Very Computer

This is ambiguous, since each does not refer to the other, and either
behaviour (if I do both, does ICMP Host Unreachable get sent?) fits
the documentation.

To further complicate things, there is NO WAY (really really weird)
to delete an access-list entry or re-order them.  So I need to do it
right the first time, with not even a testing opportunity (so therefore
asking in advance is essential).  The documentation even says there
is no way (although I have not read it all yet, clearly if there turns
out to be a hidden way, that's a contradiction).

Fortunately, I don't need to do really sophisticated IP packet filtering
at the 2501 since the inside subnet goes on through another filter router
before reaching our network, and this subnet between them is considered
to be our DMZ part of the firewall.  But this does knock out any chance
of replacing that 2nd router (a Livingston IRX that has reached its limit)
with a 2514 unless the documentation turns out to be wrong (I can hope,
and this is not without reason since I've seen many products in the
computer and network field with grossly incorrect documentation).

The UniverCD I have is "Vol. 1, No. 2 Rev. BO".  The one cool thing about
is it that I could install it under a web server and read it elsewhere.
--
Phil Howard KA9WGN      +-------------------------------------------------+
Unix/Internet/Sys Admin |    When freedom is outlawed....                 |
CLR/Fast-Tax            |            ....only outlaws will be free!       |

Quote:> To further complicate things, there is NO WAY (really really weird)
> to delete an access-list entry or re-order them.  So I need to do it
> right the first time, with not even a testing opportunity (so therefore
> asking in advance is essential).  The documentation even says there
> is no way (although I have not read it all yet, clearly if there turns
> out to be a hidden way, that's a contradiction).

NO ACCESS-LIST 101

followed by all your

ACCESS-LIST 101 ...

lines.

Just keep editing them, and from the router suck in the new version
using CONFIG NET each time. That initial NO... kills the current
one and the following lines puts the new version in place.

Very fast and very simple.

Quote:> In the UniverCD, "no ip unreachables" says it will not send the ICMP
> Host Unreachable if there is no route found for the address.  But the
> access-list indicates it would be sent if the packet is denied.

> This is ambiguous, since each does not refer to the other, and either
> behaviour (if I do both, does ICMP Host Unreachable get sent?) fits
> the documentation.

"This command affects all kinds of ICMP unreachable messages."

Quote:

> To further complicate things, there is NO WAY (really really weird)
> to delete an access-list entry or re-order them.  So I need to do it
> right the first time, with not even a testing opportunity (so therefore
> asking in advance is essential).  The documentation even says there
> is no way (although I have not read it all yet, clearly if there turns
> out to be a hidden way, that's a contradiction).

!
! Temporarily remove access lists from appropriate interfaces
! to prevent the implicit deny from cutting us off from the tftp
! server while loading the new list.
!
int <xxx>
no ip access-group <aaa> [in/out]
int <yyy>
no ip access-group <aaa> [in/out]
!
! Delete old list and load new one
!
no access-list <aaa>
access-list <aaa>  ...
access-list <aaa>  ... (etc.)
!
! Reestablish access-lists
!
int <xxx>
ip access-group <aaa> [in/out]
int <yyy>
ip access-group <aaa> [in/out]
end

Quote:

> Fortunately, I don't need to do really sophisticated IP packet filtering
> at the 2501 since the inside subnet goes on through another filter router
> before reaching our network, and this subnet between them is considered
> to be our DMZ part of the firewall.  But this does knock out any chance
> of replacing that 2nd router (a Livingston IRX that has reached its limit)
> with a 2514 unless the documentation turns out to be wrong (I can hope,
> and this is not without reason since I've seen many products in the
> computer and network field with grossly incorrect documentation).

> The UniverCD I have is "Vol. 1, No. 2 Rev. BO".  The one cool thing about
> is it that I could install it under a web server and read it elsewhere.

Greg

Obviously, unreachables generated by having no route are not the same.

Maybe cisco people can shed light on whether or not the no unreachables
option also works for type 13 administratively denied packets.

/cah

----

Communications Engineer                 Fax:   (408) 428-8513
Electronic Data Systems / Pyramid Technology Corporation
Mail Stop SJ1-1-107, 3860 North First Street, San Jose, CA 95134

   Maybe cisco people can shed light on whether or not the no unreachables
   option also works for type 13 administratively denied packets.

Yes, access list violations will not generate administrative unreachables
if you disable unreachables on that interface.

Tony