Log from #cisco at freenode 2006-07-21
[00:00]<msxjv>well, I should say, typically.. actually have had a few jobs where they were pretty short and sweet and to the point
[00:00]<msxjv>and others where the desktop support lady droned on about installing new virus definitions and printing problems
[00:00]<bsdrgdjg>http://rafb.net/paste/results/YIBbuQ52.html
[00:01]<msxjv>public IPs perhaps of the DHCP servers and private in the ACL?
[00:02]<msxjv>I don't know
[00:02]<gndyvx>I am going to talk about MPLS core, QoS, or RTBH
[00:02]<gndyvx>woo
[00:02]<gndyvx>just confuse my team, they'll think i am busy
[00:02]<bsdrgdjg>but why are the nameserver ips given to me used as dhcp ips in the acl?
[00:02]<msxjv>RTBH, not clicking
[00:02]<gndyvx>more time for IRC
[00:02]<gndyvx>remote triggered black holing
[00:03]<msxjv>oh, is that customer-driven blackholing?
[00:03]<gndyvx>yes it is like that
[00:03]<gndyvx>customer driven uses routes with communities
[00:03]<gndyvx>i'll just use static routes with tags
[00:03]<gndyvx>but on the end they do the same thing
[00:03]<gndyvx>and this will be for an IT network
[00:04]<dzzc1livn>hey
[00:04]<dzzc1livn>nemith,
[00:04]<dzzc1livn>sup
[00:04]<msxjv>BSDaemon: maybe it's been wrong all along or something, who knows
[00:05]<bsdrgdjg>well if it was wrong, i would think nobody's dns or dhcp would work
[00:05]<gndyvx>hey Dark3LIte
[00:08]<bsdrgdjg>k. dns queries are udp, are responses udp as well?
[00:10]<gndyvx>they are not always udp
[00:10]<gndyvx>do you listen to be?
[00:10]<gndyvx>er me
[00:11]<gndyvx>anyway, yes
[00:11]<bsdrgdjg>well the acls here are all udp
[00:11]<bsdrgdjg>so im using udp
[00:11]<bsdrgdjg>eq bootps and eq domain for the replies?
[00:12]<bsdrgdjg>http://rafb.net/paste/results/GwWPWD34.html look right? i want all traffic blocked, but dns and dhcp to work.
[00:12]<gndyvx>not necessarily
[00:13]<gndyvx>BSDaemon: you do have acls in both directions
[00:13]<bsdrgdjg>i do on mine yes
[00:13]<gndyvx>source port != dest port
[00:13]<bsdrgdjg>k
[00:14]<bsdrgdjg>so drop the eq part
[00:14]<gndyvx>why do you need both directions/
[00:14]<bsdrgdjg>how else will the replies get through?
[00:15]<gndyvx>well usually one has a trusted side and a untrusted side
[00:15]<gndyvx>you acl from the untrusted network into the trusted network
[00:15]<gndyvx>and allow everything going the opposite way
[00:16]<bsdrgdjg>i dont want any traffic in or out of this vlan, other than dns and dhcp. nothing.
[00:16]<bsdrgdjg>http://rafb.net/paste/results/Yc79Bm32.html
[00:16]<bsdrgdjg>look right?
[00:16]<gndyvx>why?
[00:17]<bsdrgdjg>because thats what i want.
[00:17]<fjzvxnz-wjzc>nemith: i would generally agree with you. i dislike egress filtering for more than simple traffic -- say, denying the latest IIS exploit access back out on the intarwebs on port 5233 or whatever.
[00:17]<bsdrgdjg>this is a subnet that nothing should get in or out.
[00:17]<bsdrgdjg>of
[00:17]<gndyvx>yeah, i do do ingress filtering, but just block what i want and allow the rest
[00:18]<bsdrgdjg>i am
[00:18]<gndyvx>BSDaemon: you have it backwards
[00:18]<gndyvx>oh never mind
[00:18]<bsdrgdjg>how
[00:18]<gndyvx>i guess that will work
[00:18]<bsdrgdjg>k good
[00:18]<bsdrgdjg>i have no idea what that is
[00:19]<bsdrgdjg>so im doing it the way everything else is done
[00:19]<gndyvx>and if you are asking for acl help, i don't even want to explain it
[00:19]<bsdrgdjg>sounds good
[00:19]<gndyvx>VRF is a virtual routing table
[00:19]<bsdrgdjg>its not really acls i need help with, its that i dont know dns or dhcp and how they affect access lists.
[00:20]<pzt00>what is AToM?
[00:20]<gndyvx>whatever, too late to save yourself
[00:20]<gndyvx>fr500: any transport over MPLS
[00:20]<bsdrgdjg>save myself from what?
[00:20]<gndyvx>BSDaemon: the embarrassment of not knowing acls
[00:20]<bsdrgdjg>oh thats okay, i already know i know acls
[00:20]<bsdrgdjg>so thats not an issue.
[00:21]<bsdrgdjg>this is the first time ive ever had to use dhcp or dns in an acl though
[00:22]<bsdrgdjg>I wonder why i get connection refused to switches from my computer, but not my other computer.... odd.
[00:23]<bsdrgdjg>meh, ill just hop from one to the other :P
[00:23]<pzt00>BSDaemon: ACLs are the same regardless of the protocol
[00:24]<pzt00>BSDaemon: you could have an acl on the VTYs denying traffic from one ip or subnet or something
[00:25]<pzt00>nemith: with any transport, does that mean a transport layer protocol?
[00:25]<bsdrgdjg>fr500: yes they are. I'm quite aware.
[00:26]<gndyvx>fr500: no it means ethernet, atm, frame, etc can be transported over a mpls backbone
[00:27]<gndyvx>so layer 2
[00:27]<pzt00>ok
[00:27]<gndyvx>you can see the power of this
[00:28]<gndyvx>I can now have an IP backbone running over many kinds of media, and provide ATM or frame to my existing customers
[00:28]<pzt00>O O
[00:28]<gndyvx>instead of having a separate frame cloud and a separate atm cloud
[00:28]<gndyvx>PPP and HDLC are also two available
[00:29]<msxjv>I won't lie, I know ACLs quite well and have been fucked by CBAC a lot
[00:29]<bsdrgdjg>i know how to write an acl, i just haven't had to much before.
[00:30]<gndyvx>fucked by cbac?
[00:30]<gndyvx>cbac has saved my life
[00:30]<bsdrgdjg>and i dont know dns and dhcp very well, so i dont know what was required to allow queries and responses
[00:30]<msxjv>yeah, things that should work and just don't
[00:30]<msxjv>bugs
[00:30]<gndyvx>indeed
[00:30]<msxjv>yeah, CBAC is great, just the bugs.. oh the bugs when you hit them they murder you ;(
[00:30]<gndyvx>cbac is a little too nazi sometimes, we had an app that was sending a PSH flag and CBAC didn't like that
[00:30]<msxjv>haha
[00:30]<pzt00>BSDaemon: i would do an ACL that permits only dns and dhcp traffic, then filter all the rest of tcp or udp traffic, and then permit ip traffic, all that in the internal side
[00:30]<gndyvx>it was the apps fault