From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Mon Sep 01 2003 - 14:00:19 GMT-3
Here is the body of an e-mail I sent Saturday about this same topic.
<Quote>
The outbound ACL is not needed since traffic "originated" by the router
itself will not be affected by an outbound ACL*. Since this is the case,
traffic originated by the router does not get "reflected" by a
reflective ACL. This means that all traffic originated by the router
itself will need to be manually permitted with the inbound ACL.
It is common to permit routing protocols inbound, but also remember that if
you need to ping or telnet to other routers from the router with the
reflective ACL you'll have to manually add the ACL entries inbound for
this traffic to return.
* By default. There is a way to force traffic originated by the router
to be affected by an outbound ACL.
</Quote>
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Toll Free: 877-334-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
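To make the point above concrete, here is the poster's inboundFilters list rewritten so that sessions R5 itself opens can get their replies back. This is an added example, not configuration from either poster. The list names (inboundFilters, outboundFilters, tcptraffic), the EIGRP permit, the interface and the address 192.168.0.100 are taken from the posted config; the remote telnet peer 192.168.0.3 is the host the poster telnets to. The extra ICMP types and the choice of which ports to open are assumptions about what R5 is expected to originate.

```cisco
! Added example (not from the original thread): inboundFilters extended so
! that return traffic for sessions R5 originates is permitted explicitly.
! Names and 192.168.0.100 come from the posted config; the rest is assumed.
!
! Packets R5 generates itself are not matched against outboundFilters, so the
! "reflect tcptraffic" entry never fires for them and nothing is added to the
! tcptraffic reflexive list. Their replies therefore have to be permitted
! statically in the inbound list.
!
ip access-list extended inboundFilters
 ! routing protocol, as in the original
 permit eigrp any any
 ! replies to pings R5 sends; must precede the deny icmp line
 permit icmp any host 192.168.0.100 echo-reply
 ! ICMP errors R5's own ping/traceroute relies on (assumed to be wanted)
 permit icmp any host 192.168.0.100 unreachable
 permit icmp any host 192.168.0.100 ttl-exceeded
 deny icmp any any
 ! replies to telnet sessions R5 itself opens to any host (e.g. 192.168.0.3):
 ! source port 23 with ACK or RST set. "established" only checks TCP flags
 ! and keeps no state, so scope it to R5's own address and one remote port
 ! rather than "permit tcp any any established".
 permit tcp any eq 23 host 192.168.0.100 established
 ! temporary entries created by outboundFilters for traffic that transits R5
 ! (with Serial0 and Serial1 shut down, nothing in the posted config does)
 evaluate tcptraffic
!
ip access-list extended outboundFilters
 permit tcp any any reflect tcptraffic
!
interface Ethernet0
 ip access-group inboundFilters in
 ip access-group outboundFilters out
```

After applying this, "telnet 192.168.0.3" from R5 should complete, and "show access-lists tcptraffic" will still show no reflected entries for that session, which is the expected result: the static "established" line is what let the reply in. Every static permit added this way is a hole that stays open regardless of whether R5 has a session in progress, so keep the set limited to what the router genuinely needs to originate.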
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chen Kwong Wai William
Sent: Monday, September 01, 2003 9:53 AM
To: ccielab@groupstudy.com
Subject: Reflexive Access List
Dear all,
Could anyone kindly tell me what is wrong with the following setting? The
reflexive access-list doesn't work.
-- William
sh run
Building configuration...
Current configuration : 1051 bytes
!
version 12.2
service config
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R5
!
logging rate-limit console 10 except errors
!
username bob password 0 cisco
username alice password 0 cisco
username alice autocommand access-enable timeout 1
ip subnet-zero
no ip finger
!
ip reflexive-list timeout 20
no ip dhcp-client network-discovery
!
!
!
!
interface Ethernet0
ip address 192.168.0.100 255.255.255.0
ip access-group inboundFilters in
ip access-group outboundFilters out
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
ip kerberos source-interface any
ip classless
ip http server
!
!
ip access-list extended inboundFilters
permit eigrp any any
deny icmp any any
evaluate tcptraffic
ip access-list extended outboundFilters
permit tcp any any reflect tcptraffic
!
!
line con 0
transport input none
line 1 16
no exec
transport input all
line aux 0
line vty 0 4
privilege level 15
login local
!
end
R5#telnet 192.168.0.3
Trying 192.168.0.3 ...
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:21 GMT-3