640-811 CLI simulator question 2


miles33 (Technical User, GB), Dec 19, 2004
I took the 640 811 ICND exam the other day and failed because of the simulator question.

The scenario is that of three routers and you are asked to write an ACL (in 3 lines) which will block all ping traffic to one of the routers; so I tried the following:

router>enable
router#config t
router(config)#access-list 101 deny tcp any host 192.168.179.2 eq icmp

The simulator would not accept this and placed the chevron under the IP address, which is the IP address of the serial interface of the router. I tried using the IP address of the Ethernet interface with the same result, and also tried using 0.0.0.0 255.255.255.255 instead of any.

Anybody got any ideas about what i may be doing wrong because this simulator question seems to come up pretty regularly and I want to make sure that I pass next time.

Thanks miles

 
Tried the command on my router and this is what I get:


B(config)#access-list 101 deny tcp any host 172.21.179.2 eq icmp ^
Invalid input detected at '^' marker.


It puts the ^ at icmp

 
The reason why this command fails is that TCP and ICMP are two separate protocols, the way it should look is:

access-list 101 deny icmp any host 192.168.179.2 eq echo
access-list 101 deny icmp any host 192.168.179.2 eq echo-reply
access-list 101 permit icmp any host 192.168.179.2

The first two lines block echo and echo-reply (which ping works on), and the 3rd line allows in the rest of the ICMP traffic to 192.168.179.2.

Bill
 
I think you do not need the eq echo at the end, rather just the echo....Try it on a router to see. Example:

access-list 101 deny icmp any host 192.168.179.2 echo
access-list 101 deny icmp any host 192.168.199.2 echo
access-list 101 permit ip any any

Also, the question is asking to block all ping traffic to the router... if you just apply to the serial interface, ICMP would still be allowed from any host on the Ethernet segment.

I don't think you would need the last line of dogbert2's ACL because you are only denying ping, not the entire ICMP suite. I think a permit ip any any is needed at the end.

Just my 2 cents
 
On second thought.....

access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 101 permit ip any any

I think this is right
 
Third time is the charm...

access-list 101 deny icmp any 192.168.179.2 0.0.0.0 echo
access-list 101 deny icmp any 192.168.199.2 0.0.0.0 echo
access-list 101 permit ip any any
 
I had a similar question get me on my attempt this morning (scored 804 with 849 as passing). However, the sim I had stated the objective was to block ping access to a router from all users EXCEPT those on a directly connected Ethernet interface. There were 6 subnets; 192.168.52.0, 192.168.53.0, 192.168.54.0, 192.168.55.0, and 192.168.57.0. The .57.0 subnet was the allowed LAN, with the Serial interface on the router having an IP of 192.168.55.2. After spending 20 minutes trying to figure out a mask string that would deny all but the .57.0 subnet, I wound up going on to the next question due to time constraints. After the test I went back to my lab setup and figured out that the following is what I should have entered:

access-list 101 permit icmp 192.168.57.0 0.0.0.255 any echo
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
 
miles33 - I had EXACTLY the same problem - Ok I was entering the command wrong but because the '^' pointed at the IP address I thought that the IP address was incorrect.

What was wrong in my case was the 'eq' at the end of the line - even though the '^' pointed at the IP address.

After the exam I tested this command on a physical router and it put the '^' in the correct place i.e. under the 'eq' statement

As far as I can see it is a problem with the simulator, when you enter an incorrect command it just displays a standard worded Invalid input detected at '^' marker error message but does not display the correct position of the '^' - this is actually displayed on the line above on a real router.

It was annoying because I spent over 30 mins on that question.

Also I was told to treat the simulations in the exam as if it was a real router (copy run start etc.) but it is only fair that the sim behaves like a real router.
 
My theory on this is that since there are many different ways to achieve the end result required for the sim, they build the simulator to throw odd errors back at you to point you in the right direction.
 
I've done quite a bit of reading/experimenting on this one, it's tricky since there's several ways to get the desired result, but only one correct answer for the test. I have concluded that the correct answer would be:

access-list 100 deny icmp any host (destination IP)
access-list 100 permit icmp any any
access-list 100 permit ip any any

Then apply it inbound to the serial interface of the router they want to block the ping traffic from. So if it were S0, it would be:
ip access-group 100 in

I'm retaking tomorrow, hopefully I have it right this time. Of course I'll probably get a different sim this time.
 
Lundah,

I too have done a lot of research on this and agree that there may be more than one way to accomplish this.

Please keep us posted on your exam today...

 
Missed it by 1 question, 837 was my score. This was my 5th attempt at the ICND test after passing the INTRO on the first try. I had this sim again (I think ACL is the only sim that shows up on the ICND). This time it was the car dealership scenario, but I think I nailed it. The router they wanted ping traffic blocked from was called Sedan and E0 was 192.168.130.1, S0 was 192.168.131.1. So I set up my ACL as follows (after some trial and error):

access-list 100 deny icmp any 192.168.130.1 0.0.0.0
access-list 100 deny icmp any 192.168.131.1 0.0.0.0
access-list 100 permit ip any any

And I applied it to the inbound side of S0 as follows:
Sedan(config-if)# ip access-group 100 in

Any ideas if I got this right? Kind of scratching my head over why I failed again.
 
Sorry to hear you came so close.

I too had the car dealership question. I did not pass on my first attempt, but will retry tomorrow. (passed intro on first attempt as well)

The sim question I had said, if I recall, "to implement an access list to deny ping detection to the Sedan router, but allow all other traffic to pass thru. The access list should contain no more than three lines."

My only thoughts as to why you may have missed this is
1. you did not specify echo at the end of the access list
2. you only applied to the Serial port. I may have read into the question more than I should, but I feel if you truly want to prohibit ping detection, you must also do so on the ethernet interface. Your access list contains the address for the ethernet interface, but you didn't apply to that interface....

Let me know what you think
 
Well I couldn't specify echo at the end of the ACL lines, when I added "eq echo" at the end of the line I got a popup window saying that command was not supported on this IOS version (I think that's just Cisco's way of pointing you to the correct way to do it).

But you may be right on applying it to both the E0 and S0 interfaces, just checked the corresponding sim on celticrover.com and it said the same thing. The part that confuses me is where they say they want ping traffic blocked "from any other network", which I take to assume that the directly connected LAN on the Sedan router should be allowed; which is why I didn't apply the ACL to the E0 interface.
 
Hmmmm....

Try the command on a real router and you do not have to type EQ echo.....just echo.

example:
access-list 100 deny icmp any 192.168.130.1 0.0.0.0 echo

Also, if you didn't want to prohibit the ping from the E0 network, why did you put it in the access list?

Very tricky wording on this, I can see how it could be taken to allow from the E0 network.
 
I added the E0 IP partly because it's still a pingable interface on the Sedan router (although if the ACL is set up properly on S0 it won't pass anyway), and partly to get my ACL to be exactly 3 lines long.
 
The problem with your access list is that you are blocking ALL the different types of ICMP messages that exist; TTL exceeded, port unreachable, source quench, etc, etc, and ping of course. Now, I'm assuming that the question requires that you only block ping. But, there are two types of ping messages, an echo request, and an echo reply. To block both would mean that the router is prevented from pinging any other hosts, since the echo replies would be blocked on their way back. So, the question may require that you only block the requests. To do that, you would do something like

access-list 100 deny icmp any 192.168.130.1 0.0.0.0 echo
access-list 100 deny icmp any 192.168.131.1 0.0.0.0 echo
access-list 100 permit ip any any

The 'echo' parameter refers to requests, whereas 'echo-reply' is for replies, no doubt.

That's my take on the question. See what other people think.

Better luck next time. :)
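The posts above disagree about three things: which syntax the router accepts (`eq icmp`, `eq echo` or a bare `echo`), whether denying `echo-reply` as well breaks the router's own pings, and whether an ACL applied inbound on S0 alone stops hosts on the E0 LAN. The following is an added example, not code from this thread or from Cisco: a small Python model of extended-ACL parsing and first-match evaluation that checks each of those points against the Sedan scenario (E0 192.168.130.1, S0 192.168.131.1). It assumes contiguous wildcard masks, /24 subnets on both interfaces, numeric TCP/UDP ports only (ports are validated but not matched), and that a packet enters the router on the directly connected interface of its source subnet, or on the WAN interface otherwise.

```python
"""Added example: model of Cisco IOS extended-ACL matching for the ICMP cases
in this thread. Not IOS code. Assumptions: contiguous wildcard masks, numeric
TCP/UDP ports (validated, not matched), and a packet enters the interface of its
directly connected source subnet, or the WAN interface if no subnet matches."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ICMP types accepted after the destination in an extended ACL (subset).
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
FULL_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int]        # None matches every ICMP type


def _addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if len(tokens) < 2:
        raise ValueError(f"{tokens[0]!r} needs a host address or wildcard mask")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # Wildcard bits set to 1 are "don't care", so the netmask is the inverse.
    mask = ipaddress.IPv4Address(FULL_MASK ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.IPv4Network((tokens[0], str(mask)), strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [qualifier]' or raise ValueError."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError(f"expected 'access-list <100-199> ...', got {t[:1]!r}")
    if not (t[1].isdigit() and 100 <= int(t[1]) <= 199):
        raise ValueError(f"extended ACL numbers are 100-199, got {t[1]!r}")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny, got {action!r}")
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    icmp_type = None
    if rest:
        if proto == "icmp":
            if rest[0] == "eq":
                raise ValueError("'eq' is a TCP/UDP port keyword; ICMP takes a bare type")
            if rest[0] not in ICMP_TYPES:
                raise ValueError(f"unknown ICMP type {rest[0]!r}")
            icmp_type = ICMP_TYPES[rest[0]]
        elif proto in ("tcp", "udp") and rest[0] == "eq":
            if len(rest) < 2 or not rest[1].isdigit():
                raise ValueError(f"'eq' needs a port number, got {rest[1:2]!r}")
        else:
            raise ValueError(f"unexpected token {rest[0]!r}")
    return Ace(action, proto, src, dst, icmp_type)


def is_valid_ace(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny"


def ping_reaches(interfaces, wan_if: str, src: str, dst: str) -> bool:
    """Does an echo request from src reach router address dst?
    interfaces: {name: (connected IPv4Network, inbound ACL or None)}."""
    pkt = Packet("icmp", src, dst, ICMP_TYPES["echo"])
    ingress = wan_if
    for name, (net, _) in interfaces.items():
        if ipaddress.IPv4Address(src) in net:
            ingress = name
    acl = interfaces[ingress][1]
    return acl is None or evaluate(acl, pkt) == "permit"


# Sedan from the thread, with Lundah's ACL plus the 'echo' qualifier (subnets assumed /24).
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 deny icmp any 192.168.130.1 0.0.0.0 echo",
    "access-list 100 deny icmp any 192.168.131.1 0.0.0.0 echo",
    "access-list 100 permit ip any any",
)]
# Bill's ACL with the invalid 'eq' dropped: denies replies too.
ACL_101_BOTH_WAYS = [parse_ace(l) for l in (
    "access-list 101 deny icmp any host 192.168.179.2 echo",
    "access-list 101 deny icmp any host 192.168.179.2 echo-reply",
    "access-list 101 permit icmp any host 192.168.179.2",
)]
E0 = ipaddress.IPv4Network("192.168.130.0/24")
S0 = ipaddress.IPv4Network("192.168.131.0/24")


def sedan_s0_only():
    return {"e0": (E0, None), "s0": (S0, ACL_100)}


def sedan_both():
    return {"e0": (E0, ACL_100), "s0": (S0, ACL_100)}
```

Running the checks shows the behaviour the thread circles around: the `tcp ... eq icmp` and `eq echo` lines are rejected while the bare `echo` form parses; with ACL 100 inbound on S0 only, a remote host cannot ping either Sedan address but a host on the E0 LAN still can; applying it to both interfaces closes that hole; and because only `echo` is denied, the reply to a ping Sedan itself sends is still permitted, which Bill's echo-reply line would block.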
 
I'd have to agree with Greenice...now if I can just figure out if they want to deny the LAN interface ping I would be fine.

 
This all sounds very similar to an ACL sim I got when I took my ICND last summer. Only that in my case the task was to deny TELNET.
Check thread 473-809468 :)
 