network cisco ccna gns3 certification arteq
a network runs through it

Saturday, December 10, 2011

achilles' lists...

i hate ACL's, firewalls, filters and especially windows' stupid firewall... as a network guy i figure it to be my sworn duty to allow access to the wire, to give john Q user the unmitigated freedom of byte exploration... a perfect world... of course it becomes evident that john Q user will eventually get himself or the network in some kind of trouble with this very freedom... so we first open the door, then slam it shut...

the standard ACL is concerned only with the source address... not a lot of flexibility there... however, standard acl's shine when used with NAT for a quick, painless solution to get the private network users released into the wild...

extended and named acl's are another universe, providing more elegant examples of slamming the door on john Q user...

stepping back... why are standard acl's best utilized nearest the destination, and extended acl's best utilized nearest the source, besides the fact that cisco and odom and lammle, et al, have been pounding this into our collective minds for years? processing and WAN overhead, that's why... an extended acl can match on source, destination and protocol, so it can drop the unwanted traffic before it ever crosses the WAN and burns cycles on every router along the way; a standard acl only matches on source, so put it near the source and it cuts that host off from everything, not just the one destination you cared about... stopping hitler at Munich, like Clemenza said... filter that shit where it lives (extended) and block that shit before it gets in (standard)

filtering telnet is easy; just turn it off and use SSH and/or VPN instead...

disallowing ICMP onto your private network is another matter...

r2620_01(config)#ip access-list extended no_outside_pings
r2620_01(config-ext-nacl)#deny icmp any any echo log
r2620_01(config-ext-nacl)#permit ip any any
r2620_01(config-ext-nacl)#exit
r2620_01(config)#int s0/1
r2620_01(config-if)#ip access-group no_outside_pings in
r2620_01(config-if)#

then:

r2620_03#ping 10.0.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.30.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r2620_03#


stardate log 2620_01:

r2620_01#
Dec 10 08:13:56.815: %SEC-6-IPACCESSLOGDP: list no_outside_pings denied icmp 10.0.30.2 -> 10.0.30.1 (8/0), 5 packets
r2620_01#

but do yourself a favor... keep ping alive on the LAN (the acl above is applied inbound on s0/1 only, so pings between hosts on the LAN side never touch it)
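Those %SEC-6-IPACCESSLOGDP lines are the only evidence you get that the acl is doing its job, and the router wraps them at the terminal width, so they are worth parsing rather than eyeballing. The following is an added example (not from the original post) that re-joins wrapped lines, pulls out the acl name, source, destination and ICMP type/code, and totals denied packets per source; the log text is constructed for the example, with the 192.0.2.7 host and the 100-packet threshold being assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the router's log output, including a line the terminal
# wrapped mid-address (as in the post) plus a second, noisier source.
SAMPLE_LOG = """\
Dec 10 08:13:56.815: %SEC-6-IPACCESSLOGDP: list no_outside_pings denied icmp 10.
0.30.2 -> 10.0.30.1 (8/0), 5 packets
Dec 10 08:19:02.100: %SEC-6-IPACCESSLOGDP: list no_outside_pings denied icmp 192.0.2.7 -> 10.0.30.1 (8/0), 200 packets
Dec 10 08:20:11.004: %SYS-5-CONFIG_I: Configured from console by console
"""

# Shape of the IOS message: list <acl> denied <proto> <src> -> <dst> (<type>/<code>), <n> packets
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets"
)
# Every real log record starts with a "Mon dd hh:mm:ss" timestamp; wrapped
# continuation lines do not, which is how we tell them apart.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")

def unwrap(text):
    """Glue terminal-wrapped continuation lines back onto the timestamped record they belong to."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def parse_denials(text):
    """Return one dict per IPACCESSLOGDP record; unrelated syslog lines are skipped."""
    out = []
    for rec in unwrap(text):
        m = LOG_RE.search(rec)
        if m:
            d = m.groupdict()
            for key in ("type", "code", "count"):
                d[key] = int(d[key])
            out.append(d)
    return out

def denied_per_source(text, threshold=100):
    """Sum denied packets per (acl, source) and flag sources at or above threshold."""
    totals = defaultdict(int)
    for d in parse_denials(text):
        totals[(d["acl"], d["src"])] += d["count"]
    flagged = {k: v for k, v in totals.items() if v >= threshold}
    return dict(totals), flagged
```

ICMP type 8 code 0 in the (8/0) field is an echo request, which is exactly the traffic the deny line above matches.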



2 comments:

  1. Hi Brian, Eddie here. Which Cisco exam would you say is relatively easy to study and pass? sfguy2 @ gmail . com

  2. none are easy... they used to call ccna an entry level cert years ago but that has obviously changed... a lot of folks start off with ccent, which is probably the way to go without equipment access... either way it's tough, you've got to study long and hard, and the questions are always tricky, even when you are very comfortable with the material...
