Thursday, February 26, 2009

IE Vol 2 Section 4

4.1 Complete, no issues
4.2 Complete, this one took me a bit. After searching the docs and ?, there didn't seem to be another way to filter neighbors. Then it dawned on me that we're using port 646. So an access list preventing TCP port 646 from anywhere but the desired neighbor would take care of this.

The solutions guide went a little further and blocked UDP 646 and forced the transport MPLS address as well. I don't see why UDP 646 needs to be blocked. Even if hellos get through, the session would never be brought up unless TCP 646 was reachable. I guess it may be a little cleaner that way, but shouldn't be necessary.

4.3 Complete, no issues
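
An IOS access list of the kind described for 4.2, added here as an illustration; it is not the post author's configuration or the solutions guide's. The address 10.0.0.2, the ACL name LDP-PEER-FILTER and the interface FastEthernet0/0 are constructed placeholders, and the UDP 646 filter from the solutions guide is left out.

```cisco
! Constructed values: 10.0.0.2 stands for the address the permitted
! neighbor sources its LDP TCP session from (its LDP transport address).
! LDP-PEER-FILTER and FastEthernet0/0 are hypothetical names.
ip access-list extended LDP-PEER-FILTER
 remark Permitted neighbor is the active side: it connects to our port 646
 permit tcp host 10.0.0.2 any eq 646
 remark We are the active side: its replies arrive with source port 646
 permit tcp host 10.0.0.2 eq 646 any
 remark Refuse LDP session traffic from every other source, both roles
 deny   tcp any any eq 646
 deny   tcp any eq 646 any
 remark Everything else, including UDP 646 hellos, passes unchanged
 permit ip any any
!
interface FastEthernet0/0
 ! Applied inbound on the interface facing the LDP neighbors
 ip access-group LDP-PEER-FILTER in
```

Both port directions are matched because either router can be the one that opens the TCP connection. `show mpls ldp neighbor` should then list only the permitted peer, and the match counters on the deny entries in `show ip access-lists LDP-PEER-FILTER` count refused session attempts.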
