From: navaid@rogers.com
Date: Sat Aug 30 2003 - 16:34:24 GMT-3
Brian,
How can we force traffic originated by the router to be affected by an outbound ACL?
Thanks,
Navaid
>
> From: "Brian Dennis" <bdennis@internetworkexpert.com>
> Date: 2003/08/30 Sat PM 03:04:11 EDT
> To: "'christopher snow'" <cbsnow31@yahoo.com>, <ccielab@groupstudy.com>
> Subject: RE: Reflexive Access List
>
> Chris,
> The outbound ACL is not needed since traffic "originated" by the router
> itself will not be affected by an outbound ACL*. Since this is the case
> traffic originated by the router does not get "reflected" by a
> reflective ACL. This means that all traffic originated by the router
> itself will need to be manually permitted with the inbound ACL.
>
> It is common to permit routing protocols inbound but also remember if
> you need to ping or telnet to other routers from the router with the
> reflective ACL you'll have to manually add the ACL entries inbound for
> this traffic to return.
>
> * By default. There is a way to force traffic originated by the router
> to be affected by an outbound ACL.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Toll Free: 877-334-8987
> Direct: 775-745-6404 (Outside the US and Canada)
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> christopher snow
> Sent: Saturday, August 30, 2003 9:53 AM
> To: ccielab@groupstudy.com
> Subject: Reflexive Access List
>
> I have a question in regards to reflexive access lists.
> I have the following config:
>
> ip access-list extended inbound
> evaluate icmp_traffic
> evaluate tcp_traffic
> permit ospf any any
> ip access-list extended outbound
> permit icmp any any reflect icmp_traffic
> permit tcp any any reflect tcp_traffic
>
> -----
> The access-list works fine but I originally had ospf
> permit any any applied to both the inbound and
> outbound. When I compared my configs to the solution,
> the solution only had ospf permit any any applied to
> the inbound. I removed it and it still works. I then
> removed it from the inbound and the neighbors dropped.
> Why is the ospf statement not needed on the outbound
> side? I would have assumed that it would be blocked
> unless specifically permitted.
>
> Chris Snow
>
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
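Added here as an illustration of Brian's point, not part of any post in the thread: Chris's two lists with the inbound entries that router-originated ping and telnet need, applied to an interface whose name (Serial0/0) is an assumption.

```cisco
! Added example, not from the thread. Interface name Serial0/0 is assumed.
! Transit TCP/ICMP leaving the interface is reflected by the outbound list.
! Packets the router itself sources never pass through that list, so they
! create no reflexive entry and their replies must be permitted by hand.
ip access-list extended inbound
 evaluate icmp_traffic
 evaluate tcp_traffic
 permit ospf any any
 remark replies to pings sourced from this router
 permit icmp any any echo-reply
 remark return traffic for telnet sessions opened from this router
 permit tcp any eq telnet any established
 remark anything else that was not reflected hits the implicit deny
!
ip access-list extended outbound
 permit icmp any any reflect icmp_traffic
 permit tcp any any reflect tcp_traffic
!
interface Serial0/0
 ip access-group inbound in
 ip access-group outbound out
```

Without the echo-reply and established lines a ping or telnet sourced from this router fails, because its outgoing packets are neither reflected nor matched by any inbound entry on return.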
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:11 GMT-3