you to really sit down
> and examine the full context of what they are asking. Thanks for taking a
> look at this.
>
> ------------------------------
> From: "Di Bias, Steve" <[email protected]>
> To: Winston Lee <[email protected]>; CCIE <[email protected]>
> Sent: Wed, October 20, 2010 10:52:08 PM
> Subject: RE: [OSL | CCIE_RS] Vol 1 Lab 9 Task 9.19
>
> Hey Winston,
>
> You were thinking outside the box on this one; however, I think you would
> have lost points.
>
> The task specifically states that we need to "Secure VLAN 12 so that any
> router added in the future will not be able to 'see' EIGRP multicast packets
> 'or' form neighbor relationships with existing routers."
>
> The key words here are "see" and "or", and your configs only satisfy half of
> this requirement. I just labbed this one up using your configuration and
> then added R4's interface to VLAN 12 (150.100.12.4/24). Since you are still
> allowing 150.100.12.1 and 150.100.12.2 to send multicasts to 224.0.0.10, new
> routers coming online will be able to see these.
>
> So bringing R4 online and running "debug ip packet" clearly shows that R1
> and R2 are sending multicast packets to 224.0.0.10:
>
> *Mar 3 12:17:20.089: IP: s=150.100.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
> *Mar 3 12:17:21.261: IP: s=150.100.12.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
> *Mar 3 12:17:25.069: IP: s=150.100.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
> *Mar 3 12:17:26.029: IP: s=150.100.12.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
>
> So while you may be able to stop neighbors from properly forming with your
> configs, anyone on VLAN 12 will still be able to see the multicast traffic
> destined to 224.0.0.10.
>
> HTH
>
> Steve Di Bias
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Winston Lee
> Sent: Wednesday, October 20, 2010 7:05 PM
> To: CCIE
> Subject: [OSL | CCIE_RS] Vol 1 Lab 9 Task 9.19
>
> Hello All,
>
> 9.19 Secure VLAN 12 so that any router added in the future will not be able
> to see EIGRP multicast packets or form neighbor relationships with existing
> routers.
>
> The DSG proposes putting a VACL and using the neighbor command between R1 and
> R2 to accomplish this. I used a different method through a VACL alone and
> was wondering if the way I did it was valid (would I have got points for
> this on the lab)?
>
> Cat3550-1#sh ip access-lists 101
> Extended IP access list 101
>     10 deny eigrp host 150.100.12.1 host 224.0.0.10 (68 matches)
>     20 deny eigrp host 150.100.12.2 host 224.0.0.10 (31 matches)
>     30 permit eigrp any host 224.0.0.10
>
> Cat3550-1#sh vlan access-map NOEIGRP
> Vlan access-map "NOEIGRP" 10
>   Match clauses:
>     ip address: 101
>   Action:
>     drop
> Vlan access-map "NOEIGRP" 20
>   Match clauses:
>   Action:
>     forward
>
> Cat3550-1#sh run | i filter
> vlan filter NOEIGRP vlan-list 12
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
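Editor's added example, not part of the thread above: a small model of how a VLAN access map evaluates packets, run against the VACL Winston posted and against a stricter variant in the spirit of the DSG approach Winston mentions (drop all EIGRP multicast on the VLAN and let R1 and R2 hello each other by unicast under the neighbor command). The semantics modelled are the documented Cisco VACL rules: clauses are tried in sequence order; a packet matches a clause when that clause's ACL permits it, so an ACL deny means "not matched by this clause" rather than "dropped"; a clause with no match statement matches everything; a packet matching no clause is dropped. The stricter access map, the unicast hellos standing in for the effect of the neighbor command, and R4's address 150.100.12.4 used as the newly added router are assumptions made for the example. The result reproduces what Steve saw with debug ip packet: under the posted map a new router's own hellos are dropped, but R1's and R2's multicast hellos are still forwarded to it.

```python
"""Model of VLAN access-map evaluation for EIGRP hellos on VLAN 12.
Added example (editor's code, not from the thread or from the DSG)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EIGRP_MCAST = "224.0.0.10"
R1, R2 = "150.100.12.1", "150.100.12.2"
R4 = "150.100.12.4"            # the router Steve added to VLAN 12


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "eigrp", "icmp", ...


@dataclass(frozen=True)
class ACE:
    action: str                # "permit" | "deny"
    proto: str                 # "eigrp", or "ip" (any protocol)
    src: str                   # "any" or a host address
    dst: str                   # "any" or a host address


@dataclass(frozen=True)
class MapClause:
    seq: int
    acl: Optional[Tuple[ACE, ...]]   # None = clause with no match statement
    action: str                      # "forward" | "drop"


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst))


def acl_result(acl: Tuple[ACE, ...], pkt: Packet) -> str:
    """First matching ACE decides; implicit deny at the end of the list."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def vacl_action(access_map: Tuple[MapClause, ...], pkt: Packet) -> str:
    """Action the access map applies to one packet.  A clause is matched only
    when its ACL *permits* the packet; an ACL deny just falls through to the
    next clause.  Matching no clause at all means the packet is dropped."""
    for clause in sorted(access_map, key=lambda c: c.seq):
        if clause.acl is None or acl_result(clause.acl, pkt) == "permit":
            return clause.action
    return "drop"


def seen_by_new_router(access_map, packets) -> List[str]:
    """Sources whose EIGRP multicast hellos a router newly attached to the
    VLAN would still receive, i.e. hellos to 224.0.0.10 the map forwards."""
    return [p.src for p in packets
            if p.proto == "eigrp" and p.dst == EIGRP_MCAST
            and vacl_action(access_map, p) == "forward"]


# The VACL from the thread: ACL 101 + access-map NOEIGRP, as posted.
ACL_101 = (ACE("deny", "eigrp", R1, EIGRP_MCAST),
           ACE("deny", "eigrp", R2, EIGRP_MCAST),
           ACE("permit", "eigrp", "any", EIGRP_MCAST))
NOEIGRP = (MapClause(10, ACL_101, "drop"),
           MapClause(20, None, "forward"))

# Assumed stricter variant: drop *all* EIGRP multicast on the VLAN, and rely on
# `neighbor` statements on R1/R2 so their hellos travel as unicast instead.
ACL_ALL_EIGRP_MCAST = (ACE("permit", "eigrp", "any", EIGRP_MCAST),)
NOEIGRP_STRICT = (MapClause(10, ACL_ALL_EIGRP_MCAST, "drop"),
                  MapClause(20, None, "forward"))

# Constructed traffic: multicast hellos from R1, R2 and the new R4, plus the
# unicast hellos R1 and R2 would exchange under the neighbor command.
MULTICAST_HELLOS = (Packet(R1, EIGRP_MCAST, "eigrp"),
                    Packet(R2, EIGRP_MCAST, "eigrp"),
                    Packet(R4, EIGRP_MCAST, "eigrp"))
UNICAST_HELLOS = (Packet(R1, R2, "eigrp"), Packet(R2, R1, "eigrp"))


if __name__ == "__main__":
    print("NOEIGRP: new R4 still sees hellos from",
          seen_by_new_router(NOEIGRP, MULTICAST_HELLOS))
    print("NOEIGRP: R4's own hello is",
          vacl_action(NOEIGRP, MULTICAST_HELLOS[2]))
    print("STRICT : new R4 sees hellos from",
          seen_by_new_router(NOEIGRP_STRICT, MULTICAST_HELLOS))
    print("STRICT : R1->R2 unicast hello is",
          vacl_action(NOEIGRP_STRICT, UNICAST_HELLOS[0]))
```

The model deliberately keeps the ACL-deny-means-no-match rule separate from the map's implicit drop, because that is the distinction the posted VACL trips over: entries 10 and 20 of ACL 101 exempt R1 and R2 from the drop clause rather than dropping their hellos, so only other sources ever reach the drop action.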
