Re: reflexive access-list

From: ying c (bf5tgh1@xxxxxxxxx)
Date: Wed Aug 07 2002 - 22:30:44 GMT-3


Hi all,

Below is the output:

Before ping:

Extended IP access list allin
    evaluate allpackets
    permit ospf any any (1039 matches)
    permit udp any any eq rip
Extended IP access list allout
    permit tcp any any reflect allpackets
    permit udp any any reflect allpackets
    permit icmp any any reflect allpackets
    permit ospf any any
    permit udp any any eq rip
Reflexive IP access list allpackets
r1#
----------------------------------------------------
After call from r1:

r1#ping 172.16.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Extended IP access list allin
    evaluate allpackets
    permit ospf any any (1052 matches)
    permit udp any any eq rip
Extended IP access list allout
    permit tcp any any reflect allpackets
    permit udp any any reflect allpackets
    permit icmp any any reflect allpackets
    permit ospf any any
    permit udp any any eq rip
Reflexive IP access list allpackets
r1#
------------------------------------------------------
After call from a router that connects to r1:

rsm#ping 172.16.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/75/80 ms
rsm#
Extended IP access list allin
    evaluate allpackets
    permit ospf any any (1056 matches)
    permit udp any any eq rip
Extended IP access list allout
    permit tcp any any reflect allpackets
    permit udp any any reflect allpackets
    permit icmp any any reflect allpackets
    permit ospf any any
    permit udp any any eq rip
Reflexive IP access list allpackets
    permit icmp host 172.16.10.2 host 172.16.32.12 (11 matches) (time left -743096) <<<----
r1#
----------------------------------------------------------------

--- Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> Brian,
> this is ok... but I used to believe that in this case, as the
> evaluate is the only statement in the allin ACL, then allin
> would be empty and allow all traffic through.
>
> This used to be a common gotcha on reflexive (and
> CBAC) ACLs.
> Has this changed ?
>
> Chang, what would be the output of a show access-lists ?
>
>
>
> Brian Dennis wrote:
> >
> > Traffic generated by R1 isn't going to be evaluated out and in turn
> > won't be let back in. Try testing it from behind R1.
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ying c
> > Sent: Wednesday, August 07, 2002 12:40 PM
> > To: ccielab@groupstudy.com
> > Subject: reflexive access-list
> >
> > Hi,
> >
> > Can someone tell me why the following reflexive
> > access-list would not work? I'm not even bothering
> > blocking anything any more, the IOS is 12.1-15:
> >
> > R1-172.16.10.1-------172.16.10.2--R2
> >
> > interface Serial0.1 multipoint
> > ip address 172.16.10.1 255.255.255.0
> > ip access-group allin in <---- IN
> > ip access-group allout out <----- OUT
> > ip ospf priority 255
> > ipx network 12
> > frame-relay map ip 172.16.10.1 102 broadcast
> > frame-relay map ip 172.16.10.2 102 broadcast
> > frame-relay map ip 172.16.10.3 103 broadcast
> > frame-relay map ipx 12.0001.0001.0001 102 broadcast
> > frame-relay map ipx 12.0002.0002.0002 102 broadcast
> > ...
> > ip access-list extended allin
> > evaluate allpackets <---- evaluate everything
> > ip access-list extended allout
> > permit tcp any any reflect allpackets <--- tcp
> > permit udp any any reflect allpackets <--- udp
> > permit icmp any any reflect allpackets <--- icmp
> >
> > =======================
> > run result:
> >
> > r1#ping 172.16.10.2 <--- Always fails
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
> > .....
> > Success rate is 0 percent (0/5)
> > r1#ct <---- remove reflexive access-list
> > Enter configuration commands, one per line. End with CNTL/Z.
> > r1(config)#int s0.1
> > r1(config-subif)#no ip access
> > r1(config-subif)#no ip access-group allin in
> > r1(config-subif)#no ip access-group allout out
> > r1(config-subif)#^Z
> > r1#pin
> > 07:30:09: %SYS-5-CONFIG_I: Configured from console by console
> > r1#ping 172.16.10.2 <--- Ok if no reflexive access-list
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms
> > r1#
> >
> > Thanks,
> > Chang
> >

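As an added illustration (not part of the thread, and not IOS code): a small Python model of the reflect/evaluate behaviour the replies describe, where the outbound `reflect` entries create mirrored temporary entries, the inbound `evaluate` matches against them, and router-originated packets never pass through the outbound ACL, so no entry is created for them. It uses the addresses from the outputs above and is a simplification (no ports, no timers, protocol names only).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    local: bool = False   # True when the router itself generated the packet


@dataclass
class ReflexiveAcl:
    """Model of 'permit <proto> any any reflect allpackets' (outbound) plus
    'evaluate allpackets' (inbound), as in the thread's allout/allin lists."""
    reflect_protos: tuple = ("tcp", "udp", "icmp")
    static_permits: tuple = ("ospf",)      # static permits present in both ACLs
    entries: set = field(default_factory=set)   # mirrored (proto, src, dst) entries

    def outbound(self, pkt: Packet) -> bool:
        # IOS does not run packets the router itself originates through the
        # interface's outbound ACL, so no reflexive entry is created for them
        # (Brian Dennis's point: R1's own ping leaves nothing for evaluate to match).
        if pkt.local:
            return True
        if pkt.proto in self.reflect_protos:
            self.entries.add((pkt.proto, pkt.dst, pkt.src))   # src/dst swapped
            return True
        return pkt.proto in self.static_permits

    def inbound(self, pkt: Packet) -> bool:
        # 'evaluate' consults the reflexive list; anything left unmatched by it
        # and by the static permits falls to the ACL's implicit deny.
        if (pkt.proto, pkt.src, pkt.dst) in self.entries:
            return True
        return pkt.proto in self.static_permits

    def show(self) -> list:
        """Render the reflexive list roughly as 'show access-lists' does."""
        return [f"permit {p} host {s} host {d}" for p, s, d in sorted(self.entries)]


def ping_through(acl: ReflexiveAcl, src: str, dst: str, local: bool) -> bool:
    """One echo request out of the interface and its echo reply back in;
    returns True if the reply is admitted by the inbound ACL."""
    acl.outbound(Packet("icmp", src, dst, local=local))
    return acl.inbound(Packet("icmp", dst, src))
```

Running `ping_through` for r1's own address gives False with an empty reflexive list, while a ping sourced from 172.16.32.12 behind r1 gives True and leaves the `permit icmp host 172.16.10.2 host 172.16.32.12` entry seen in the final output.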


This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:20 GMT-3