-
H2+ Variation in Section 4.1
I just got a message from my friend. He took the exam last week and got H2+. He told me that in section 4.1, Cisco asked the following:
Configure the network as per the following requirements:
Protect R17's control-plane from TTL expiry attacks so that match IP packets with a TTL of 0 or 1 are dropped before the CPU processes them.
Legit packets include expected control protocols running on the link.
Not allowed to configure deny statement.
Any idea about this situation? Please share.
-
Re: H2+ Variation in Section 4.1
Quote:
Originally Posted by
Nobita
I just got a message from my friend. He took the exam last week and got H2+. He told me that in section 4.1, Cisco asked the following:
Configure the network as per the following requirements:
• Protect R17’s control-plane from TTL expiry attacks so that match IP packets with a TTL of 0 or 1 are dropped before the CPU processes them.
• Legit packets include expected control protocols running on the link.
• Not allowed to configure “deny” statement.
Any idea about this situation? Please share.
That is my solution for this variation
**Hidden Content: Thanks to see the content**
-
Re: H2+ Variation in Section 4.1
Quote:
Originally Posted by
Robin
That is my solution for this variation
***Hidden content cannot be quoted.***
Thanks. Any ideas if Cisco asks: Not allowed to configure “permit” statement?
-
Re: H2+ Variation in Section 4.1
Quote:
Originally Posted by
Nobita
Thanks. Any ideas if Cisco asks: Not allowed to configure “permit” statement?
Some guys just mentioned this statement, but in my view, I don't think there is a solution for this statement. Does anyone have an idea about this case?
-
Re: H2+ Variation in Section 4.1
Quote:
Originally Posted by
Robin
That is my solution for this variation
***Hidden content cannot be quoted.***
Thanks for solution.
-
Re: H2+ Variation in Section 4.1
Looks correct; thanks for the info.
-
Re: H2+ Variation in Section 4.1
Thanks !
On H2, in the Merging section: do we need to go for the LOCAL-AS option towards the RR - R1? So do we need to delete and create the BGP with a new process ID (like we do in H2+)?
-
Re: H2+ Variation in Section 4.1
You need to add the following in TTL1:
permit udp any any
Otherwise any traceroute from the spokes (R19,20,21) to the rest of the network will show the following in the traceroute output:
1. * * *
-
Re: H2+ Variation in Section 4.1
If the output asks you to have (65001 65001), then use as-override in the PE routers.
If the output asks you to have (65001 65002), then use allowas-in in the CE routers.
-
Re: H2+ Variation in Section 4.1
Quote:
Originally Posted by
Robin
That is my solution for this variation
***Hidden content cannot be quoted.***
"Thanks!"
-
Re: H2+ Variation in Section 4.1
I think it is more accurate to add the port range:
ip access-list extended PASS-TTL
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit pim any any
 permit esp any any
 permit gre any any
 permit udp any any eq 500
 permit udp any any eq 4500
 remark for traceroute
 permit udp any any range 33434 33534
!
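Added example, not part of any post in this thread and not the hidden solution: one way the PASS-TTL list above can sit in a control-plane policy that drops TTL 0/1 packets using only permit entries. The names TTL-EXPIRY, CM-PASS-TTL, CM-TTL-EXPIRY and COPP-TTL, and the class order, are assumptions.

```cisco
! PASS-TTL: control protocols expected on the link (entries taken from the post above)
ip access-list extended PASS-TTL
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit pim any any
 permit esp any any
 permit gre any any
 permit udp any any eq 500
 permit udp any any eq 4500
 permit udp any any range 33434 33534
!
! TTL-EXPIRY (assumed name): any IP packet arriving with a TTL of 0 or 1
ip access-list extended TTL-EXPIRY
 permit ip any any ttl lt 2
!
class-map match-all CM-PASS-TTL
 match access-group name PASS-TTL
class-map match-all CM-TTL-EXPIRY
 match access-group name TTL-EXPIRY
!
! Classes are evaluated top-down and the first match wins.
policy-map COPP-TTL
 ! Expected protocols match here first; no action is set, so they are not dropped
 class CM-PASS-TTL
 ! Everything else with TTL 0 or 1 is dropped instead of being punted to the CPU
 class CM-TTL-EXPIRY
  drop
!
control-plane
 service-policy input COPP-TTL
```

The per-class counters in `show policy-map control-plane` show which class the TTL 0/1 traffic is actually hitting.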
-
Re: H2+ Variation in Section 4.1
Looks correct; thanks for the info.
-
Re: H2+ Variation in Section 4.1
Thank you for sharing m8.
-
Re: H2+ Variation in Section 4.1
Quote:
Originally Posted by
Robin
That is my solution for this variation
***Hidden content cannot be quoted.***
kindly or grateful thoughts : GRATITUDE
-
Re: H2+ Variation in Section 4.1
I think it is more accurate to add the port range:
ip access-list extended PASS-TTL
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit pim any any
 permit esp any any
 permit gre any any
 permit udp any any eq 500
 permit udp any any eq 4500
 remark for traceroute
 permit udp any any range 33434 33534
-
Re: H2+ Variation in Section 4.1
Thanks! That's a lot of help