RE: Reflective ACLs

From: Nigel.Johnson@barclayscapital.com
Date: Wed Nov 26 2003 - 12:24:56 GMT-3


I'd guess that it's because there isn't an implicit deny at the end of a
reflexive ACL ('inbound' in your example) so you need to nest it to prevent
allowing all traffic.

You would need to specifically allow BGP, EIGRP, so your 'inbound-eval'
access-list would become:

Extended IP access list inbound-eval
    permit bgp any any
    permit eigrp any any
    evaluate inbound

Cheers,
Nige

-----Original Message-----
From: Farrington, Ken: IT (LDN)
Sent: 26 November 2003 12:24
To: ccielab@groupstudy.com
Subject: Reflective ACLs

Hello,

Couple of questions re Reflexive ACLs.

Firstly, why do I need the evaluate ACL? Can't I just use the "inbound" ACL
in the access-group on the interface (the actual reflexive access-list),
rather than "inbound-eval", the ACL with the evaluate command in? Say this is
the only entry in the ACL.

Secondly, what about packets generated from the actual router, i.e. EIGRP,
OSPF, BGP, ICMP etc. etc.? These packets, as they are not transient to the
router, don't seem to get through. Is it because they are originated from the
router processor itself? I would imagine that multicast traffic for EIGRP,
OSPF, RIPv2 would have a problem with the reflexive ACL, and their source
would be, say, 30.96.100.18 and dest would be the mcast address. This
reflected, I would assume, would show in the ACL a source of the mcast address
and the dest of 30.96.100.18.

Please could someone explain this to me?

Many thx indeed,
Ken

MMmR01#
MMmR01#
!
interface Vlan50
 ip address 30.96.100.18 255.255.255.252
 ip access-group inbound-eval in
 ip access-group outbound out
 ip pim sparse-dense-mode
!
MMmR01#
MMmR01#
Reflexive IP access list inbound
    permit tcp host 30.96.100.17 eq telnet host 30.96.100.62 eq 63489 (32 matches) (time left 1)
    permit icmp host 30.96.100.1 host 30.96.100.42 (12 matches) (time left 206)
    permit udp host 224.0.1.40 eq pim-auto-rp host 30.96.100.25 eq pim-auto-rp (3 matches) (time left 277)
    permit udp host 30.96.100.1 eq snmp host 30.96.100.42 eq 60114 (11 matches) (time left 189)
    permit udp host 30.96.100.2 eq snmp host 30.96.100.42 eq 60114 (62 matches) (time left 288)
    permit icmp host 30.96.100.17 host 30.96.100.62 (26 matches) (time left 227)
    permit icmp host 30.96.100.17 host 30.96.100.42 (12 matches) (time left 138)
    permit udp host 224.0.1.39 eq pim-auto-rp host 30.96.100.25 eq pim-auto-rp (7 matches) (time left 268)
    permit udp host 30.96.100.17 eq snmp host 30.96.100.42 eq 60114 (114 matches) (time left 288)
!
Extended IP access list inbound-eval
    evaluate inbound
!
Extended IP access list outbound
    permit ip any any reflect inbound
MMmR01#

        ________________________________________________________________
        Ken Farrington
        Global Networks, Barclays Capital, 5 The North Colonnade, Canary Wharf, London, E14 4BB
        * Tel : 020 7773 3550
        * Mob : 07768-866655
        * ken.farrington@barcap.com
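The behaviour both mails describe, worked through as an added example (not from either poster or from Cisco): the outbound `reflect` builds mirror entries for transit sessions, `evaluate` then matches inbound packets against those mirrors, and anything else hits the implicit deny. The model also encodes the IOS rule that router-originated packets are not passed through an outbound ACL (so Ken's imagined entry with source 224.0.0.10 is never created), and shows why EIGRP and BGP need explicit permits ahead of `evaluate`, as Nigel suggests. Addresses and the constructed traffic are taken from or modelled on the thread; the packet model and helper names are the example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    sport: int = 0      # 0 = no port (icmp, eigrp)
    dport: int = 0

ROUTER_IP = "30.96.100.18"   # Vlan50 address from the thread

def reflect(p):
    """Mirror entry that 'reflect inbound' records for a permitted transit packet."""
    return Pkt(p.proto, p.dst, p.src, p.dport, p.sport)

def build_reflexive(outbound, router_ip=ROUTER_IP):
    """Outbound ACL 'permit ip any any reflect inbound'. Assumption encoded here:
    IOS does not pass router-originated packets through an outbound ACL, so
    the router's own hellos and BGP SYNs never create a mirror entry."""
    return {reflect(p) for p in outbound if p.src != router_ip}

def inbound_permits(p, static, reflexive):
    """Inbound ACL: explicit permits (proto, sport, dport; None = any) are tried
    first, then 'evaluate inbound', then the implicit deny every IOS ACL ends with."""
    for proto, sport, dport in static:
        if p.proto == proto and sport in (None, p.sport) and dport in (None, p.dport):
            return True
    return p in reflexive

# Constructed traffic: a transit telnet session, the router's own EIGRP hello and BGP SYN.
OUTBOUND = [
    Pkt("tcp", "30.96.100.62", "30.96.100.17", 63489, 23),
    Pkt("eigrp", ROUTER_IP, "224.0.0.10"),
    Pkt("tcp", ROUTER_IP, "30.96.100.17", 45000, 179),
]
INBOUND = {
    "telnet_reply": Pkt("tcp", "30.96.100.17", "30.96.100.62", 23, 63489),
    "eigrp_hello":  Pkt("eigrp", "30.96.100.17", "224.0.0.10"),
    "bgp_synack":   Pkt("tcp", "30.96.100.17", ROUTER_IP, 179, 45000),
    "unsolicited":  Pkt("tcp", "30.96.100.17", "30.96.100.62", 40000, 22),
}
EVAL_ONLY = []                                             # 'inbound-eval' as posted
WITH_ROUTING = [("eigrp", None, None),                     # permit eigrp any any
                ("tcp", 179, None), ("tcp", None, 179)]    # permit tcp ... eq bgp, both directions

def verdicts(static):
    refl = build_reflexive(OUTBOUND)
    return {name: inbound_permits(p, static, refl) for name, p in INBOUND.items()}
```

`verdicts(EVAL_ONLY)` permits only the telnet reply; `verdicts(WITH_ROUTING)` additionally permits the neighbour's EIGRP hello and the BGP SYN/ACK, while the unsolicited SSH connection is still dropped.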




This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:17 GMT-3