Wednesday, September 22, 2010

An excellent site for explanations of commands used on a lot of different gear: networkstuff.eu

Thursday, September 16, 2010

Applying a nonexistent access list to an interface in IOS

An interesting issue came up at work that puzzled me. I know from experience that if you configure an access list in IOS and there is no entry in it, it acts as a permit any, and once there is an ACE in the access list, the deny-by-default function begins. However, what if an access list that doesn't exist is applied to an interface? Does it deny or accept?

Wendell Odom indicated in one article that it might deny all traffic:

"Implicit deny at the end of every access-list. Check first if you have it applied somewhere (interface, NAT, protocol, ...), else you can block all traffic when you point to non-existent access list"

But that wasn't good enough for me. I had to know for sure. Fortunately I was on a 6500 and had the luxury of polling the TCAM. Here is the scenario:

A dummy interface is configured and given a valid ingress access list and a nonexistent egress access list.

interface GigabitEthernet1/1
description dummy interface
ip address 10.10.10.9 255.255.255.248
ip access-group traffic_IN in
ip access-group traffic_OUT out


Let's see what happens.

Router#show tcam int gi1/1 acl out ip

* Global Defaults shared


Entries from Bank 0

permit ip any any (128 matches)

Entries from Bank 1


The TCAM is showing it is permitting all traffic - just like it would for an empty access list. I am not saying Odom is incorrect. This is just the behavior on a 6500 running 12.2SX* code. Since 6500s handle access lists in the TCAM, it might accept whereas a software-based router (e.g. a 7200) might deny. It is nice that the 6500 has a means to show us this without really messing with the access list config and possibly contaminating the scene. In addition, a quick search will show you that, depending on what you do with an access list, all sorts of different things can happen - in line with Odom's statement regarding NAT, protocols, etc.
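Since the 6500 fails open here, the practical defense is to catch access-group references that have no matching definition before they reach an interface. The following Python is an added example, not from the original post, that audits a saved IOS config for exactly that; the config text is a constructed sample built around the dummy interface above, with traffic_IN defined and traffic_OUT deliberately left undefined.

```python
import re
from typing import List, Tuple

# Constructed sample: the dummy interface from the post plus a definition
# for traffic_IN only; traffic_OUT is applied but never defined.
SAMPLE_CONFIG = """\
ip access-list extended traffic_IN
 permit tcp any host 10.10.10.9 eq 22
 deny ip any any log
!
access-list 10 permit 10.10.10.0 0.0.0.7
!
interface GigabitEthernet1/1
 description dummy interface
 ip address 10.10.10.9 255.255.255.248
 ip access-group traffic_IN in
 ip access-group traffic_OUT out
!
interface GigabitEthernet1/2
 ip access-group 10 in
"""

# Named ACL header, classic numbered ACE, interface header, access-group line.
ACL_DEF = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+)\s)")
INTF = re.compile(r"^interface (\S+)")
GROUP = re.compile(r"^\s+ip access-group (\S+) (in|out)\b")

def dangling_acls(config: str) -> List[Tuple[str, str, str]]:
    """(interface, acl, direction) for every ip access-group whose ACL is never
    defined; on the 6500 in the post these fail open (permit ip any any)."""
    defined, refs, current = set(), [], None
    for line in config.splitlines():
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
            continue
        m = INTF.match(line)
        if m:
            current = m.group(1)        # entering an interface stanza
            continue
        if line.startswith("!"):
            current = None              # stanza terminator
        m = GROUP.match(line)
        if m and current:
            refs.append((current, m.group(1), m.group(2)))
    # Only decide after reading everything: a definition may follow its use.
    return [r for r in refs if r[1] not in defined]

if __name__ == "__main__":
    for intf, acl, direction in dangling_acls(SAMPLE_CONFIG):
        print(f"{intf}: access-group {acl} {direction} is undefined -> permits all")
```

Feed it `show running-config` output instead of the sample to audit a real box.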

Tuesday, September 14, 2010

Windows 2008 free antivirus

I noticed that the PC Tools antivirus I have installed on my home Windows 2008 server was not updating. It appears I had 6.x installed and the most current version was 8.x so...my guess is they just stopped putting out definition updates. Not a problem, but after uninstalling PC Tools AV 6.x and trying to install 8.x I ran into an error that killed the installation. This brought about a rehash of the 'how do I get free AV for my test server' question. Keep in mind, it is a TEST server. I am not an enterprise trying to get around paying huge fees for a product that is almost never used. Of course, I ran into page after page after page of:

1) People saying to use PC Tools but the posts were from 2008 and referred to 6.x.
2) People saying to use another product that doesn't work on Server 2008 and probably never did.
3) People ignoring the OP and mentioning using an obviously paid product (e.g. McAfee, Norton).
4) Parking sites.

Then, I started testing (it is a test server, after all). After trying a few products, I found that Comodo AntiVirus works on W2k8. I even ran a full system scan and found only two items - UltraVNC (which is supposed to be there) and another similar remote control application installer.

Friday, September 3, 2010

Collecting crash data on Juniper routers

Collect crash data on Juniper routers. Some interesting commands are listed there, and I suspect the document only scratches the surface of what you can do.