From: Adel Abushaev (adel@netmasterclass.net)
Date: Thu Dec 18 2003 - 20:03:41 GMT-3
Why is control-plane traffic (OSPF) part of the ACL?
Could you explain the task you are trying to perform? You may want to permit
all routing updates and all traffic except
the one you are implicitly denying and reflecting.
If you need to permit ICMP replies only when there is an ICMP request, then
permit everything else afterwards to avoid
interruptions for other network services. Depending on the task, this list
can grow big, unless you can live with "permit ip any any" at the end.
OSPF packets have TTL=1, so why would you ever want to filter/reflect them in
your task? They are generated on a router;
they do not go further than the next-hop router.
Adel Abouchaev
CCIE# 12037, MCSE
http://www.netmasterclass.net
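The reflect/evaluate behaviour discussed in this thread, as an added example that is not code from any poster here: a small Python model of an IOS reflexive ACL. The state table, the timeout handling and the packet fields are simplifying assumptions of mine; the addresses (200.0.0.1, 100.0.0.1, 100.0.0.2, 224.0.0.5) and the Case 1 line order come from the messages below. It shows why a return packet is permitted only while a mirrored entry exists, why an unsolicited inbound packet is dropped, and why an OSPF hello from the neighbour needs its own static permit line ahead of the evaluate line: a reflected entry swaps source and destination, so an entry mirrored from a hello sent to 224.0.0.5 can never match a hello arriving from the neighbour.

```python
# Added example (not from any poster in this thread): a toy model of how an
# IOS reflexive ACL keeps state. Timeouts and packet fields are simplified
# assumptions; the addresses are the ones used in the thread.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


Key = Tuple[str, str, str, int, int]


class ReflexiveList:
    """The dynamic list named on 'reflect' / 'evaluate' lines (e.g. REFLEXIVE)."""

    def __init__(self, timeout: int = 300) -> None:
        self.timeout = timeout
        self.entries: Dict[Key, int] = {}   # mirrored 5-tuple -> expiry time

    def reflect(self, pkt: Packet, now: int) -> Key:
        # The temporary entry permits the *reverse* flow: src/dst are swapped.
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout
        return key

    def evaluate(self, pkt: Packet, now: int) -> bool:
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry < now:                  # entry aged out: treat as never created
            del self.entries[key]
            return False
        return True


Line = Tuple[str, Callable[[Packet], bool], Optional[ReflexiveList]]


class ExtendedACL:
    """Ordered permit/deny/evaluate lines with IOS's implicit deny at the end."""

    def __init__(self, lines: List[Line]) -> None:
        self.lines = lines

    def apply(self, pkt: Packet, now: int) -> bool:
        for action, match, rlist in self.lines:
            if action == "evaluate":
                if rlist.evaluate(pkt, now):
                    return True
                continue                  # no entry: fall through to later lines
            if not match(pkt):
                continue
            if action == "permit":
                if rlist is not None:     # 'permit ... reflect NAME'
                    rlist.reflect(pkt, now)
                return True
            return False                  # explicit deny
        return False                      # implicit deny ip any any


def proto(name: str) -> Callable[[Packet], bool]:
    return lambda p: p.proto == name


def build_case1(permit_ospf: bool = False):
    """Brian's Case 1: OUTBOUND applied 'out' and INBOUND 'in' on S0/0."""
    refl = ReflexiveList(timeout=300)
    outbound = ExtendedACL([("permit", proto(n), refl) for n in ("tcp", "udp", "icmp")])
    inbound_lines: List[Line] = []
    if permit_ospf:                       # static line placed before 'evaluate'
        inbound_lines.append(("permit", proto("ospf"), None))
    inbound_lines += [("evaluate", lambda p: True, refl), ("deny", lambda p: True, None)]
    return outbound, ExtendedACL(inbound_lines), refl


def run_scenarios() -> Dict[str, bool]:
    """Verdict per constructed packet: True means the router would forward it."""
    outbound, inbound, refl = build_case1()
    results: Dict[str, bool] = {}
    echo_req = Packet("icmp", "200.0.0.1", "100.0.0.1")   # inside -> outside
    echo_rep = Packet("icmp", "100.0.0.1", "200.0.0.1")   # the reply coming back
    results["echo request out"] = outbound.apply(echo_req, now=0)
    results["echo reply back"] = inbound.apply(echo_rep, now=1)
    results["echo reply after timeout"] = inbound.apply(echo_rep, now=400)
    results["unsolicited syn"] = inbound.apply(Packet("tcp", "100.0.0.1", "200.0.0.1", 1025, 23), now=1)
    hello = Packet("ospf", "100.0.0.2", "224.0.0.5")      # neighbour's hello arriving on S0/0
    results["neighbor hello, no ospf line"] = inbound.apply(hello, now=1)
    # Even if the router's own hello were reflected, the mirrored entry
    # (src 224.0.0.5 -> dst 200.0.0.1) can never match the neighbour's hello.
    mirrored = refl.reflect(Packet("ospf", "200.0.0.1", "224.0.0.5"), now=1)
    results["mirrored entry src is multicast"] = mirrored[1] == "224.0.0.5"
    results["neighbor hello vs mirrored entry"] = inbound.apply(hello, now=2)
    _, inbound_with_ospf, _ = build_case1(permit_ospf=True)
    results["neighbor hello with permit ospf"] = inbound_with_ospf.apply(hello, now=1)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:36s} {'permit' if verdict else 'deny'}")
```

Calling `run_scenarios()` returns one verdict per constructed packet; the only scenario in which the neighbour's hello is forwarded is the one with a static `permit ospf` line ahead of `evaluate`, which is the point Adel and Brian make about keeping routing traffic out of the reflected set.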
----- Original Message -----
From: "David Deng" <glend_99@yahoo.com>
To: "Brian McGahan" <bmcgahan@internetworkexpert.com>;
<rich@myhomemail.net>; <ccielab@groupstudy.com>
Sent: Thursday, December 18, 2003 5:47 PM
Subject: RE: Help reflexive access list
> Hi Brian,
>
> Thanks for the explanation. However, I can see why it
> didn't work, for two reasons in my setup.
>
> 1. The routing table does not install the routes on
> one side even though I have permitted OSPF on both sides.
> The OSPF permit is not part of the ACL, so it would
> be independent of the reflexive ACL; I was not able to
> accomplish that.
>
> 2. The temporary entry did not get created, so when
> traffic came back it got administratively
> prohibited.
>
>
> Any suggestions ?
>
> Regards,
> David
> --- Brian McGahan <bmcgahan@internetworkexpert.com>
> wrote:
> > Looks like the latter part of my message got
> > snipped.
> >
> > The 2nd case is when the traffic is reflected as it
> > comes in the inside
> > interface, and evaluated when coming in the outside
> > interface:
> >
> > Case 2: traffic reflected as it enters inside
> > interface
> >
> > interface Ethernet0/0
> > description To Inside Trusted Network
> > ip access-group OUTBOUND in
> > !
> > interface Serial0/0
> > description To Outside Untrusted Network
> > ip access-group INBOUND in
> > !
> > ip access-list extended INBOUND
> > evaluate REFLEXIVE
> > deny ip any any
> > !
> > ip access-list extended OUTBOUND
> > permit tcp any any reflect REFLEXIVE
> > permit udp any any reflect REFLEXIVE
> > permit icmp any any reflect REFLEXIVE
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 708-362-1418 (Outside the US and Canada)
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Brian McGahan
> > > Sent: Thursday, December 18, 2003 11:55 AM
> > > To: 'David Deng'; rich@myhomemail.net; ccielab@groupstudy.com
> > > Subject: RE: Help reflexive access list
> > >
> > > David,
> > >
> > > Your access-lists are misplaced from the normal design model of a
> > > stateful firewall (reflexive, cbac, pix, etc). A "stateful" firewall
> > > means that when traffic leaves the network it is noted in a state table.
> > > When traffic tries to come back into the network it is only allowed if
> > > there is a previously created entry in the state table. A reflexive
> > > list uses the same principle.
> > >
> > > When traffic is leaving the network it is "reflected" to the state
> > > table. When traffic tries to come back in it is "evaluated" to see if
> > > there is a previous entry in the state table. If there is no entry (and
> > > no explicit permit statement) the traffic is denied. Traffic is
> > > typically "reflected" as it is going out the outside interface
> > > connecting to the untrusted portion of the network. However, traffic
> > > may also be "reflected" as it is coming in the inside interface(s)
> > > connected to the trusted portion of the network. The latter case
> > > typically occurs when only certain types of traffic are allowed to move
> > > from the inside interface to the outside interface or only traffic from
> > > certain interfaces is reflected while others are not.
> > >
> > >                         E0/0    S0/0
> > > Inside_trusted_network---R1---Outside_untrusted_network
> > >                  -----traffic flow---->
> > >
> > > Case 1: traffic reflected as it leaves outside
> > interface
> > >
> > > interface Serial0/0
> > > description To Outside Untrusted Network
> > > ip access-group INBOUND in
> > > ip access-group OUTBOUND out
> > > !
> > > ip access-list extended INBOUND
> > > evaluate REFLEXIVE
> > > deny ip any any
> > > !
> > > ip access-list extended OUTBOUND
> > > permit tcp any any reflect REFLEXIVE
> > > permit udp any any reflect REFLEXIVE
> > > permit icmp any any reflect REFLEXIVE
> > >
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 708-362-1418 (Outside the US and Canada)
> > >
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > David Deng
> > > > Sent: Thursday, December 18, 2003 1:45 AM
> > > > To: David Deng; rich@myhomemail.net; ccielab@groupstudy.com
> > > > Subject: Re: Help reflexive access list
> > > >
> > > > I have also tried to add one statement each in the
> > > > access-lists to permit ospf. (permit ospf any any)
> > > >
> > > > I also added one loopback interface on both end routers;
> > > > only the spf2 router sees the loopback route from DMI. When
> > > > I try to ping the DMI loopback address from sfp2, here is
> > > > what I got on the DMI router:
> > > >
> > > > 1w2d: ICMP: echo reply sent, src 172.16.2.2, dst
> > > > 200.0.0.1
> > > > 1w2d: ICMP: dst (172.16.2.2) administratively
> > > > prohibited unreachable rcv from 100.0.0.2
> > > >
> > > > Looks like an acl issue.
> > > >
> > > > David
> > > >
> > > >
> > > >
> > > > --- David Deng <glend_99@yahoo.com> wrote:
> > > > > David,
> > > > >
> > > > >
> > > > > Here is the output of the sh access-list test.
> > > > >
> > > > >
> > > > > shadow1#sh access-lists test
> > > > > Reflexive IP access list test
> > > > > permit ospf host 224.0.0.5 eq host
> > 200.0.0.1
> > > > > (2097 matches) (time left 2)
> > > > >
> > > > > More tests have shown that the spf2 router has received
> > > > > the loopback route of the DMI, but DMI cannot receive
> > > > > the loopback route of spf2 through OSPF. This could be
> > > > > the problem.
> > > > >
> > > > > David
> > > > >
> > > > >
> > > > > shadow1#
> > > > > --- Richard Davidson <rich@myhomemail.net> wrote:
> > > > > > try:
> > > > > > show access-list test
> > > > > >
> > > > > > --- David Deng <glend_99@yahoo.com> wrote:
> > > > > > > Hi Group,
> > > > > > >
> > > > > > > I have a question on reflexive access lists: the
> > > > > > > traffic should be able to pass through the middle
> > > > > > > router as long as it is initiated from within the
> > > > > > > internal network. But I cannot achieve that result.
> > > > > > >
> > > > > > > Here is my config and results.
> > > > > > > ping from sfp2 to 100.0.0.1 ... no response
> >
> === message truncated ===
>
>
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:43 GMT-3