RE: Reflexive ACL - Clarification Needed - ??

From: john matijevic (matijevi@bellsouth.net)
Date: Sat Sep 04 2004 - 15:20:11 GMT-3


Hello,
Looks like you are correct in that you would need to allow the icmp
traffic back through in order to get the ping to work. I will have to
relab this again and test the pings. I originally got this to work
because I saw that my BGP was working after the reflexive acl, but did
not test the ping. Also, please post this error on my forum. Also, I know
your exam is coming up; here are some tips to review before your exam,
and for everyone else on this forum:
TEN TIPS FOR TAKING THE LAB EXAM

Read the entire exam first and check for addressing issues. Do not skip
any details or sections.

Manage your time. Make a plan to cover all the sections in the time
provided. Work out how much time you will spend on each section, keeping
in mind the point value of the questions. Don't forget to allow time at
the end to verify your solutions.

Clarify the requirements of each question. Don't assume requirements
that aren't mentioned in the question. During the lab, if you are in any
doubt, verify your understanding of the question with the proctor.

Do each question as a unit. Configure and verify before moving to the
next question. You may want to redraw the topology with all the details
available. This will help you visualize and map the network.

Troubleshoot. You must know how to troubleshoot using the tools
available. Although troubleshooting is important, don't lose too much
time working on a 2- or 3-point question. If you're caught off-guard by
an unfamiliar topic, don't stress too much over it. Work on the things
you are more comfortable with and go back to difficult items later.

Keep a list. During the exam, make notes on configurations and settings
as you move through the exam. Make a separate list for items you have
not been able to address or where you have not achieved the desired
result which you'll need to revisit.

Test your work. Never rely on a configuration done in the early hours of
the exam. There is a possibility that an item you configured a few
sections earlier can become broken and non-functional. Keep in mind that
points are awarded for working configuration only.

Save your configurations often.

Don't make any drastic changes in the last half hour of the exam.

Speed is vital on the exam. Review and practice core material the week
before the exam to ensure you can move quickly through the less
challenging questions.

Again I wish you the best of luck.
Sincerely,
John Matijevic, CCIE #13254, MCSE, CNE, CCEA
CEO
IgorTek Inc.
151 Crandon Blvd. #402
Key Biscayne, FL 33149
Hablo Espanol
305-321-6232
http://home.bellsouth.net/p/PWP-CCIE
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cisco Nuts
Sent: Saturday, September 04, 2004 1:56 PM
To: matijevi@bellsouth.net
Cc: ccielab@groupstudy.com; cisco@groupstudy.com
Subject: RE: Reflexive ACL - Clarification Needed - ??

Hello John,

Thank you for your clarification:

Yes, it does work ... Actually, interestingly, BOTH the solutions work
except for a minor adjustment that is needed in BOTH for pings to work !!

In my solution, I had to permit icmp any any on the inbound acl....

And in the solution proposed by the authors, I had to permit icmp any
any reflect TCP_Traffic on the inbound acl.........

Ok!! Have I had enough of this stuff or what???

Bewildered !!

:-(

R2#sh access-lists
Reflexive IP access list REFLECT
     permit tcp host 172.16.0.2 eq bgp host 172.16.0.3 eq 11002 (time left 77)
     permit udp host 224.0.0.9 eq rip host 10.10.1.1 eq rip (time left 66)
Extended IP access list inbound
    10 permit tcp any any eq bgp (12 matches)
    20 permit tcp any eq bgp any
    30 permit icmp any any (30 matches)
    40 evaluate REFLECT
    50 deny ip any any (12 matches)
Extended IP access list outbound
    10 permit tcp any any reflect REFLECT
    20 permit icmp any any reflect REFLECT
    30 permit udp any any reflect REFLECT
R2#
R2#sh ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.2.2.0/24      0.0.0.0                  0         32768 i
*> 10.3.3.0/24      172.16.0.3               0             0 300 i
*> 10.10.3.0/24     172.16.0.3               0             0 300 i

R2#ping 10.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms

>From: "john matijevic" <matijevi@bellsouth.net>
>Reply-To: "john matijevic" <matijevi@bellsouth.net>
>To: "'Cisco Nuts'" <cisconuts@hotmail.com>, <ccielab@groupstudy.com>
>CC: <cisco@groupstudy.com>
>Subject: RE: Reflexive ACL - Clarification Needed - ??
>Date: Sat, 4 Sep 2004 12:55:12 -0400
>
>Hello,
>I was able to implement the answer with success.
>Did you actually try to test the answer from the book? If it does work
>for you, what part of the answer don't you understand? If it doesn't
>work for you, please explain how the answer doesn't work for you.
>
>Sincerely,
>
>John Matijevic, CCIE #13254, MCSE, CNE, CCEA
>CEO
>IgorTek Inc.
>151 Crandon Blvd. #402
>Key Biscayne, FL 33149
>Hablo Espanol
>305-321-6232
>http://home.bellsouth.net/p/PWP-CCIE
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Cisco Nuts
>Sent: Saturday, September 04, 2004 12:10 PM
>To: ccielab@groupstudy.com
>Cc: cisco@groupstudy.com
>Subject: Reflexive ACL - Clarification Needed - ??
>
>Hello, Can someone help clarify this question on Reflexive ACL's?
>
>Task: Configure a reflexive access list on R6 and apply it to the
>R6-a3/0 internal interface allowing BGP and any other interesting
>traffic. (R6 connects to BB3 via atm3/0 and is required to run BGP
>with BB3)
>
>My solution:
>#ip access-list ext inbound
>#permit tcp any any eq bgp
>#permit tcp any eq bgp any
>#evaluate REFLECT
>#deny ip any any
>#ip access-list ext outbound
>#permit tcp any any reflect REFLECT
>#permit icmp any any reflect REFLECT
>#permit udp any any reflect REFLECT......(this could be added too)
>#int atm3/0
>#ip access-group inbound in
>#ip access-group outbound out
>#end
>
>Solution Proposed in the book:
>#ip access-list ext in_filters
>#permit tcp any any reflect TCP_Traffic
>#ip access-list ext out_filters
>#permit tcp any any eq bgp
>#permit pim any any
>#permit icmp any any
>#deny ip any any
>#evaluate TCP_Traffic
>#int atm3/0
>#ip access-group in_filters in
>#ip access-group out_filters out
>#end
>
>Having done a lot of reflexive acl labs and thought that I might have
>a good grasp at this topic, I feel lost now !! What would be a correct
>solution to this question? This question is from the Cisco Press CCIE
>Routing and Switching Practice Labs Book, Pg.332 - Lab5. Please help.
>Thank you kindly.
>
>____________________________________________________________________
___
>Please help support GroupStudy by purchasing your study materials
from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>


This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:36 GMT-3
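The behaviour this thread circles around (an outbound `reflect` line creating a mirrored temporary permit, `evaluate` consulting that entry from inside the inbound list, entries timing out, and ICMP echo replies on this R2 only getting in through an explicit `permit icmp any any`) as an added Python model. This is example code written for this page, not the posters', the book's or Cisco's; the session details (R2 at 172.16.0.2 opening BGP to 172.16.0.3 from port 11002, the 10.2.2.2 to 10.3.3.3 ping, the 300-second timeout) are constructed from the addresses in the output above, and treating ICMP as not mirrored is a stated simplification of what the poster observed on that box, not a claim about every IOS release.

```python
# Added example for this thread (not from the posters, the book or Cisco IOS): a model
# of how a reflexive ACL pair admits return traffic, built from the R2 lists posted above.
# Labelled assumption: only port-bearing protocols (TCP/UDP) are mirrored into the
# reflexive list, which is all R2's "sh access-lists" shows, so ICMP echo replies only
# get in through the explicit "permit icmp any any" line, as the poster found.
from dataclasses import dataclass
from typing import Optional

ANY = "any"
REFLEXIVE_TIMEOUT = 300  # seconds; the IOS default "ip reflexive-list timeout"

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for ICMP, which has no ports
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str                     # "permit", "deny" or "evaluate"
    proto: str = "ip"               # "ip" matches every protocol
    src: str = ANY
    dst: str = ANY
    sport: Optional[int] = None     # None means any port
    dport: Optional[int] = None
    reflect: Optional[str] = None   # reflexive list this permit populates
    evaluate: Optional[str] = None  # reflexive list this line consults
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

@dataclass
class ReflexEntry:
    ace: Ace           # the mirrored permit line
    expires_at: float  # simulated clock value at which the entry is removed

class Router:
    def __init__(self) -> None:
        self.now = 0.0  # simulated clock, advanced by hand
        self.acls: dict[str, list[Ace]] = {}
        self.reflexive: dict[str, list[ReflexEntry]] = {}

    def live(self, name: str) -> list[ReflexEntry]:
        # Entries whose inactivity timer has run out are dropped before use.
        self.reflexive[name] = [e for e in self.reflexive.get(name, []) if e.expires_at > self.now]
        return self.reflexive[name]

    def check(self, aces: list[Ace], p: Packet) -> bool:
        """First-match evaluation, ending in the implicit deny of every IOS ACL."""
        for ace in aces:
            if ace.action == "evaluate":
                for e in self.live(ace.evaluate):
                    if e.ace.matches(p):
                        e.expires_at = self.now + REFLEXIVE_TIMEOUT  # traffic refreshes it
                        return True
                continue  # nothing nested matched, so the later lines are tried
            if not ace.matches(p):
                continue
            if ace.action == "permit" and ace.reflect and p.sport is not None:
                # Mirror the 5-tuple: reply traffic has src/dst and the ports swapped.
                mirror = Ace("permit", p.proto, src=p.dst, dst=p.src, sport=p.dport, dport=p.sport)
                entries = self.reflexive.setdefault(ace.reflect, [])
                if not any(e.ace == mirror for e in entries):  # one entry per session
                    entries.append(ReflexEntry(mirror, self.now + REFLEXIVE_TIMEOUT))
            return ace.action == "permit"
        return False

def r2() -> Router:
    r = Router()  # R2's two lists as posted; comments carry the sequence numbers shown
    r.acls["inbound"] = [
        Ace("permit", "tcp", dport=179),      # 10 permit tcp any any eq bgp
        Ace("permit", "tcp", sport=179),      # 20 permit tcp any eq bgp any
        Ace("permit", "icmp"),                # 30 permit icmp any any
        Ace("evaluate", evaluate="REFLECT"),  # 40 evaluate REFLECT
        Ace("deny"),                          # 50 deny ip any any
    ]
    r.acls["outbound"] = [Ace("permit", "tcp", reflect="REFLECT"),   # 10
                          Ace("permit", "icmp", reflect="REFLECT"),  # 20
                          Ace("permit", "udp", reflect="REFLECT")]   # 30
    return r

REFLECT_ONLY = [Ace("evaluate", evaluate="REFLECT"), Ace("deny")]  # line 40 in isolation

def show_reflexive(r: Router, name: str) -> list[str]:
    """Render entries roughly the way "show access-lists" prints a reflexive list."""
    def ep(host: str, port: Optional[int]) -> str:
        return ("any" if host == ANY else f"host {host}") + ("" if port is None else f" eq {port}")
    return [f"permit {e.ace.proto} {ep(e.ace.src, e.ace.sport)} {ep(e.ace.dst, e.ace.dport)}"
            f" (time left {int(e.expires_at - r.now)})" for e in r.live(name)]

def bgp_open(r: Router) -> tuple[bool, bool]:
    """Constructed: R2 opens BGP to 172.16.0.3 from port 11002; returns (SYN out, SYN/ACK in via line 40 alone)."""
    syn = Packet("tcp", "172.16.0.2", "172.16.0.3", 11002, 179)
    syn_ack = Packet("tcp", "172.16.0.3", "172.16.0.2", 179, 11002)
    return r.check(r.acls["outbound"], syn), r.check(REFLECT_ONLY, syn_ack)

def ping_reply_admitted(r: Router, explicit_icmp_permit: bool) -> bool:
    """Echo out, echo-reply back, with or without line 30 in the inbound list."""
    r.check(r.acls["outbound"], Packet("icmp", "10.2.2.2", "10.3.3.3"))  # matches line 20, nothing mirrored
    inbound = [a for a in r.acls["inbound"] if explicit_icmp_permit or a.proto != "icmp"]
    return r.check(inbound, Packet("icmp", "10.3.3.3", "10.2.2.2"))
```

Running `bgp_open(r2())` returns `(True, True)` and `show_reflexive` then prints a single mirrored line of the same shape as the `Reflexive IP access list REFLECT` output above; `ping_reply_admitted` is `True` with line 30 present and `False` without it, which is the "minor adjustment" the poster needed; advancing `r.now` past `REFLEXIVE_TIMEOUT` empties the list, which is what the `time left` counter is tracking.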