RE: Help reflexive access list

From: David Deng (glend_99@yahoo.com)
Date: Fri Dec 19 2003 - 23:44:57 GMT-3


I found out the reflexive ACL is not supported on the
3750.
This is one of many things for which that switch cannot
be used as a router.

The routers work right after my config.
Thanks for all the help, Brian. I will work on the second
scenario.

David

--- David Deng <glend_99@yahoo.com> wrote:
> Brian,
>
> The problem is my ping did not get through (it did not
> create the ACL), and the debug ip icmp message on the Ext
> router R3 shows administratively prohibited even for a
> ping from Int router R1.
>
> There could be a few problems in my test environment.
> 1. I am using all switches, 3750 to be more specific
> 2. The switches are loaded with different images, some
> 12.1 and some 12.2.
>
> With the current setup, I might be hitting some bug.
> I will load the images to the same level and also try
> it on routers instead of switches.
>
> Will let you know the results once I have them.
>
> Thanks,
> David
>
>
> --- Brian McGahan <bmcgahan@internetworkexpert.com>
> wrote:
> > David,
> >
> > This portion of your configuration looks fine.
> > Take the list off. Can you ping from 200.0.0.1 to
> > 100.0.0.1? Put the list back on. How about now?
> > Here is a duplicate setup which behaves as it should:
> >
> > Inside outside
> > R1-----R2-----R3
> > E0/0 S0/1
> >
> >
> > R1:
> > interface Ethernet0/0
> > ip address 200.0.0.1 255.0.0.0
> > !
> > router ospf 1
> > network 200.0.0.1 0.0.0.0 area 0
> >
> > R2:
> > interface Ethernet0/0
> > ip address 200.0.0.2 255.0.0.0
> > !
> > interface Serial0/1
> > ip address 100.0.0.2 255.0.0.0
> > ip access-group in30 in
> > ip access-group out30 out
> > !
> > router ospf 1
> > network 100.0.0.2 0.0.0.0 area 0
> > network 200.0.0.2 0.0.0.0 area 0
> > !
> > ip access-list extended in30
> > permit ospf any any
> > evaluate test30
> > !
> > ip access-list extended out30
> > permit icmp any any reflect test30
> > permit tcp any any reflect test30
> > permit udp any any reflect test30
> >
> > R3:
> > interface Serial1/3
> > ip address 100.0.0.1 255.0.0.0
> > !
> > router ospf 1
> > network 100.0.0.1 0.0.0.0 area 0
> >
> > Traffic is denied when it is initiated from R3 to
> > R1:
> > R3#ping 200.0.0.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
> > U.U.U
> >
> > Traffic is permitted when it is initiated from R1
> to
> > R3:
> > R1#ping 100.0.0.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
> > !!!!!
> >
> > R2's reflexive list illustrates the state table for
> > this traffic flow:
> > R2#sh access-list test30
> > Reflexive IP access list test30
> > permit icmp host 100.0.0.1 host 200.0.0.1 (10 matches) (time left 258)
> >
> >
> > What is the problem you are seeing?
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 708-362-1418 (Outside the US and Canada)
> >
> >
> > > -----Original Message-----
> > > From: David Deng [mailto:glend_99@yahoo.com]
> > > Sent: Thursday, December 18, 2003 5:02 PM
> > > To: David Deng; Brian McGahan;
> > rich@myhomemail.net; ccielab@groupstudy.com
> > > Subject: RE: Help reflexive access list
> > >
> > > Forgot to mention that after changing my config to
> > > match your suggestion, it still did not work.
> > > Maybe I am missing something here.
> > >
> > >
> > >
> > > Int. net ext. net
> > > g1/0/13 g1/0/14
> > > sfp2 -----------shadow1------------DMI
> > > .1 200.0.0.0 .2 .2 100.0.0.0 .1
> > >
> > > shadow1#sh run int g1/0/14
> > > interface GigabitEthernet1/0/14
> > > no switchport
> > > ip address 100.0.0.2 255.255.255.0
> > > ip access-group in30 in
> > > ip access-group out30 out
> > >
> > >
> > > shadow1#sh access-lists
> > > Extended IP access list in30
> > > 10 permit ospf any any (352 matches)
> > > 20 evaluate test30
> > > Extended IP access list out30
> > > 10 permit ospf any any
> > > 20 permit icmp any any reflect test30
> > > 30 permit tcp any any reflect test30
> > > 40 permit udp any any reflect test30
> > > Reflexive IP access list test30
> > > spf-2#sh ip route
> > > Gateway of last resort is not set
> > >
> > > 100.0.0.0/24 is subnetted, 1 subnets
> > > O 100.0.0.0 [110/2] via 200.0.0.2, 15:22:34, GigabitEthernet1/0/3
> > > C 200.0.0.0/24 is directly connected, GigabitEthernet1/0/3
> > > 172.16.0.0/32 is subnetted, 1 subnets
> > > O 172.16.2.2 [110/3] via 200.0.0.2, 15:22:34, GigabitEthernet1/0/3
> > > 192.168.1.0/32 is subnetted, 1 subnets
> > > C 192.168.1.1 is directly connected, Loopback1
> > >
> > > DMI#sh ip route
> > > 100.0.0.0/24 is subnetted, 1 subnets
> > > C 100.0.0.0 is directly connected, GigabitEthernet3/0/23
> > > O 200.0.0.0/24 [110/2] via 100.0.0.2, 14:56:02, GigabitEthernet3/0/23
> > > 172.16.0.0/32 is subnetted, 1 subnets
> > > C 172.16.2.2 is directly connected, Loopback0
> > > DMI#
> > >
> > >
> > > --- David Deng <glend_99@yahoo.com> wrote:
> > > > Hi Brian,
> > > >
> > > > Thanks for the explanation. However, I can see why it
> > > > didn't work, for two reasons in my setup.
> > > >
> > > > 1. The routing table does not install the routes on
> > > > one side even though I have permit OSPF on both
> > > > sides
>
=== message truncated ===

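A small Python model, added here and not part of the thread or of Cisco IOS, of how R2's out30/in30 lists and the test30 state table in Brian's setup interact: an outbound packet matched by a reflect entry creates a mirrored temporary entry, the inbound evaluate line matches only replies to that entry, and everything else falls through to the implicit deny (the "administratively prohibited" David saw). The 300 second timeout is an assumed IOS default and the addresses are the ones from the thread.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp", "udp" or "ospf"
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports (icmp, ospf)
    dport: int = 0

@dataclass
class ReflexiveList:
    """Model of 'Reflexive IP access list test30' (created by reflect, matched by evaluate)."""
    timeout: int = 300    # assumed IOS default reflexive timeout, seconds
    entries: dict = field(default_factory=dict)   # mirrored 5-tuple -> expiry time

    def reflect(self, pkt, now):
        # The temporary entry is the mirror image of the outbound packet (addresses and ports swapped).
        self.entries[(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)] = now + self.timeout

    def evaluate(self, pkt, now):
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}   # age out entries
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.entries

def out30(pkt, refl, now):
    """permit icmp/tcp/udp any any reflect test30 (David's version also permits ospf)."""
    if pkt.proto in ("icmp", "tcp", "udp"):
        refl.reflect(pkt, now)
        return True
    return pkt.proto == "ospf"

def in30(pkt, refl, now):
    """permit ospf any any; evaluate test30; implicit deny at the end."""
    if pkt.proto == "ospf":
        return True
    return refl.evaluate(pkt, now)   # False is the 'administratively prohibited' case

def scenario():
    refl = ReflexiveList()
    # 1. R3 pings R1 first: nothing has been reflected yet, so the echo is dropped (U.U.U)
    r3_first = in30(Packet("icmp", "100.0.0.1", "200.0.0.1"), refl, now=0)
    # 2. R1 pings R3: the echo leaves via out30 and creates the mirrored entry; the reply matches it
    out30(Packet("icmp", "200.0.0.1", "100.0.0.1"), refl, now=10)
    reply = in30(Packet("icmp", "100.0.0.1", "200.0.0.1"), refl, now=12)
    # 3. A TCP session from R1 leaves an entry with the ports swapped as well
    out30(Packet("tcp", "200.0.0.1", "100.0.0.1", 40000, 23), refl, now=20)
    tcp_reply = in30(Packet("tcp", "100.0.0.1", "200.0.0.1", 23, 40000), refl, now=21)
    # 4. Once the timeout has run out, the ICMP entry is gone again
    reply_late = in30(Packet("icmp", "100.0.0.1", "200.0.0.1"), refl, now=10 + 301)
    return r3_first, reply, tcp_reply, reply_late
```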



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:43 GMT-3