RE: Reflexive Access List

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sat Aug 30 2003 - 16:04:11 GMT-3

• Next message: Kenneth Wygand: "RE: How to remove serial subif ?"
• Previous message: Jonathan V Hays: "RE: log and log-input"
• Maybe in reply to: christopher snow: "Reflexive Access List"
• Next in thread: Jonathan V Hays: "RE: Reflexive Access List"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Chris,
The outbound ACL is not needed since traffic "originated" by the router
itself will not be affected by an outbound ACL*. Since this is the case
traffic originated by the router does not get "reflected" by a
reflective ACL. This means that all traffic originated by the router
itself will need to be manually permitted with the inbound ACL.

It is common to permit routing protocols inbound but also remember if
you need to ping or telnet to other routers from the router with the
reflective ACL you'll have to manually add the ACL entries inbound for
this traffic to return.

* By default. There is a way to force traffic originated by the router
to be affected by an outbound ACL.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Toll Free: 877-334-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
christopher snow
Sent: Saturday, August 30, 2003 9:53 AM
To: ccielab@groupstudy.com
Subject: Reflexive Access List

I have a question in regards to relexive access lists.
 I have the following config:

ip access-list extended inbound
 evaluate icmp_traffic
 evaluate tcp_traffic
 permit ospf any any
ip access-list extended outbound
 permit icmp any any reflect icmp_traffic
 permit tcp any any reflect tcp_traffic

-----
The access-list works fine but I originally had ospf
permit any any applied to both the inbound and
oubound. When I compared my configs to the solution,
the solutin only had ospf permit any any applied to
the inbound. I removed it and it still works. I then
removed it from the inbound and the neighbors dropped.
 Why is the ospf statement not needed on the outbound
side. It would have assumed that it would be blocked
unless specifically permited.

Chris Snow

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

• Next message: Kenneth Wygand: "RE: How to remove serial subif ?"
• Previous message: Jonathan V Hays: "RE: log and log-input"
• Maybe in reply to: christopher snow: "Reflexive Access List"
• Next in thread: Jonathan V Hays: "RE: Reflexive Access List"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:11 GMT-3