Extended ACL question 2.

satishtech Member Posts: 243
Router(config-ext-nacl)#deny icmp host 192.168.10.1 host 192.168.20.2 ?
<0-256> type-num
echo Echo (ping)
echo-reply Echo reply
host-unreachable Host unreachable
net-unreachable Net unreachable
port-unreachable Port unreachable
protocol-unreachable Protocol unreachable
ttl-exceeded TTL exceeded
unreachable All unreachables
<cr>


So many options. I understand I would only use echo. When would I use the others?
protocol-unreachable?

Comments

  • _Gonzalo_ Member Posts: 113
    First of all, echo and echo reply are kind of a pack. When you ping, you send an echo and receive an echo reply if the echo sent gets to the host. So you'd better consider both for successful pings.

    All the others are other sorts of messages. For instance, host unreachable is a different reply to ping, when the host could not be reached and therefore no echo reply is sent. If you deny host-unreachable, you will not get those kinds of replies, only lost pings by timeouts.

    Those options could be divided in unreachable (whatever the reason) and ttl expired.

    Why would you want to block/permit a specific one? I can't think of a reason, beyond not wanting to have that extra information available...
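As an added illustration (not part of the thread or of IOS), the keywords in the question are names for ICMP type/code pairs. This small Python model of a first-match ACL shows that `unreachable` covers every type-3 code while `host-unreachable` matches only code 1, and why permitting unreachables lets a denied ping fail fast instead of timing out. The rule list and hosts are constructed for the example.

```python
# Added example, not IOS code: maps the IOS ICMP keywords from the question to
# ICMP type/code pairs and evaluates packets against a first-match rule list.
ICMP_KEYWORDS = {
    "echo": (8, None),              # echo request
    "echo-reply": (0, None),
    "net-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "protocol-unreachable": (3, 2),
    "port-unreachable": (3, 3),
    "unreachable": (3, None),       # every code of type 3
    "ttl-exceeded": (11, 0),        # time exceeded in transit
}


def keyword_matches(keyword, icmp_type, icmp_code):
    """True if an ICMP type/code matches an IOS keyword, a bare type number, or None (any ICMP)."""
    if keyword is None:
        return True
    if keyword.isdigit():  # the <0-256> type-num form from the CLI help
        return icmp_type == int(keyword)
    want_type, want_code = ICMP_KEYWORDS[keyword]
    return icmp_type == want_type and (want_code is None or icmp_code == want_code)


def evaluate(acl, packet):
    """acl: list of (action, src, dst, keyword). First match wins; implicit deny at the end."""
    for action, src, dst, keyword in acl:
        if (src in ("any", packet["src"]) and dst in ("any", packet["dst"])
                and keyword_matches(keyword, packet["type"], packet["code"])):
            return action
    return "deny"


# Constructed ACL using the thread's hosts: allow ping one way, keep all unreachables
# so a blocked ping fails fast rather than timing out, drop other ICMP between the pair.
ACL = [
    ("permit", "192.168.10.1", "192.168.20.2", "echo"),
    ("permit", "192.168.20.2", "192.168.10.1", "echo-reply"),
    ("permit", "any", "any", "unreachable"),
    ("deny", "192.168.10.1", "192.168.20.2", None),
]
```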
  • satishtech Member Posts: 243
    Should I remember all of the options for CCENT...?

    Maybe the reason the options are there is to filter/block/control access
    to a host, to thwart hackers or pen testers?
    So many options give fine granular control. I think this would be
    for the security experts.
  • TechGuru80 Member Posts: 1,539
    I do not remember the CCENT covering more than the basic options of configuring an ACL.
  • _Gonzalo_ Member Posts: 113
    satishtech wrote: »
    Should I remember all of the options for CCENT...?

    It is good that you know how this works, especially echo and echo reply... But that's it.

    I never took CCENT myself... But I can tell you that I never needed that knowledge for CCNA or CCNP, so you'll be OK, I believe :)