RE: reflexive access-list

From: Bezverkhi, Serguei (Serguei.Bezverkhi@xxxxxx)
Date: Wed Aug 07 2002 - 17:10:37 GMT-3


Reflexive access list does not evaluate traffic generated by the router
where it is defined. So it does not create a temp hole for returning
traffic; that is why, when you try to ping, it will always fail unless you
change your access-list to permit ICMP echo and echo-reply for the local
router.

HTH

Serguei.

-----Original Message-----
From: ying c [mailto:bf5tgh1@yahoo.com]
Sent: August 7, 2002 3:40 PM
To: ccielab@groupstudy.com
Subject: reflexive access-list

Hi,

Can someone tell me why the following reflexive
access-list would not work? I'm not even bothering
to block anything any more; the IOS is 12.1-15:

R1-172.16.10.1-------172.16.10.2--R2

interface Serial0.1 multipoint
 ip address 172.16.10.1 255.255.255.0
 ip access-group allin in <---- IN
 ip access-group allout out <----- OUT
 ip ospf priority 255
 ipx network 12
 frame-relay map ip 172.16.10.1 102 broadcast
 frame-relay map ip 172.16.10.2 102 broadcast
 frame-relay map ip 172.16.10.3 103 broadcast
 frame-relay map ipx 12.0001.0001.0001 102 broadcast
 frame-relay map ipx 12.0002.0002.0002 102 broadcast
...
ip access-list extended allin
 evaluate allpackets <---- evaluate everything
ip access-list extended allout
 permit tcp any any reflect allpackets <--- tcp
 permit udp any any reflect allpackets <--- udp
 permit icmp any any reflect allpackets <--- icmp

=======================
run result:

r1#ping 172.16.10.2 <--- Always fails

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#ct <---- remove reflexive access-list
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#int s0.1
r1(config-subif)#no ip access
r1(config-subif)#no ip access-group allin in
r1(config-subif)#no ip access-group allout out
r1(config-subif)#^Z
r1#pin
07:30:09: %SYS-5-CONFIG_I: Configured from console by console
r1#ping 172.16.10.2 <--- Ok if no reflexive access-list

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms
r1#

Thanks,
Chang
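An added example configuration, not from Serguei or Chang, showing the change Serguei describes applied to Chang's lists: the outbound reflect entries stay as posted, and allin gets explicit ICMP echo and echo-reply entries for R1's own address (172.16.10.1, taken from the diagram above) ahead of the evaluate statement, because the router's own pings never pass through allout and so never create a reflexive entry.

```cisco
! Outbound list exactly as Chang posted it. Transit sessions leaving via
! Serial0.1 create temporary reflexive entries that 'evaluate' later matches.
ip access-list extended allout
 permit tcp any any reflect allpackets
 permit udp any any reflect allpackets
 permit icmp any any reflect allpackets
!
! Corrected inbound list. Packets the router itself originates are not
! checked by the outbound list, so a ping from R1 leaves no reflexive entry
! and its echo-reply is dropped by the implicit deny after 'evaluate'.
! Permit those ICMP types for the router's own address explicitly.
! (172.16.10.1 is R1's Serial0.1 address from the diagram; adjust for your lab.)
ip access-list extended allin
 permit icmp any host 172.16.10.1 echo-reply
 permit icmp any host 172.16.10.1 echo
 evaluate allpackets
!
interface Serial0.1 multipoint
 ip access-group allin in
 ip access-group allout out
```

After pinging R2 again, show ip access-lists allin should report matches on the echo-reply entry; the same reasoning applies to any other session the router initiates itself (telnet from R1, for instance), which needs its own explicit permit in allin rather than a reflexive entry.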



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:19 GMT-3