GroupStudy.com - A virtual community of network engineers
RE: Reflexive ACL - Clarification Needed - ?? posted 09/04/2004


That's interesting that you had to make that change.

Docs are at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm#wp1000873

ICMP uses particular type entries in the temporary ACL created, so things
should be cool.

According to documentation, the icmp echo and echo-reply pairing SHOULD work
through reflexive ACLs.  That's been my experience in the past as well.  I'd
be interested in knowing what IOS version you were running to see whether
this is an intentional shift in functionality or some technical boo-boo
along the way of feature addition!  :)

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIP, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@xxxxxxxxxx/smorris@xxxxxxxxxxxx
http://www.ipexpert.net
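As an added example (not code from this thread, from Cisco, or from the book), the Python below models the reflect/evaluate pair behind the "inbound" and "outbound" ACLs shown further down the thread: an outbound packet hitting a "reflect" line records a mirrored temporary entry, and an inbound packet is checked against the static lines first and then against those entries. The 5-tuple layout, the ICMP request-to-reply type pairing, the 300 s timeout and the addresses are assumptions constructed for this example.

```python
# Simplified model of IOS reflexive ACL behaviour (added example, not code from
# the thread or from Cisco). Packet = (proto, src, sport, dst, dport); for ICMP
# both "ports" carry the ICMP type, and the request->reply type pairing is an
# assumption about how the temporary entry matches return traffic.
ICMP_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}   # echo, timestamp, info, mask

def reverse(pkt):
    """Entry a 'reflect' line records: addresses/ports swapped, so only the
    reply to this exact flow can match it later."""
    proto, src, sport, dst, dport = pkt
    if proto == "icmp":
        reply = ICMP_REPLY.get(sport, sport)
        return (proto, dst, reply, src, reply)
    return (proto, dst, dport, src, sport)

class ReflectList:                           # the temporary list (REFLECT)
    def __init__(self, timeout=300):         # assumed reflexive timeout (s)
        self.timeout, self.entries = timeout, {}
    def reflect(self, pkt, now):             # outbound packet hit 'reflect'
        self.entries[reverse(pkt)] = now + self.timeout
    def evaluate(self, pkt, now):            # inbound 'evaluate' line
        expiry = self.entries.get(pkt)
        if expiry is not None and now <= expiry:
            return True
        self.entries.pop(pkt, None)          # absent or timed out
        return False

def inbound_permits(pkt, reflect_list, now):
    """The thread's 'inbound' ACL without its added 'permit icmp any any';
    returns the sequence number of the first matching line."""
    proto, src, sport, dst, dport = pkt
    if proto == "tcp" and dport == 179: return 10   # permit tcp any any eq bgp
    if proto == "tcp" and sport == 179: return 20   # permit tcp any eq bgp any
    if reflect_list.evaluate(pkt, now):  return 40   # evaluate REFLECT
    return 50                                        # deny ip any any

def demo():
    r, out = ReflectList(), {}
    # BGP from the peer is caught by a static line, never by the reflexive entry
    out["bgp_static"] = inbound_permits(("tcp", "172.16.0.3", 11002, "172.16.0.2", 179), r, 0)
    # Outbound RIP creates "udp host 224.0.0.9 eq rip host 10.10.1.1 eq rip"
    r.reflect(("udp", "10.10.1.1", 520, "224.0.0.9", 520), now=0)
    out["rip_reply"] = inbound_permits(("udp", "224.0.0.9", 520, "10.10.1.1", 520), r, 1)
    # Outbound echo (type 8) should let the echo-reply (type 0) in via line 40
    r.reflect(("icmp", "10.2.2.2", 8, "10.3.3.3", 8), now=10)
    out["echo_reply"] = inbound_permits(("icmp", "10.3.3.3", 0, "10.2.2.2", 0), r, 11)
    # Unsolicited inbound UDP has no mirrored entry: final deny
    out["unsolicited"] = inbound_permits(("udp", "10.3.3.3", 53, "10.2.2.2", 5000), r, 11)
    # Same echo-reply after the 300 s timeout: entry purged, denied
    out["stale_reply"] = inbound_permits(("icmp", "10.3.3.3", 0, "10.2.2.2", 0), r, 400)
    return out
```

The model reproduces the documented expectation described above (echo-reply admitted through evaluate), not the behaviour reported further down the thread, where "permit icmp any any" had to be added to the inbound list before pings worked.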
 


-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Cisco Nuts
Sent: Saturday, September 04, 2004 1:56 PM
To: matijevi@xxxxxxxxxxxxx
Cc: ccielab@xxxxxxxxxxxxxx; cisco@xxxxxxxxxxxxxx
Subject: RE: Reflexive ACL - Clarification Needed - ??

Hello John,

Thank you for your clarification:

Yes, it does work... Actually, interestingly, BOTH the solutions work except
for a minor adjustment that is needed in BOTH for pings to work!!

In my solution, I had to permit icmp any any on the inbound acl....

And in the solution proposed by the authors, I had to permit icmp any any
reflect TCP_Traffic on the inbound acl.........

Ok!! Have I had enough of this stuff or what???

Bewildered !!

:-(

R2#sh access-lists
Reflexive IP access list REFLECT
     permit tcp host 172.16.0.2 eq bgp host 172.16.0.3 eq 11002 (time left 77)
     permit udp host 224.0.0.9 eq rip host 10.10.1.1 eq rip (time left 66)
Extended IP access list inbound
    10 permit tcp any any eq bgp (12 matches)
    20 permit tcp any eq bgp any
    30 permit icmp any any (30 matches)
    40 evaluate REFLECT
    50 deny ip any any (12 matches)
Extended IP access list outbound
    10 permit tcp any any reflect REFLECT
    20 permit icmp any any reflect REFLECT
    30 permit udp any any reflect REFLECT
R2#
R2#sh ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.2.2.0/24      0.0.0.0                  0         32768 i
*> 10.3.3.0/24      172.16.0.3               0             0 300 i
*> 10.10.3.0/24     172.16.0.3               0             0 300 i

R2#ping 10.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms

>From: "john matijevic" <matijevi@xxxxxxxxxxxxx>
>Reply-To: "john matijevic" <matijevi@xxxxxxxxxxxxx>
>To: "'Cisco Nuts'" <cisconuts@xxxxxxxxxxx>, <ccielab@xxxxxxxxxxxxxx>
>CC: <cisco@xxxxxxxxxxxxxx>
>Subject: RE: Reflexive ACL - Clarification Needed - ??
>Date: Sat, 4 Sep 2004 12:55:12 -0400
>
>Hello,
>I was able to implement the answer with success.
>Did you actually try to test the answer from the book? If it does work
>for you, what part of the answer don't you understand? If it doesn't
>work for you, please explain how the answer doesn't work for you.
>
>Sincerely,
>
>John Matijevic, CCIE #13254, MCSE, CNE, CCEA
>CEO
>IgorTek Inc.
>151 Crandon Blvd. #402
>Key Biscayne, FL 33149
>Hablo Espanol
>305-321-6232
>http://home.bellsouth.net/p/PWP-CCIE
>
>
>-----Original Message-----
>From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
>Cisco Nuts
>Sent: Saturday, September 04, 2004 12:10 PM
>To: ccielab@xxxxxxxxxxxxxx
>Cc: cisco@xxxxxxxxxxxxxx
>Subject: Reflexive ACL - Clarification Needed - ??
>
>Hello, Can someone help clarify this question on Reflexive ACL's?
>
>Task: Configure a reflexive access list on R6 and apply it to the R6-a3/0
>internal interface allowing BGP and any other interesting traffic. (R6
>connects to BB3 via atm3/0 and is required to run BGP with BB3)
>
>My solution:
>#ip access-list ext inbound
>#permit tcp any any eq bgp
>#permit tcp any eq bgp any
>#evaluate REFLECT
>#deny ip any any
>#ip access-list ext outbound
>#permit tcp any any reflect REFLECT
>#permit icmp any any reflect REFLECT
>#permit udp any any reflect REFLECT......(this could be added too)
>#int atm3/0
>#ip access-group inbound in
>#ip access-group outbound out
>#end
>
>Solution Proposed in the book:
>#ip access-list ext in_filters
>#permit tcp any any reflect TCP_Traffic
>#ip access-list ext out_filters
>#permit tcp any any eq bgp
>#permit pim any any
>#permit icmp any any
>#deny ip any any
>#evaluate TCP_Traffic
>#int atm3/0
>#ip access-group in_filters in
>#ip access-group out_filters out
>#end
>
>Having done a lot of reflexive acl labs and thought that I might have a
>good grasp at this topic, I feel lost now!! What would be a correct
>solution to this question? This question is from the Cisco Press CCIE
>Routing and Switching Practice Labs Book, Pg.332 - Lab5. Please help.
>Thank you kindly.
>
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
