Re: reflexive access-list

From: Carlos G Mendioroz (tron@xxxxxxxxxxx)
Date: Thu Aug 08 2002 - 07:26:24 GMT-3


Forget the "this would be strange" part. Too early in the morning
and gears are not up to speed in my head :-(

Makes me think of the advice to get up early on the week of the exam!

Carlos G Mendioroz wrote:
>
> Ah, ok. That explains it. You have OSPF and RIP entries there, so the
> list
> is (was) not empty...
>
> Have you put those in or are auto ?
> This would be strange if auto, since this is self generated traffic...
>
> ying c wrote:
> >
> > Hi all,
> >
> > Below is the the output:
> >
> > Before ping:
> >
> > Extended IP access list allin
> > evaluate allpackets
> > permit ospf any any (1039 matches)
> > permit udp any any eq rip
> > Extended IP access list allout
> > permit tcp any any reflect allpackets
> > permit udp any any reflect allpackets
> > permit icmp any any reflect allpackets
> > permit ospf any any
> > permit udp any any eq rip
> > Reflexive IP access list allpackets
> > r1#
> > ----------------------------------------------------
> > After call from r1:
> >
> > r1#ping 172.16.10.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout
> > is 2 seconds:
> > .....
> > Success rate is 0 percent (0/5)
> >
> > Extended IP access list allin
> > evaluate allpackets
> > permit ospf any any (1052 matches)
> > permit udp any any eq rip
> > Extended IP access list allout
> > permit tcp any any reflect allpackets
> > permit udp any any reflect allpackets
> > permit icmp any any reflect allpackets
> > permit ospf any any
> > permit udp any any eq rip
> > Reflexive IP access list allpackets
> > r1#
> > ------------------------------------------------------
> > After call from a router that connects to r1:
> >
> > rsm#ping 172.16.10.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout
> > is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip
> > min/avg/max = 72/75/80 ms
> > rsm#
> > Extended IP access list allin
> > evaluate allpackets
> > permit ospf any any (1056 matches)
> > permit udp any any eq rip
> > Extended IP access list allout
> > permit tcp any any reflect allpackets
> > permit udp any any reflect allpackets
> > permit icmp any any reflect allpackets
> > permit ospf any any
> > permit udp any any eq rip
> > Reflexive IP access list allpackets
> > permit icmp host 172.16.10.2 host 172.16.32.12
> > (11 matches) (time left -743096) <<<----
> > r1#
> > ----------------------------------------------------------------
> >
> > --- Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> > > Brian,
> > > this is ok... but I used to believe that in this
> > > case, as the
> > > evaluate is the only statement in the allin ACL,
> > > then allin
> > > would be empty and allow all traffic through.
> > >
> > > This used to be a common gotcha on reflexive (and
> > > CBAC) ACLs.
> > > Has this changed ?
> > >
> > > Chang, what would be the output of a show
> > > access-lists ?
> > >
> > >
> > >
> > > Brian Dennis wrote:
> > > >
> > > > Traffic generated by R1 isn't going to be
> > > evaluated out and in turn
> > > > won't be let back in. Try testing it from behind
> > > R1.
> > > >
> > > > Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com
> > > [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ying c
> > > > Sent: Wednesday, August 07, 2002 12:40 PM
> > > > To: ccielab@groupstudy.com
> > > > Subject: reflexive access-list
> > > >
> > > > Hi,
> > > >
> > > > Can someone tell me why the following reflexive
> > > > access-list would not work? I'm not even bothering
> > > > blocking anything any more, the IOS is 12.1-15:
> > > >
> > > > R1-172.16.10.1-------172.16.10.2--R2
> > > >
> > > > interface Serial0.1 multipoint
> > > > ip address 172.16.10.1 255.255.255.0
> > > > ip access-group allin in <---- IN
> > > > ip access-group allout out <----- OUT
> > > > ip ospf priority 255
> > > > ipx network 12
> > > > frame-relay map ip 172.16.10.1 102 broadcast
> > > > frame-relay map ip 172.16.10.2 102 broadcast
> > > > frame-relay map ip 172.16.10.3 103 broadcast
> > > > frame-relay map ipx 12.0001.0001.0001 102
> > > broadcast
> > > > frame-relay map ipx 12.0002.0002.0002 102
> > > broadcast
> > > > ...
> > > > ip access-list extended allin
> > > > evaluate allpackets <---- evaluate everything
> > > > ip access-list extended allout
> > > > permit tcp any any reflect allpackets <--- tcp
> > > > permit udp any any reflect allpackets <--- udp
> > > > permit icmp any any reflect allpackets <--- icmp
> > > >
> > > > =======================
> > > > run result:
> > > >
> > > > r1#ping 172.16.10.2 <--- Always fails
> > > >
> > > > Type escape sequence to abort.
> > > > Sending 5, 100-byte ICMP Echos to 172.16.10.2,
> > > timeout
> > > > is 2 seconds:
> > > > .....
> > > > Success rate is 0 percent (0/5)
> > > > r1#ct <---- remove reflexive access-list
> > > > Enter configuration commands, one per line. End
> > > with
> > > > CNTL/Z.
> > > > r1(config)#int s0.1
> > > > r1(config-subif)#no ip access
> > > > r1(config-subif)#no ip access-group allin in
> > > > r1(config-subif)#no ip access-group allout out
> > > > r1(config-subif)#^Z
> > > > r1#pin
> > > > 07:30:09: %SYS-5-CONFIG_I: Configured from console
> > > by
> > > > console
> > > > r1#ping 172.16.10.2 <--- Ok if no reflexive
> > > > access-list
> > > >
> > > > Type escape sequence to abort.
> > > > Sending 5, 100-byte ICMP Echos to 172.16.10.2,
> > > timeout
> > > > is 2 seconds:
> > > > !!!!!
> > > > Success rate is 100 percent (5/5), round-trip
> > > > min/avg/max = 60/60/60 ms
> > > > r1#
> > > >
> > > > Thanks,
> > > > Chang
> > > >
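As an added illustration of the behaviour Brian describes (this is a constructed Python model written for this archive page, not IOS code and not something posted in the thread), the following reproduces the allin/allout configuration from Chang's post as a tiny packet-filter simulation. It assumes, per Brian's explanation, that packets the router itself originates are not run through the outbound ACL, so no reflexive entry is ever mirrored for them; it also assumes a 300 second reflexive timeout, uses the RIP port 520 and the OSPF hello address 224.0.0.5, and borrows the addresses 172.16.10.1, 172.16.10.2 and 172.16.32.12 from the thread. Function and class names are the model's own.

```python
# Toy model of the reflexive-ACL flow in this thread (constructed example, not IOS
# code). Config modelled: allout reflects tcp/udp/icmp into 'allpackets' and permits
# ospf and udp/rip; allin evaluates 'allpackets' and permits ospf and udp/rip.
# Assumed, following Brian's explanation: router-originated packets bypass the
# outbound ACL, so nothing is reflected for them. 300 s reflexive timeout assumed.
from dataclasses import dataclass

RIP_PORT = 520


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "ospf"
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports
    dport: int = 0


class ReflexiveList:
    """Temporary entries keyed on the 5-tuple of the expected return packet."""
    def __init__(self, name, timeout=300):
        self.name, self.timeout, self.entries = name, timeout, {}

    def reflect(self, pkt, now):
        # Swap src/dst (and ports) so the entry matches the returning packet.
        self.entries[(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)] = now + self.timeout

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry <= now:             # aged out, like "time left" reaching zero
            del self.entries[key]
            return False
        return True

    def show(self, now):
        # Roughly the "Reflexive IP access list" lines of show access-lists.
        return [f"permit {p} host {s} host {d} (time left {exp - now})"
                for (p, s, d, _, _), exp in self.entries.items()]


@dataclass
class Entry:
    action: str                        # "permit", "reflect" or "evaluate"
    proto: str = ""
    dport: int = None                  # None = any destination port
    rlist: ReflexiveList = None

    def matches(self, pkt):
        return pkt.proto == self.proto and self.dport in (None, pkt.dport)


class Acl:
    def __init__(self, name, entries):
        self.name, self.entries = name, entries

    def check(self, pkt, now):
        for e in self.entries:
            if e.action == "evaluate":
                if e.rlist.evaluate(pkt, now):
                    return True
            elif e.matches(pkt):
                if e.action == "reflect":
                    e.rlist.reflect(pkt, now)
                return True
        return False                   # implicit deny at the end of every ACL


def forward_out(acl_out, pkt, now, locally_generated=False):
    # Assumed IOS behaviour: the router's own packets skip the outbound ACL.
    return True if locally_generated else acl_out.check(pkt, now)


def build_serial0():
    """r1's Serial0.1 with the thread's allin/allout lists."""
    allpackets = ReflexiveList("allpackets")
    allout = Acl("allout", [Entry("reflect", p, rlist=allpackets) for p in ("tcp", "udp", "icmp")]
                 + [Entry("permit", "ospf"), Entry("permit", "udp", dport=RIP_PORT)])
    allin = Acl("allin", [Entry("evaluate", rlist=allpackets),
                          Entry("permit", "ospf"), Entry("permit", "udp", dport=RIP_PORT)])
    return allin, allout, allpackets


def ping_from_r1(now=0):
    """r1's own ping: never reflected, so the echo reply hits the implicit deny."""
    allin, allout, _ = build_serial0()
    forward_out(allout, Packet("icmp", "172.16.10.1", "172.16.10.2"), now, locally_generated=True)
    return allin.check(Packet("icmp", "172.16.10.2", "172.16.10.1"), now)


def ping_from_behind_r1(now=0, reply_delay=0):
    """rsm's ping transits r1: reflected outbound, reply matched by evaluate."""
    allin, allout, allpackets = build_serial0()
    forward_out(allout, Packet("icmp", "172.16.32.12", "172.16.10.2"), now)
    ok = allin.check(Packet("icmp", "172.16.10.2", "172.16.32.12"), now + reply_delay)
    return ok, allpackets.show(now)


def ospf_hello_inbound(now=0):
    """Routing traffic still needs its own static permit; evaluate never matches it."""
    allin, _, _ = build_serial0()
    return allin.check(Packet("ospf", "172.16.10.2", "224.0.0.5"), now)
```

Running `ping_from_r1()` returns False while `ping_from_behind_r1()` returns True together with a mirrored entry of the form `permit icmp host 172.16.10.2 host 172.16.32.12 (time left 300)`, which is the same shape as the entry in Chang's third `show access-lists` output. The model also shows why the static `permit ospf` and `permit udp ... eq rip` lines are needed in allin: `evaluate` only ever matches mirrored return traffic, and everything else falls through to the implicit deny.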



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:20 GMT-3