From: wangstone373 (wangstone373@hotmail.com)
Date: Thu Nov 27 2003 - 13:33:24 GMT-3
Hi, Brian
I just tested reflexive ACLs with the topology below:
R1--(OSPF area 0)--R2--(RIP v1)--R3
Requirement: R2 can only receive inbound TCP, ICMP and UDP traffic that has been confirmed by outbound traffic.
Below is my config:
R2:
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Serial0
 ip address 20.20.20.1 255.255.255.0
 ip ospf network point-to-point
!
! RIP side; the reflexive ACL pair is applied here
interface Serial1
 ip address 10.10.10.1 255.255.255.0
 ip access-group inbound in
 ip access-group outbound out
!
router rip
 version 1
 network 10.0.0.0
 network 2.0.0.0
!
router ospf 1
 network 20.20.20.1 0.0.0.0 area 0
!
! evaluate inserts the temporary entries created by 'reflect test' below;
! an extended ACL entry needs a protocol keyword, hence 'deny ip any any'
ip access-list extended inbound
 evaluate test
 deny ip any any
!
ip access-list extended outbound
 permit icmp any any reflect test
 permit udp any any eq rip reflect test
 permit tcp any any reflect test
 permit ip any any
There are some problems:
1. As you mentioned below, 10.1 cannot ping 10.2; the two solutions you suggested both work well.
2. But with the reflexive ACL, RIP between R1 and R2 has problems: R1 cannot learn routes from R2, while R2 works normally and can learn from R1.
3. If we use ip local policy, lo0 is not declared in OSPF, so the OSPF neighbor will be down; I must announce it into OSPF with redistribution.
How can I do the above?
Thanks!
----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "'Peasah, Richard Kwame'" <rpeasah@ku.edu>; <ccielab@groupstudy.com>
Sent: Thursday, November 27, 2003 5:44 AM
Subject: RE: Access-Lists Optimizer
> Richard,
>
> Try 'access-list 100 deny ip any any'. It consolidates all your
> security into one line. Very efficient.
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Peasah, Richard Kwame
> > Sent: Wednesday, November 26, 2003 1:54 PM
> > To: ccielab@groupstudy.com
> > Subject: Access-Lists Optimizer
> >
> > Gang,
> >
> >
> >
> > Is there anything like an access-list optimizer? I'm literally
> > drowning in a soup of ACLs and I'm wondering if there's a tool out there
> > that I can cling on to. Cheers.
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:18 GMT-3