RE: RE: Reflexive Access List

From: Marcus Jensen (marcus@pobox.com)
Date: Tue Sep 30 2003 - 19:40:32 GMT-3


> How can we force traffic originated by the router to be
> affected by an outbound ACL ?

Force the traffic back through the loopback (policy-route traffic matching
router-sourced traffic and set the next hop to your own loopback); it will go
through the route table again, and then back out the same interface it
originally would have, except this time it will hit the outgoing ACL as well.

Marcus

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of navaid@rogers.com
> Sent: Sunday, August 31, 2003 4:34 AM
> To: Brian Dennis; 'christopher snow'; ccielab@groupstudy.com
> Subject: Re: RE: Reflexive Access List
>
>
> Brian,
> How can we force traffic originated by the router to be
> affected by an outbound ACL ?
> Thanks,
> Navaid
>
> >
> > From: "Brian Dennis" <bdennis@internetworkexpert.com>
> > Date: 2003/08/30 Sat PM 03:04:11 EDT
> > To: "'christopher snow'" <cbsnow31@yahoo.com>,
> > <ccielab@groupstudy.com>
> > Subject: RE: Reflexive Access List
> >
> > Chris,
> > The outbound ACL is not needed since traffic "originated" by the router
> > itself will not be affected by an outbound ACL*. Since this is the case,
> > traffic originated by the router does not get "reflected" by a
> > reflective ACL. This means that all traffic originated by the router
> > itself will need to be manually permitted with the inbound ACL.
> >
> > It is common to permit routing protocols inbound, but also remember if
> > you need to ping or telnet to other routers from the router with the
> > reflective ACL you'll have to manually add the ACL entries inbound for
> > this traffic to return.
> >
> > * By default. There is a way to force traffic originated by the router
> > to be affected by an outbound ACL.
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@internetworkexpert.com
> > Toll Free: 877-334-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > christopher snow
> > Sent: Saturday, August 30, 2003 9:53 AM
> > To: ccielab@groupstudy.com
> > Subject: Reflexive Access List
> >
> > I have a question in regards to reflexive access lists.
> > I have the following config:
> >
> > ip access-list extended inbound
> >  evaluate icmp_traffic
> >  evaluate tcp_traffic
> >  permit ospf any any
> > ip access-list extended outbound
> >  permit icmp any any reflect icmp_traffic
> >  permit tcp any any reflect tcp_traffic
> >
> > -----
> > The access-list works fine but I originally had ospf
> > permit any any applied to both the inbound and
> > outbound. When I compared my configs to the solution,
> > the solution only had ospf permit any any applied to
> > the inbound. I removed it and it still works. I then
> > removed it from the inbound and the neighbors dropped.
> > Why is the ospf statement not needed on the outbound
> > side? I would have assumed that it would be blocked
> > unless specifically permitted.
> >
> > Chris Snow
> >
> >
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
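Putting the two halves of the thread together as an added example (this is not configuration posted by anyone in the thread): Chris's reflexive ACL pair applied to an outside interface, plus the local policy route Marcus describes, which sends router-sourced ping and telnet traffic to the router's own loopback so that it is evaluated by the outbound ACL and gets reflected, instead of needing static inbound permits. The interface names, addresses, ACL name LOCAL-SOURCED, route-map name and timeouts are assumed; OSPF is deliberately left out of the policy so it keeps the default behaviour Brian describes and its inbound permit.

```cisco
! Loopback used as the policy-routing next hop (assumed address)
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Reflexive ACL pair as posted in the thread, with explicit timeouts (assumed)
ip access-list extended outbound
 permit icmp any any reflect icmp_traffic timeout 120
 permit tcp any any reflect tcp_traffic timeout 300
ip access-list extended inbound
 evaluate icmp_traffic
 evaluate tcp_traffic
 permit ospf any any
 deny ip any any log
!
! Router-sourced packets leaving the outside interface carry its address as
! source (assumed 192.0.2.1); match only the ping/telnet traffic from the thread
ip access-list extended LOCAL-SOURCED
 permit icmp host 192.0.2.1 any
 permit tcp host 192.0.2.1 any eq telnet
!
! Send matching router-sourced traffic to the loopback; per Marcus, it is then
! routed again and leaves the outside interface subject to the outbound ACL
route-map LOCAL-TO-LOOPBACK permit 10
 match ip address LOCAL-SOURCED
 set ip next-hop 10.255.255.1
!
! Local policy routing applies to traffic the router itself generates
ip local policy route-map LOCAL-TO-LOOPBACK
!
interface Serial0/0
 description outside (assumed interface)
 ip address 192.0.2.1 255.255.255.252
 ip access-group inbound in
 ip access-group outbound out
```

After a ping or telnet from the router, `show ip access-lists` should list temporary entries under icmp_traffic or tcp_traffic for the return flow, and `show route-map LOCAL-TO-LOOPBACK` should show the policy matches; if neither appears, the traffic is still bypassing the outbound ACL and the inbound permits Brian mentions are still required.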



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:11 GMT-3