6.4 Control Plane Protection

Couple questions

1. The SG shows to change the "logging buffered and logging console" to informational. Would it not also be correct to leave the default, which is debugging?

2. Also, isn't the logging on and no logging monitor a bit of overkill?

3. I was unable to generate the denial logs according to the SG, see my results below:

Rack26R6#traceroute 150.26.1.1 ttl 1 10

Type escape sequence to abort.
Tracing the route to 150.26.1.1

  1 183.26.46.4 [MPLS: Label 20 Exp 0] 92 msec 92 msec 96 msec
  2 183.26.0.5 [MPLS: Label 20 Exp 0] 84 msec 64 msec 60 msec
  3 183.26.105.10 36 msec 32 msec 36 msec
  4 183.26.107.7 36 msec 36 msec 32 msec
  5 183.26.17.1 40 msec *  32 msec

Comments

  • Hi,

       1. By default, console and monitor are enabled at debugging level, while buffer and syslog are disabled. You are being asked to log ACL hits to console and buffer. This means you need to enable at least informational logging at console and buffer. You might need clarifications if you need to be restrictive, so set it to informational, or you can be relaxed and put it to debugging. But remember, that per default buffer logging is disabled.

       2. Logging is on by default anyway, and you need to disable monitor logging as the task requires it; pay attention, it is not specifically asked, you have to deduce it.

       3. It is a small error in the verification part which has been fixed with the upcoming Vol2 updates. Basically you need to do a traceroute towards a destination that is IP switched, not MPLS switched; all loopbacks, because of the MPLS task, will be MPLS switched and not match on your ACL :) Try any other destination which is not MPLS switched, like for example "traceroute 183.x.123.2 ttl 1 10", and you should see hits on your ACL and logs.

    All the best and good luck with your studies,

  • Cristian,

    In item 2 you state that you have to "deduce it". I don't understand how you would go about deducing this. I don't understand why "disable monitor logging" is needed still.

  • Hi PinGorilla,

       You can log to console, VTY lines, buffer and syslog servers. As the task requires that ACL hit logs are presented to console and router memory buffer, you need to either disable VTY logging or configure it to a level lower than 6, informational, such that ACL logs are not presented to VTY lines.

    All the best and good luck with your studies,

  • Hello,

    Are we supposed to deduce that because it does not specifically state to log to VTY that we must disable it?

    Thanks

  • This task does not say anything about logging monitor, so I think it does not matter whether we disable it or not. What do you guys think on this?

  • Hi,

    This task does not say anything about logging monitor, which is on by default. The task is just concerned about buffered and syslog. So you don't need to disable monitor logging, just leave it as is.

    HTH

    Good luck!

  • This task does not say anything about logging monitor, which is on by default. The task is just concerned about buffered and syslog. So you don't need to disable monitor logging, just leave it as is.

    This is also my understanding, but then why did the SG disable logging monitor, and why does Cristian in this post emphasize disabling it?

  • Did we ever receive clarification on the logging monitor question?

  • Did we ever receive clarification on the logging monitor question?

    Doesn't look that way, although, to be honest, whilst the task states nothing about it, it doesn't break any requirements. May just be worth doing.

    Marc

  • Thanks for this great explanation!
