
Thread: H2+ Variation in Section 4.1


  1. #1

    H2+ Variation in Section 4.1

    I just got a message from my friend. He took the exam last week and got H2+. He told me that in section 4.1, Cisco asked the following:

    Configure the network as per the following requirements:
    • Protect R17’s control-plane from TTL expiry attacks so that IP packets with a TTL of 0 or 1 are dropped before the CPU processes them.
    • Legit packets include expected control protocols running on the link.
    • Not allowed to configure “deny” statement.

    Any idea about this situation? Please share.


  3. #2

    Re: H2+ Variation in Section 4.1

    Originally Posted by Nobita:
    I just got a message from my friend. He took the exam last week and got H2+. He told me that in section 4.1, Cisco asked the following:

    Configure the network as per the following requirements:
    • Protect R17’s control-plane from TTL expiry attacks so that IP packets with a TTL of 0 or 1 are dropped before the CPU processes them.
    • Legit packets include expected control protocols running on the link.
    • Not allowed to configure “deny” statement.

    Any idea about this situation? Please share.
    That is my solution for this variation

    **Hidden Content: Thanks to see the content**


  5. #3

    Re: H2+ Variation in Section 4.1

    Originally Posted by Robin:
    That is my solution for this variation

    ***Hidden content cannot be quoted.***
    Thanks, any ideas if Cisco asks: Not allowed to configure “permit” statement?


  7. #4

    Re: H2+ Variation in Section 4.1

    Originally Posted by Nobita:
    Thanks, any ideas if Cisco asks: Not allowed to configure “permit” statement?
    Some guys just mentioned this statement, but from my view, I don't think there is a solution for this statement. Does anyone have an idea about this case?


  9. #5

    Re: H2+ Variation in Section 4.1

    Thanks for sharing

  10. #6

    Re: H2+ Variation in Section 4.1

    Originally Posted by Robin:
    That is my solution for this variation

    ***Hidden content cannot be quoted.***
    Thanks for the solution.


  12. #7

    Re: H2+ Variation in Section 4.1

    thanks for sharing

  13. #8

    Re: H2+ Variation in Section 4.1

    You need to add the following in TTL1:

    permit udp any any

    Otherwise, any traceroute from the spokes (R19, 20, 21) to the rest of the network will show the following in the traceroute output:

    1. * * *

  14. #9

    Re: H2+ Variation in Section 4.1

    I think it is more accurate to add the port range:
    ip access-list extended PASS-TTL
     permit ospf any any
     permit tcp any any eq bgp
     permit tcp any eq bgp any
     permit pim any any
     permit esp any any
     permit gre any any
     permit udp any any eq 500
     permit udp any any eq 4500
     ! for traceroute
     permit udp any any range 33434 33534
    !
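
The difference between the suggestions in posts #8 and #9, as an added example that is not from any poster in the thread: a small first-match model of the pass list, assuming a packet that matches it is exempt from the TTL 0/1 drop. The sample packets are constructed, and the parser handles only the `any`, `eq` and `range` forms that appear in the thread.

```python
# Added example: first-match model of the pass list discussed in posts #8 and #9.
# Assumption: a packet matching the list is exempt from the TTL 0/1 drop.
PORTS = {"bgp": 179}  # named port used in the thread

POST9 = """\
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
permit pim any any
permit esp any any
permit gre any any
permit udp any any eq 500
permit udp any any eq 4500
permit udp any any range 33434 33534
"""
# Post #8 variant: all UDP instead of the traceroute port range.
POST8 = POST9.replace("permit udp any any range 33434 33534", "permit udp any any")

# Constructed TTL=1 sample packets: (protocol, source port, destination port).
SAMPLES = {
    "UDP traceroute probe": ("udp", 40000, 33434),
    "BGP session": ("tcp", 51000, 179),
    "UDP to port 53": ("udp", 40000, 53),
    "ICMP echo": ("icmp", 0, 0),
}

def _port_spec(tok):
    """Consume an optional 'eq N' or 'range LO HI'; return (range, remaining tokens)."""
    if tok and tok[0] == "eq":
        p = PORTS.get(tok[1]) or int(tok[1])
        return (p, p), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return (0, 65535), tok

def parse_entry(line):
    tok = line.split()                   # permit <proto> any [ports] any [ports]
    sport, rest = _port_spec(tok[3:])    # optional source-port operator
    dport, _ = _port_spec(rest[1:])      # skip destination 'any', then its ports
    return tok[1], sport, dport

def exempt(acl, pkt):
    """True if the packet matches any permit entry of the pass list."""
    proto, sport, dport = pkt
    return any(p == proto and s[0] <= sport <= s[1] and d[0] <= dport <= d[1]
               for p, s, d in map(parse_entry, acl.splitlines()))

def compare():
    """Map each sample to (exempt under post #8 list, exempt under post #9 list)."""
    return {n: (exempt(POST8, p), exempt(POST9, p)) for n, p in SAMPLES.items()}
```

Both lists let the traceroute probe through, but only the post #8 variant also exempts unrelated low-TTL UDP such as the port 53 sample.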

  15. #10

    Re: H2+ Variation in Section 4.1

    thanks for sharing

