640 811 cli simulator question 2

Status
Not open for further replies.

miles33

Technical User
Dec 19, 2004
I took the 640 811 ICND exam the other day and failed because of the simulator question.

The scenario is that of three routers and you are asked to write an ACL (in 3 lines) which will block all ping traffic to one of the routers; so I tried the following:

router>enable
router#config t
router(config)#access-list 101 deny tcp any host 192.168.179.2 eq icmp

the simulator would not accept this and placed the chevron under the IP address, which is the IP address of the serial interface of the router. I tried using the IP address of the ethernet interface with the same result, and also tried using 0.0.0.0 255.255.255.255 instead of any.

Anybody got any ideas about what I may be doing wrong? This simulator question seems to come up pretty regularly and I want to make sure that I pass next time.

Thanks miles

 
Hauchinago,

If the intent of the question is to protect the router from unsolicited pings, then ignoring the LAN interface would fall short of a complete answer. So I'm guessing that you would need to. Plus, from what I can gather, the question appears to ask for 3 lines - to remove that line would leave you with only 2.

I'll be sitting the combined CCNA next week some time. I might be granted the opportunity to test my answer to this question. :)

Cheers.
 
Good luck next week. I am testing today, so will keep you posted on the results.
 
Greenice,
I've seen two different versions of this sim. First one is the car dealer scenario we have been talking about, which states the objective is to deny detection of the router using ping from "any other network". The other is a music company (router names are Jazz, Classical, and Pop), and the instructions mention something about denying ping to cut down on router load. So for the music scenario, I would agree that you would place the ACL at both the S0 and E0 interface, but I'm not so sure about the car dealer scenario.
 
Lundah,

Well, with the car dealership scenario, if you do not block pings from the e0 interface then a host from an outside network can ping that interface and detect the router. Just because that interface doesn't face the outside world, doesn't mean that it can't be pinged from the outside world.

I tested this scenario in my home lab and discovered that when I ping the router interfaces, the router would return an ICMP network unreachable message. The pings weren't timing out as I expected. To prevent the router from sending the unreachable, I had to issue a 'no ip unreachable' command on the incoming interface. Now it's working as expected - the pings are timing out and the router is effectively invisible. For the exam, I expect that placing the ACL is sufficient - I doubt they would require you to prevent the unreachables.

Cheers.
 
I suggest you look not at blocking the echo but at blocking the echo-reply. If you block the echo-reply, the pings fail.

Router(config)#access-list 101 deny icmp any host 192.168.130.1 echo-reply
Router(config)#access-list 101 deny icmp any host 192.168.131.1 echo-reply
Router(config)#access-list 101 permit ip any any
Router(config)#int s0
Router(config-if)#ip access-group 101 out
Router(config-if)#end
Router#copy running-config startup-config
 
Cluebird,

That approach wouldn't work in this scenario, because packets that originate from a router are not filtered by an outgoing ACL. The ping responses in this case would originate from the router, so I don't think that would work.

Cheers.
 
I'm going to be retaking again in the next week or so (attempt #6 at the ICND, last time I scored 837). So if anyone has a definitive answer to this one, it would be greatly appreciated. I know how to make it do what the question asks, but I'm not sure it's the correct answer for the test.
 
I've done quite a bit of research on this one. I know from experience that the sim doesn't let you use the "echo" tag at the end of the line. So the only feasible answer to this is to deny the whole ICMP protocol stack from any host to the interface IP address, and apply it inbound on the interface closest to the source (in this case, S1). I've seen 4-5 references that agree with this.

So I botched it up on my last attempt by also applying it on the E0 interface. I'm re-taking on Thursday (attempt #6 at the ICND), wish me luck.
 
You have to remember that you must ALLOW the network it is asking you to allow before you deny the other networks.

Computer/Network Technician
CCNA
 
Well at least for now it's a moot point for me, I passed with a 906 this morning, and my sim question was a basic troubleshooting problem (missing "network" statements in a RIP environment).
 
Well I just know that for most people going for their CCNA, ACLs are the hardest part..

at the end of every access-list is an implicit deny all statement, and they work in order of rules.. so without a permit statement BEFORE the deny statement, you aren't allowing the icmp protocol to the network.

Computer/Network Technician
CCNA
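An added example, not from any poster in this thread: a small Python model of how an IOS extended access list is evaluated (top-down, first match wins, implicit deny at the end). It compares the ACL the thread converges on (deny ICMP to the router interface, then permit ip any any) with a deny-only list, to show why the permit line matters. The interface address is the one from the original post; the sample packets are constructed.

```python
# Added example: models IOS extended ACL evaluation order and the implicit deny.
# Not the simulator's code and not from any poster in the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "tcp" or "udp"
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any protocol, like the IOS keyword
    src: str     # "any", a host address, or a CIDR prefix
    dst: str

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and _covers(self.src, pkt.src)
                and _covers(self.dst, pkt.dst))


def _covers(spec: str, addr: str) -> bool:
    """'any' matches everything; a bare address behaves like 'host <addr>'."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"   # implicit "deny any" at the end of every IOS access list


ROUTER_S0 = "192.168.179.2"   # serial interface address from the original post

# The ACL the thread settles on: block all ICMP to the interface, permit the rest.
ACL_101 = [Ace("deny", "icmp", "any", ROUTER_S0), Ace("permit", "ip", "any", "any")]
# The same deny line on its own: the implicit deny then drops all other traffic too.
ACL_DENY_ONLY = ACL_101[:1]

ping_router = Packet("icmp", "10.0.0.5", ROUTER_S0)        # constructed sample traffic
tcp_to_lan = Packet("tcp", "10.0.0.5", "192.168.180.10")

if __name__ == "__main__":
    for name, acl in (("101", ACL_101), ("deny-only", ACL_DENY_ONLY)):
        print(name, "ping->router:", evaluate(acl, ping_router),
              "| tcp->LAN host:", evaluate(acl, tcp_to_lan))
```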
 
That much I was comfortable with. What threw me the first couple of times was getting the deny statements right to block only echo packets. After I got that down I put it on the wrong interface.
 
Understandable.. I was never very comfortable with ACLs until I began using the PIX devices.. where ACLs are the main function of the device.

Computer/Network Technician
CCNA
 
The toughest information for me to absorb was the routing protocols. My background is mostly TDM and voice, with some LAN switching thrown in. Any IP routing I ever worked with was always someone else's problem; I just had to get the packets to the router.
 