Without reading the lab specifics I can tell you what I would do: If a task asked me to config NTP (or some other protocol) between devices and later asked me to add an ACL where it could break things I would make sure I built the ACL to allow the protocol. If the grading script is looking for an NTP association and doesn't see it you don't get the points for NTP.
On Mon, Jul 4, 2011 at 10:19 AM, Alef <[email protected]> wrote:
> It only states that bgp, eigrp, ospf and ripv2 are pre-configured on the
> routers.
> in any case, my KISS acl should do the trick as well?
> but i guess you're correct, it is a security lab
>
> PS is it me or is the ip they are using for Cat3 in 34.4 legacy traffic
> control wrong?
>
> they use 9.9.156.13 but cat3 does not have an interface in the subnet?
> should it not be 9.2.13.13 ?
>
> in addition, why is the statement
> 190 permit tcp any 10.0.255.0 0.0.0.255 established
>
> used after evaluate REF-ACL?
>
> i know it has to do with reflective acl's but why this network?
>
> On Jul 4, 2011, at 2:21 PM, Jay Taylor wrote:
>
> Somewhere in that lab I remember it stating a requirement that BGP and NTP
> must be functional throughout the topology. Why would you want simple acls
> in a security lab? ;)
>
>
> On Mon, Jul 4, 2011 at 7:59 AM, Alef <[email protected]> wrote:
>
>> Hi Guys,
>> In this task, why is so much effort put into writing such an acl?
>>
>> is it not easier to just do
>>
>> deny IN-FILTER WEB-MAINT
>> deny IN-FILTER WEB-MAINT
>> permit ip any any
>>
>> ? It does not state anywhere that it is not allowed to pass any other
>> traffic. But in this example great effort is made to permit ntp and bgp
>> peerings, it seems a hassle to me ?
>>
>> The other thing is, why is
>>
>> ip access-list extended WEB_SERVER
>> deny tcp host 9.9.156.2 host 10.10.45.4 <-- done ?
>>
>> In my video it says that this is because we do not want the ACS server to
>> be checked by tcp intercept, and this is the translated address, but that's
>> not true? In the previous task we translated the ACS server to 9.2.1.100, as
>> per the book task. 9.9.156.2 is the interface address of R2, namely
>> gi0/1.1256
>>
>> rgds,
>> Alef
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
> --
>
> Jay Taylor
> CCIE #28391
> @JTIE_6EE7
>

--
Jay Taylor
CCIE #28391
@JTIE_6EE7
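As an added illustration of the approach Jay describes (this is not the lab's ACL or anything posted in the thread): an inbound interface ACL that explicitly permits the pre-configured NTP and BGP sessions before its filtering rules, so a restrictive ACL does not silently break the associations the grading script checks. The ACL name, interface and all addresses are constructed placeholders.

```cisco
! Constructed example: restrictive inbound ACL that keeps control-plane
! protocols working. Replace the placeholder addresses with the lab's own.
ip access-list extended IN-FILTER-EXAMPLE
 remark -- NTP with the time source (UDP/123 in both directions; IOS
 remark -- sources client queries from port 123 as well)
 permit udp host 192.0.2.10 eq ntp any eq ntp
 remark -- BGP with the neighbour: either side may have opened TCP/179
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
 remark -- the task's actual filtering follows the protocol permits
 deny   tcp any host 198.51.100.4 eq www
 deny   ip any any log
!
interface GigabitEthernet0/1
 ip access-group IN-FILTER-EXAMPLE in
!
! Verification a grader (or you) would run afterwards:
!   show ntp associations      -> peer marked with * (synced) / + (candidate)
!   show ip bgp summary        -> neighbour in Established state (prefix count)
!   show ip access-lists IN-FILTER-EXAMPLE -> match counters on the permits
```

If the NTP or BGP counters stay at zero while the final deny's counter climbs, the permits are placed or addressed wrongly; with `deny ip any any log` the dropped packets also appear in the log buffer.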
