Re: Help reflexive access list

From: David Deng (glend_99@yahoo.com)
Date: Thu Dec 18 2003 - 04:44:31 GMT-3


I have also tried adding one statement to each of the
access lists to permit OSPF (permit ospf any any).

I also added one loopback interface on each end router;
only the spf2 router sees the loopback route from DMI. When
I try to ping the DMI loopback address from spf2, here is
what I get on the DMI router:

1w2d: ICMP: echo reply sent, src 172.16.2.2, dst 200.0.0.1
1w2d: ICMP: dst (172.16.2.2) administratively prohibited unreachable rcv from 100.0.0.2

Looks like an ACL issue.

David

--- David Deng <glend_99@yahoo.com> wrote:
> David,
>
>
> Here is the output of the sh access-list test.
>
>
> shadow1#sh access-lists test
> Reflexive IP access list test
>     permit ospf host 224.0.0.5 eq host 200.0.0.1 (2097 matches) (time left 2)
>
> More testing has shown that the spf2 router has received
> the loopback route of DMI, but DMI cannot receive the
> loopback route of spf2 through OSPF. This could be
> the problem.
>
> David
>
>
> shadow1#
> --- Richard Davidson <rich@myhomemail.net> wrote:
> > try:
> > show access-list test
> >
> > --- David Deng <glend_99@yahoo.com> wrote:
> > > Hi Group,
> > >
> > > I have a question on reflexive access lists: the
> > > traffic should be able to pass through the middle
> > > router as long as it is initiated from within the
> > > internal network, but I cannot achieve that result.
> > >
> > > Here is my config and results.
> > > ping from spf2 to 100.0.0.1 - no response
> > > ping from DMI to 200.0.0.1 - UUU unreachable
> > >
> > >
> >
> > > spf2------------g1/0/13--shadow1--g1/0/14-------DMI
> > >  .1         200.0.0.0        .2    .2        100.0.0.0        .1
> > >
> > > shadow1#sh ip access-lists
> > > Extended IP access list in10
> > >     10 permit ospf any any reflect test (51 matches)
> > >     20 permit tcp any any reflect test
> > >     30 permit icmp any any reflect test
> > > Extended IP access list out10
> > >     10 evaluate test
> > > Reflexive IP access list test
> > >     permit ospf host 200.0.0.2 eq host 200.0.0.1 (7 matches) (time left 240)
> > >     permit ospf host 224.0.0.5 eq host 200.0.0.1 (51 matches) (time left 295)
> > > shadow1#sh run int g1/0/13
> > > Building configuration...
> > >
> > > Current configuration : 142 bytes
> > > !
> > > interface GigabitEthernet1/0/13
> > >  no switchport
> > >  ip address 200.0.0.2 255.255.255.0
> > >  ip access-group in10 in
> > >  ip access-group out10 out
> > > end
> > >
> > >
> > >
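Added example, not taken from any message in this thread: a reflexive access list pair for the same topology in which OSPF is permitted statically in both directions and only TCP, UDP and ICMP are reflected. The reason for treating OSPF separately is visible in the quoted output: a hello from 200.0.0.1 to 224.0.0.5 is mirrored into the entry "permit ospf host 224.0.0.5 host 200.0.0.1", and since no IP packet is ever sourced from a multicast group address, that entry can never match a real packet and simply ages out. The list names in10, out10 and test, the interface and the addresses are the thread's; the timeout values, the udp line, the remarks and the logging deny at the end of out10 are my assumptions and should be adjusted to the lab.

```cisco
! Global idle timeout for reflexive entries (assumed value, not from the thread)
ip reflexive-list timeout 120
!
ip access-list extended in10
 remark Inbound from spf2: OSPF is permitted outright, never reflected
 permit ospf any any
 remark Sessions started on the spf2 side create entries in "test"
 permit tcp any any reflect test
 permit udp any any reflect test
 permit icmp any any reflect test timeout 60
 deny ip any any log
!
ip access-list extended out10
 remark Outbound to spf2: static OSPF permit first, then reflected sessions only
 permit ospf any any
 evaluate test
 deny ip any any log
!
interface GigabitEthernet1/0/13
 no switchport
 ip address 200.0.0.2 255.255.255.0
 ip access-group in10 in
 ip access-group out10 out
!
end
```

After this is applied, `show ip access-lists test` should contain only tcp, udp and icmp entries created by traffic that entered g1/0/13, with no ospf entries at all. A ping initiated from DMI toward 200.0.0.1 is still expected to be answered by shadow1 with an administratively prohibited unreachable, because out10 permits nothing but OSPF and sessions that were first seen on the spf2 side; that is the intended reflexive behaviour rather than a fault, and the `log` keyword on the final deny makes those drops visible with `show logging` while testing.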



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:42 GMT-3