RE: Reflexive ACL - Clarification Needed - ??

From: Cisco Nuts (cisconuts@hotmail.com)
Date: Sat Sep 04 2004 - 15:52:30 GMT-3


John,

Thank you very much for your help.

Sincerely.

>From: "john matijevic" <matijevi@bellsouth.net>
>Reply-To: "john matijevic" <matijevi@bellsouth.net>
>To: "'Cisco Nuts'" <cisconuts@hotmail.com>
>CC: <ccielab@groupstudy.com>, <cisco@groupstudy.com>
>Subject: RE: Reflexive ACL - Clarification Needed - ??
>Date: Sat, 4 Sep 2004 14:20:11 -0400
>
>Hello,
>Looks like you are correct in that you would need to allow the icmp
>traffic back through in order to get the ping to work. I will have to
>relab this up again, and test the pings. I originally got this to work
>because I saw that my BGP was working after the reflexive acl, but did
>not test the ping. Also please post this error on my forum. Also I know
>your exam is coming up; here are some tips to review before your exam,
>and for everyone else on this forum:
>
>TEN TIPS FOR TAKING THE LAB EXAM
>
>Read the entire exam first and check for addressing issues. Do not skip
>any details or sections.
>
>Manage your time. Make a plan to cover all the sections in the time
>provided. Work out how much time you will spend on each section, keeping
>in mind the point value of the questions. Don't forget to allow time at
>the end to verify your solutions.
>
>Clarify the requirements of each question. Don't assume requirements
>that aren't mentioned in the question. During the lab, if you are in any
>doubt, verify your understanding of the question with the proctor.
>
>Do each question as a unit. Configure and verify before moving to the
>next question. You may want to redraw the topology with all the details
>available. This will help you visualize and map the network.
>
>Troubleshoot. You must know how to troubleshoot using the tools
>available. Although troubleshooting is important, don't lose too much
>time working on a 2- or 3-point question. If you're caught off-guard by
>an unfamiliar topic, don't stress too much over it. Work on the things
>you are more comfortable with and go back to difficult items later.
>
>Keep a list. During the exam, make notes on configurations and settings
>as you move through the exam. Make a separate list for items you have
>not been able to address or where you have not achieved the desired
>result which you'll need to revisit.
>
>Test your work. Never rely on a configuration done in the early hours of
>the exam. There is a possibility that an item you configured a few
>sections earlier can become broken and non-functional. Keep in mind that
>points are awarded for working configuration only.
>
>Save your configurations often.
>
>Don't make any drastic changes in the last half hour of the exam.
>
>Speed is vital on the exam. Review and practice core material the week
>before the exam to ensure you can move quickly through the less
>challenging questions.
>
>Again I wish you the best of luck.
>Sincerely,
>John Matijevic, CCIE #13254, MCSE, CNE, CCEA
>CEO
>IgorTek Inc.
>151 Crandon Blvd. #402
>Key Biscayne, FL 33149
>Hablo Espanol
>305-321-6232
>http://home.bellsouth.net/p/PWP-CCIE
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Cisco Nuts
>Sent: Saturday, September 04, 2004 1:56 PM
>To: matijevi@bellsouth.net
>Cc: ccielab@groupstudy.com; cisco@groupstudy.com
>Subject: RE: Reflexive ACL - Clarification Needed - ??
>
>Hello John,
>
>Thank you for your clarification:
>
>Yes, it does work ...Actually Interestingly BOTH the solutions work
>except for a minor adjustment that is needed in BOTH for pings to work !!
>
>In my solution, I had to permit icmp any any on the inbound acl....
>
>And in the solution proposed by the authors, I had to permit icmp any
>any reflect TCP_Traffic on the inbound acl.........
>
>Ok!! Have I had enough of this stuff or what???
>
>Bewildered !!
>
>:-(
>
>R2#sh access-lists
>Reflexive IP access list REFLECT
>    permit tcp host 172.16.0.2 eq bgp host 172.16.0.3 eq 11002 (time left 77)
>    permit udp host 224.0.0.9 eq rip host 10.10.1.1 eq rip (time left 66)
>Extended IP access list inbound
>    10 permit tcp any any eq bgp (12 matches)
>    20 permit tcp any eq bgp any
>    30 permit icmp any any (30 matches)
>    40 evaluate REFLECT
>    50 deny ip any any (12 matches)
>Extended IP access list outbound
>    10 permit tcp any any reflect REFLECT
>    20 permit icmp any any reflect REFLECT
>    30 permit udp any any reflect REFLECT
>R2#
>R2#sh ip bgp
>   Network          Next Hop            Metric LocPrf Weight Path
>*> 10.2.2.0/24      0.0.0.0                  0         32768 i
>*> 10.3.3.0/24      172.16.0.3               0             0 300 i
>*> 10.10.3.0/24     172.16.0.3               0             0 300 i
>
>R2#ping 10.3.3.3
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
>!!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
>
>>From: "john matijevic" <matijevi@bellsouth.net>
>>Reply-To: "john matijevic" <matijevi@bellsouth.net>
>>To: "'Cisco Nuts'" <cisconuts@hotmail.com>, <ccielab@groupstudy.com>
>>CC: <cisco@groupstudy.com>
>>Subject: RE: Reflexive ACL - Clarification Needed - ??
>>Date: Sat, 4 Sep 2004 12:55:12 -0400
>>
>>Hello,
>>I was able to implement the answer with success.
>>Did you actually try to test the answer from the book? If it does work
>>for you, what part of the answer don't you understand? If it doesn't
>>work for you, please explain how the answer doesn't work for you.
>>
>>Sincerely,
>>
>>John Matijevic, CCIE #13254, MCSE, CNE, CCEA
>>CEO
>>IgorTek Inc.
>>151 Crandon Blvd. #402
>>Key Biscayne, FL 33149
>>Hablo Espanol
>>305-321-6232
>>http://home.bellsouth.net/p/PWP-CCIE
>>
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>Cisco Nuts
>>Sent: Saturday, September 04, 2004 12:10 PM
>>To: ccielab@groupstudy.com
>>Cc: cisco@groupstudy.com
>>Subject: Reflexive ACL - Clarification Needed - ??
>>
>>Hello, Can someone help clarify this question on Reflexive ACL's?
>>
>>Task: Configure a reflexive access list on R6 and apply it to the R6-a3/0
>>internal interface allowing BGP and any other interesting traffic. (R6
>>connects to BB3 via atm3/0 and is required to run BGP with BB3)
>>
>>My solution:
>>#ip access-list ext inbound
>>#permit tcp any any eq bgp
>>#permit tcp any eq bgp any
>>#evaluate REFLECT
>>#deny ip any any
>>#ip access-list ext outbound
>>#permit tcp any any reflect REFLECT
>>#permit icmp any any reflect REFLECT
>>#permit udp any any reflect REFLECT......(this could be added too)
>>#int atm3/0
>>#ip access-group inbound in
>>#ip access-group outbound out
>>#end
>>
>>Solution Proposed in the book:
>>#ip access-list ext in_filters
>>#permit tcp any any reflect TCP_Traffic
>>#ip access-list ext out_filters
>>#permit tcp any any eq bgp
>>#permit pim any any
>>#permit icmp any any
>>#deny ip any any
>>#evaluate TCP_Traffic
>>#int atm3/0
>>#ip access-group in_filters in
>>#ip access-group out_filters out
>>#end
>>
>>Having done a lot of reflexive acl labs and thought that I might have a
>>good grasp at this topic, I feel lost now !! What would be a correct
>>solution to this question? This question is from the Cisco Press CCIE
>>Routing and Switching Practice Labs Book, Pg.332 - Lab5. Please help.
>>Thank you kindly.
>>
>>_______________________________________________________________________
>>Please help support GroupStudy by purchasing your study materials from:
>>http://shop.groupstudy.com
>>
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
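
Added example, not part of the original thread and not code from the book or from Cisco: a simplified Python model of how a reflect statement and a later evaluate interact, using the poster's inbound and outbound lists. The packets and addresses are constructed placeholders, and the model ignores ICMP types and entry timeouts. It shows that a reply is permitted only after the matching outbound packet has passed a reflect statement, and that an evaluate placed after deny ip any any is never reached.

```python
# Simplified first-match ACL model; ICMP types and entry timers are ignored.
# Rule: (action, proto, src_port, dst_port, reflect_name); None matches anything.
def pkt(proto, src, sport, dst, dport):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def flow(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

def mirror(p):
    # The temporary entry is the outbound flow with source and destination swapped.
    return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

def run_acl(acl, p, table):
    """Return 'permit' or 'deny'; first match wins, end of list is implicit deny."""
    for rule in acl:
        if rule[0] == "evaluate":  # nested lookup in the temporary entries
            if flow(p) in table.get(rule[1], set()):
                return "permit"
            continue
        action, proto, sport, dport, reflect = rule
        if (proto in ("ip", p["proto"]) and sport in (None, p["sport"])
                and dport in (None, p["dport"])):
            if action == "permit" and reflect:
                table.setdefault(reflect, set()).add(mirror(p))
            return action
    return "deny"

# The poster's two lists, transcribed from the thread (179 is "eq bgp").
OUTBOUND = [("permit", "tcp", None, None, "REFLECT"),
            ("permit", "icmp", None, None, "REFLECT"),
            ("permit", "udp", None, None, "REFLECT")]
INBOUND = [("permit", "tcp", None, 179, None),
           ("permit", "tcp", 179, None, None),
           ("evaluate", "REFLECT"),
           ("deny", "ip", None, None, None)]
# Variant with the deny ahead of the evaluate, the order quoted for out_filters.
DENY_FIRST = INBOUND[:2] + [INBOUND[3], INBOUND[2]]

def demo():
    table = {}
    # Constructed packets; addresses are documentation-range placeholders.
    echo = pkt("icmp", "192.0.2.10", None, "198.51.100.7", None)
    reply = pkt("icmp", "198.51.100.7", None, "192.0.2.10", None)
    return {
        "reply_before_echo": run_acl(INBOUND, reply, table),
        "echo_out": run_acl(OUTBOUND, echo, table),
        "reply_after_echo": run_acl(INBOUND, reply, table),
        "reply_deny_first": run_acl(DENY_FIRST, reply, table),
    }
```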




This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:36 GMT-3