Another simple way to test this: instead of creating the VLAN 12 interface on R4, just shut down fa0/0 on R1, change the IP address to 150.100.12.4 and bring it back up. Your neighbor relationship will be formed with R2 with your access-list, as you have only denied 150.100.12.1 in your access-list. That is why the DSG solution is correct to add the neighbor command; otherwise another router will be able to form a neighbor relationship.
On Wed, Oct 20, 2010 at 8:52 PM, Di Bias, Steve <[email protected]> wrote:
> Hey Winston,
>
> You were thinking outside the box on this one, however I think you would have lost points.
>
> The task specifically states that we need to “Secure VLAN 12 so that any router added in the future will not be able to “see” EIGRP multicast packets “or” form neighbor relationships with existing routers”
>
> The key words here are “see” and “or”, and your configs only satisfy half of this requirement. I just labbed this one up using your configuration and then added R4’s interface to VLAN 12 (150.100.12.4/24). Since you are still allowing 150.100.12.1 and 150.100.12.2 to send multicasts to 224.0.0.10, new routers coming online will be able to see these.
>
> So bringing R4 online and running “debug ip packet” clearly shows that R1 and R2 are sending multicast packets to 224.0.0.10:
>
> *Mar 3 12:17:20.089: IP: s=150.100.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
> *Mar 3 12:17:21.261: IP: s=150.100.12.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
> *Mar 3 12:17:25.069: IP: s=150.100.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
> *Mar 3 12:17:26.029: IP: s=150.100.12.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
>
> So while you may be able to stop neighbors from properly forming with your configs, anyone on VLAN 12 will still be able to see the multicast traffic destined to 224.0.0.10.
>
> HTH
>
> Steve Di Bias
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Winston Lee
> Sent: Wednesday, October 20, 2010 7:05 PM
> To: CCIE
> Subject: [OSL | CCIE_RS] Vol 1 Lab 9 Task 9.19
>
> Hello All,
>
> 9.19 Secure VLAN 12 so that any router added in the future will not be able to see EIGRP multicast packets or form neighbor relationships with existing routers.
>
> The DSG proposes putting a VACL and using the neighbor command between R1 and R2 to accomplish this. I used a different method through a VACL alone and was wondering if the way I did it was valid (would I have got points for this on the lab)?
>
> Cat3550-1#sh ip access-lists 101
> Extended IP access list 101
>     10 deny eigrp host 150.100.12.1 host 224.0.0.10 (68 matches)
>     20 deny eigrp host 150.100.12.2 host 224.0.0.10 (31 matches)
>     30 permit eigrp any host 224.0.0.10
>
> Cat3550-1#sh vlan access-map NOEIGRP
> Vlan access-map "NOEIGRP" 10
>   Match clauses:
>     ip address: 101
>   Action:
>     drop
> Vlan access-map "NOEIGRP" 20
>   Match clauses:
>   Action:
>     forward
>
> Cat3550-1#sh run | i filter
> vlan filter NOEIGRP vlan-list 12
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
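An added example, not code from the thread or from the DSG: a small Python model of how a Catalyst VACL evaluates access-map NOEIGRP against ACL 101 as posted, to show which EIGRP hellos on VLAN 12 are forwarded. Note the VACL rule it encodes: a sequence only matches when its ACL permits the packet, so deny ACEs make R1's and R2's hellos fall through to sequence 20 and get forwarded. The "hardened" access map and the assumption that static `neighbor` statements make R1 and R2 exchange unicast hellos instead are mine, not the thread's.

```python
# Added example: model of Catalyst VACL evaluation over access-map NOEIGRP.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst")

def ace_matches(ace, pkt):
    """ACE = (action, proto, src, dst); "any" is a wildcard."""
    _, proto, src, dst = ace
    return (proto == pkt.proto and src in ("any", pkt.src)
            and dst in ("any", pkt.dst))

def acl_permits(acl, pkt):
    """Classic ACL semantics: first matching ACE decides; implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

def vacl_action(access_map, acls, pkt):
    """VACL semantics: a sequence matches only when its ACL *permits* the
    packet; a deny ACE (or the implicit deny) means 'no match' and evaluation
    falls through to the next sequence. Nothing matched -> implicit drop."""
    for _seq, acl_name, action in access_map:
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return action
    return "drop"

# Winston's posted configuration, transcribed from the thread.
ACLS = {"101": [
    ("deny",   "eigrp", "150.100.12.1", "224.0.0.10"),
    ("deny",   "eigrp", "150.100.12.2", "224.0.0.10"),
    ("permit", "eigrp", "any",          "224.0.0.10"),
]}
NOEIGRP = [(10, "101", "drop"), (20, None, "forward")]   # seq, match ACL, action

# Constructed hardened variant (not from the thread): drop every EIGRP
# multicast on VLAN 12 and rely on static 'neighbor' statements, which make
# R1 and R2 exchange unicast hellos instead.
ACLS["102"] = [("permit", "eigrp", "any", "224.0.0.10")]
NOEIGRP_ALL = [(10, "102", "drop"), (20, None, "forward")]

def evaluate(access_map, sources=("150.100.12.1", "150.100.12.2", "150.100.12.4")):
    """Action taken for an EIGRP hello to 224.0.0.10 from each source."""
    return {s: vacl_action(access_map, ACLS, Packet("eigrp", s, "224.0.0.10"))
            for s in sources}

if __name__ == "__main__":
    print(evaluate(NOEIGRP))      # R1/R2 hellos forwarded: a new router can "see" them
    print(evaluate(NOEIGRP_ALL))  # every multicast hello dropped
```

With NOEIGRP_ALL a unicast hello from R1 to R2 still passes sequence 20, which is why the static neighbor statements are needed alongside the stricter filter.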
