Reflexive!

From: Nancy Khln (nancy_merill@yahoo.com)
Date: Sat Jun 05 2004 - 15:09:11 GMT-3

• Next message: Spolidoro, Guilherme: "RE: QoS - Police - Congestion - NoCongestion"
• Previous message: Kenneth Wygand: "Re: ports 5168 & 5169"
• Next in thread: John Underhill: "Re: Reflexive!"
• Maybe reply: John Underhill: "Re: Reflexive!"
• Maybe reply: Carlos G Mendioroz: "Re: Reflexive!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,
 
Couple of questions regarding Reflexive ACL, here is the scenario:
 
R1-s0(11.11.11.2)---------------------s1--R2--e0-------------------------BB3---l0(51.1.1.1)---
 
For testing reasons, I am running RIP&BGP between R2 and BB3
Before I configured my Reflexive ALs I am able to ping everything from everywhere, once the Reflexive AL are in place, I am able to ping BB3 from R1, as traffic is leaving the network it is "reflected" to the state table.
The ICMP traffic when tries to come back in it is "evaluated" to see if there
is a previous entry in the state table, it finds the entry and it goes throught he ping is successfull.Am I correct?
R1#ping 51.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 51.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 m
 
 NOw from BB3 and I am trying to ping R1's0, I was expecting to get a response since there is a previosly created entry in the table. It DOES NOT I am getting unreachable
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Here is R2's config
 
interface Ethernet0/0
 ip address 14.14.14.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
Extended IP access list INBOUND
    permit udp any any (104 matches)
    permit tcp any any (68 matches)
    evaluate TRAFFIC
    deny ip any any (44 matches)
Extended IP access list OUTBOUND
    permit udp any any reflect TRAFFIC
    permit tcp any any reflect TRAFFIC
    permit icmp any any reflect TRAFFIC
Reflexive IP access list TRAFFIC
    permit icmp host 51.1.1.1 host 11.11.11.2 (11 matches) (time left 158)
R2#
As long as I have this temporary entry in the state table I should be able to ping from BB3
11.11.11.2 Am I correct? I should not be allowed to ping anything else on the network from BB3, from R2 I am not able to ping BB3 , this is OK, the OUBOUND list doesnt affect locally generated packets.
DO I need to add in the INBOUND list permit ICMP !!!!!! This would defeat its purpose, wouldn't it? and allowe everything to go through.....
 Please advise.
Thank you
Nancy

                
---------------------------------
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger

• Next message: Spolidoro, Guilherme: "RE: QoS - Police - Congestion - NoCongestion"
• Previous message: Kenneth Wygand: "Re: ports 5168 & 5169"
• Next in thread: John Underhill: "Re: Reflexive!"
• Maybe reply: John Underhill: "Re: Reflexive!"
• Maybe reply: Carlos G Mendioroz: "Re: Reflexive!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:33 GMT-3