I guess the reason I was adding TCP and UDP was so that in the log
messages I could see what TCP was dropped including the port and what
UDP was dropped including the port.
I didn't think they were redundant. Maybe I'm wrong.
Totally understand the time constraint.
Brandon Carroll
Senior Instructor
Ascolta
606 120th Ave NE
D-201
Bellevue, Wa. 98056
ph.206-850-2384
[EMAIL PROTECTED]
http://www.ascolta.com
http://www.globalconfig.net
http://ccieprep.me
On Sep 9, 2008, at 2:12 PM, Black, Peter wrote:
Brandon,
I believe that when you include 'ip' in an access-list, it includes all
protocols above layer 3 (tcp & udp). Therefore, adding the deny tcp and
deny udp statements are redundant.
You shouldn't get 'dinged' for having extra statements in your
access-list, as long as all task requirements are met.
Having said that, a proctor might question your expert level of
knowledge if you add in those two redundant statements.
Just to satisfy your curiosity, add in a 'deny ip any any log' statement
at the end of an acl, then try to telnet through the PIX/ASA. Make sure
to turn on logging to the console at the debug level.... for example:
logging console debug
access-list infilter permit icmp any any
access-list infilter deny ip any any log
Even though you haven't added a 'deny tcp' statement, you should see the
denial in the firewall's log.
In addition, time in the lab is very limited and you're under quite a
bit of pressure. I learned to avoid any unnecessary configurations.
The 'deny ip any any log' statement is enough for troubleshooting. By
the way... I WOULD definitely make sure to add that statement to every
access-list you do. It saved my bacon during the lab.
Peter Black, CCIE #20896 (Security)
Senior Network Security Engineer
CCSP, CCDP, CCNP, CEH, CHFI, ECSA, LPT, CCSE
Southern Utes Shared Services
970-563-5606
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brandon Carroll
Sent: Tuesday, September 09, 2008 12:38 PM
To: Cisco certification; [email protected]
Cc: [EMAIL PROTECTED]
Subject: [OSL | CCIE_Security] ACLs on the lab
Would the following be ok on the lab?
R5(config)#access-l 101 deny tcp any any range 1 65535 log
R5(config)#access-l 101 deny udp any any range 1 65535 log
R5(config)#access-l 101 deny ip any any log
I like to add it to the end of my ACLs so that I can catch any
protocols that I forget. Assuming the lab doesn't say anything
specific, could I get dinged for having it?
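To check Peter's claim that the extra 'deny tcp' and 'deny udp' entries do not change the policy, here is an added example (not from either poster) that models first-match ACL evaluation in Python and compares the two tails behind a common 'permit icmp any any'. The Ace/Packet types, the sample packets and the destination-port interpretation of 'range 1 65535' are assumptions of this example; it does not model the exact wording of IOS or PIX log messages.

```python
"""Added example: compare Brandon's three-line ACL tail with Peter's single
'deny ip any any log' tail under first-match evaluation (constructed model)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every IP protocol
    ports: Optional[Tuple[int, int]] = None  # inclusive destination-port range

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp", "icmp", "gre", ... (constructed sample)
    dport: int = 0       # 0 for protocols without ports

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, index of the entry that
    matched). None means the implicit deny at the end of every ACL fired."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.ports is not None and not (ace.ports[0] <= pkt.dport <= ace.ports[1]):
            continue
        return ace.action, i
    return "deny", None

# Brandon's tail: deny tcp/udp with 'range 1 65535' then deny ip, all logged.
BRANDON = [Ace("permit", "icmp"), Ace("deny", "tcp", (1, 65535)),
           Ace("deny", "udp", (1, 65535)), Ace("deny", "ip")]
# Peter's tail: just 'deny ip any any log'.
PETER = [Ace("permit", "icmp"), Ace("deny", "ip")]

# Constructed traffic mix, including a port-0 TCP packet that falls outside
# the 'range 1 65535' entries and a port-less protocol (GRE).
SAMPLE = [Packet("tcp", 23), Packet("udp", 53), Packet("icmp"),
          Packet("gre"), Packet("tcp", 0)]

def same_policy(acl_a: List[Ace], acl_b: List[Ace], packets: List[Packet]) -> bool:
    """True when both ACLs reach the same permit/deny verdict for every packet."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in packets)

def matched_entries(acl: List[Ace], packets: List[Packet]) -> List[Optional[int]]:
    """Which entry would generate the log line for each packet."""
    return [evaluate(acl, p)[1] for p in packets]

if __name__ == "__main__":
    print("same verdicts:", same_policy(BRANDON, PETER, SAMPLE))
    print("Brandon logs from entries:", matched_entries(BRANDON, SAMPLE))
    print("Peter logs from entries:  ", matched_entries(PETER, SAMPLE))
```

The verdicts agree for every packet, so the extra entries only change which line logs a drop; note that the port-0 TCP packet slips past the 'range 1 65535' entry and is caught by 'deny ip' in both ACLs.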