Extended ACL question 2.
satishtech
Member Posts: 243
in CCNA & CCENT
Router(config-ext-nacl)#deny icmp host 192.168.10.1 host 192.168.20.2 ?
<0-256> type-num
echo Echo (ping)
echo-reply Echo reply
host-unreachable Host unreachable
net-unreachable Net unreachable
port-unreachable Port unreachable
protocol-unreachable Protocol unreachable
ttl-exceeded TTL exceeded
unreachable All unreachables
<cr>
So many options. I understand I would only use echo. When would I use the others?
protocol-unreachable?
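Each keyword in that prompt is just a name for an ICMP type/code pair, which is what decides which one you would reach for. As an added example (not from the thread), the Python below maps the IOS keywords to their type/code values and walks a few constructed ICMP packets through a small, constructed ACL the way the router does: top-down, first match wins, implicit deny at the end.

```python
# Added example: IOS ICMP keywords as ICMP type/code pairs, plus a minimal
# top-down ACL evaluator. The ACL and the packets below are constructed.
from dataclasses import dataclass
from typing import Optional

# Keyword -> (type, code). code None means "any code" (IOS 'unreachable'
# matches every type-3 message; the more specific keywords pick one code).
ICMP_KEYWORDS = {
    "echo": (8, 0),
    "echo-reply": (0, 0),
    "net-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "protocol-unreachable": (3, 2),
    "port-unreachable": (3, 3),
    "unreachable": (3, None),
    "ttl-exceeded": (11, 0),
}

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    src: str              # host address or "any"
    dst: str              # host address or "any"
    icmp: Optional[str]   # keyword from ICMP_KEYWORDS, or None for any ICMP

@dataclass
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int = 0

def ace_matches(ace: Ace, pkt: IcmpPacket) -> bool:
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.icmp is None:
        return True
    t, c = ICMP_KEYWORDS[ace.icmp]
    return pkt.icmp_type == t and (c is None or pkt.icmp_code == c)

def evaluate(acl: list, pkt: IcmpPacket) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny (implicit)"

# Constructed ACL: stop pings from .10.1 to .20.2, but keep the error
# messages that traceroute and path troubleshooting rely on.
ACL = [
    Ace("deny", "192.168.10.1", "192.168.20.2", "echo"),
    Ace("permit", "any", "any", "ttl-exceeded"),
    Ace("permit", "any", "any", "unreachable"),
]
```

Run a ping (type 8) and an echo-reply (type 0) through ACL to see that denying echo alone still leaves the reply blocked by the implicit deny, while a port-unreachable (type 3, code 3) is permitted by the broader unreachable keyword.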
Comments
_Gonzalo_ Member Posts: 113
First of all, echo and echo reply are kind of a pack. When you ping, you send an echo and receive an echo reply if the echo sent gets to the host. So you'd better consider both for successful pings.
All the others are other sort of messages. For instance, host unreachable is a different reply to ping, when the host could not be reached and therefore no echo reply sent. If you deny host-unreachable, you will not get those kind of replies, only lost pings by timeouts.
Those options could be divided in unreachable (whatever the reason) and ttl expired.
Why would you want to block/permit a specific one? I can't think of a reason, beyond not wanting to have that extra information available...
satishtech Member Posts: 243
Should I remember all of the options for CCENT...?
Maybe the reason the options are there is to filter/block/control access to a host, thwart hackers or pen testers?
So many options give fine granular control. I think this would be for the security experts.
TechGuru80 Member Posts: 1,539
I do not remember the CCENT covering more than the basic options of configuring an ACL.
_Gonzalo_ Member Posts: 113
satishtech wrote: »Should I remember all of the options for CCENT...?
It is good that you know how this works, especially echo and echo reply... But that's it.
I never took CCENT myself... But I can tell you that I never needed that knowledge for CCNA or CCNP, so you'll be OK, I believe.