Re: Reflexive Access List

From: Teck PhrEAk!! (phreakinphunk@hotmail.com)
Date: Sat Aug 30 2003 - 15:14:15 GMT-3


There's no IMPLICIT "Deny any any" at the end of an "outbound" "reflect" ACL!

cheers,

sumit.

>From: christopher snow <cbsnow31@yahoo.com>
>Reply-To: christopher snow <cbsnow31@yahoo.com>
>To: ccielab@groupstudy.com
>Subject: Reflexive Access List
>Date: Sat, 30 Aug 2003 09:53:16 -0700 (PDT)
>
>I have a question in regards to reflexive access lists.
> I have the following config:
>
>ip access-list extended inbound
> evaluate icmp_traffic
> evaluate tcp_traffic
> permit ospf any any
>ip access-list extended outbound
> permit icmp any any reflect icmp_traffic
> permit tcp any any reflect tcp_traffic
>
>-----
>The access-list works fine but I originally had ospf
>permit any any applied to both the inbound and
>outbound. When I compared my configs to the solution,
>the solution only had ospf permit any any applied to
>the inbound. I removed it and it still works. I then
>removed it from the inbound and the neighbors dropped.
> Why is the ospf statement not needed on the outbound
>side? I would have assumed that it would be blocked
>unless specifically permitted.
>
>Chris Snow
>
>
>_______________________________________________________________________
>You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
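The following is an added example, written for this archive page and not part of either message above: a small Python model of the two access lists in the quoted config, so the behaviour Chris describes (neighbors stay up without an outbound ospf permit, drop without the inbound one) can be traced offline. It models "evaluate" as matching only the mirrored 5-tuples that a "reflect" entry recorded on the way out, keeps the implicit deny at the end of each extended list, and applies the documented IOS rule that an outbound ACL does not filter packets the router itself originates (its own OSPF hellos), which is flagged as a modelling assumption in the code. Addresses and ports are constructed sample values; `ReflexiveAclRouter`, `ospf_hellos_exchanged` and `tcp_reply_allowed` are names chosen here, not IOS commands.

```python
# Added example (not from the thread): a toy model of the quoted inbound and
# outbound access lists. The inbound list carries "evaluate icmp_traffic",
# "evaluate tcp_traffic" and, optionally, "permit ospf any any"; the outbound
# list carries "permit icmp/tcp any any reflect <name>". Addresses and ports
# below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


class ReflexiveAclRouter:
    """Models one interface with the quoted inbound/outbound access lists."""

    def __init__(self, permit_ospf_inbound: bool, local_addr: str = "10.0.0.1"):
        self.local_addr = local_addr
        self.permit_ospf_inbound = permit_ospf_inbound
        # Temporary entries created by "reflect": list name -> mirrored 5-tuples
        self.reflect: dict[str, set[tuple]] = {"icmp_traffic": set(), "tcp_traffic": set()}

    def outbound(self, pkt: Packet) -> bool:
        """Apply the 'outbound' list to a packet leaving the interface."""
        # Modelling assumption (matches documented IOS behaviour): packets the
        # router itself originates, such as its own OSPF hellos, are not
        # filtered by an outbound ACL at all.
        if pkt.src == self.local_addr:
            return True
        if pkt.proto in ("icmp", "tcp"):
            # "permit <proto> any any reflect <name>": permit the packet and
            # record the mirrored tuple so the matching reply passes inbound.
            mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.reflect[f"{pkt.proto}_traffic"].add(mirrored)
            return True
        return False  # implicit deny at the end of the extended ACL

    def inbound(self, pkt: Packet) -> bool:
        """Apply the 'inbound' list to a packet arriving on the interface."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # "evaluate icmp_traffic" / "evaluate tcp_traffic": only sessions that
        # were already seen outbound match here.
        if any(key in entries for entries in self.reflect.values()):
            return True
        # "permit ospf any any", present or absent as in the question
        if self.permit_ospf_inbound and pkt.proto == "ospf":
            return True
        return False  # implicit deny


def ospf_hellos_exchanged(permit_ospf_inbound: bool) -> tuple[bool, bool]:
    """Return (our hello allowed out, neighbour's hello allowed in)."""
    r = ReflexiveAclRouter(permit_ospf_inbound)
    ours = Packet("ospf", r.local_addr, "224.0.0.5")    # router-originated
    theirs = Packet("ospf", "10.0.0.2", "224.0.0.5")    # neighbour's hello
    return r.outbound(ours), r.inbound(theirs)


def tcp_reply_allowed(send_first: bool) -> bool:
    """A TCP reply from outside passes inbound only after the request reflected it."""
    r = ReflexiveAclRouter(permit_ospf_inbound=True)
    request = Packet("tcp", "192.168.1.10", "203.0.113.5", 40000, 80)
    reply = Packet("tcp", "203.0.113.5", "192.168.1.10", 80, 40000)
    if send_first:
        r.outbound(request)
    return r.inbound(reply)


if __name__ == "__main__":
    print("with inbound ospf permit:", ospf_hellos_exchanged(True))      # (True, True)
    print("without inbound ospf permit:", ospf_hellos_exchanged(False))  # (True, False)
    print("unsolicited tcp reply:", tcp_reply_allowed(False))            # False
    print("reflected tcp reply:", tcp_reply_allowed(True))               # True
```

Run as a script it prints the four cases; the second line is the situation in the question, where the router's own hellos still leave but the neighbour's hellos hit the inbound list's implicit deny once "permit ospf any any" is removed, so adjacencies fall over. The last two lines show what "reflect"/"evaluate" actually buy you: an inbound TCP segment is accepted only if an outbound packet created the mirrored temporary entry first.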



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:11 GMT-3