From: Scott Morris (swm@emanon.com)
Date: Sat Sep 04 2004 - 17:10:11 GMT-3
Well, that would be very true in that case! If the inbound ACL isn't
triggered, then you'll never get the temp entry made!
I think I was wondering about it since the solution was the "any any", which
implied that it was passing through the router and not just a reply to the
router itself.
Scott
_____
From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: Saturday, September 04, 2004 3:55 PM
To: Scott Morris; 'Cisco Nuts'; matijevi@bellsouth.net
Cc: ccielab@groupstudy.com; cisco@groupstudy.com
Subject: RE : Reflexive ACL - Clarification Needed - ??
I think the issue is when the ping is generated from the router which has
the reflexive ACL configured. In this case the echo does not hit the
outbound ACL.
--Richard
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Saturday, September 04, 2004 9:12 PM
To: 'Cisco Nuts'; matijevi@bellsouth.net
Cc: ccielab@groupstudy.com; cisco@groupstudy.com
Subject: RE: Reflexive ACL - Clarification Needed - ??
That's interesting that you had to make that change.
Docs are at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm#wp1000873
ICMP uses particular type entries in the temporary ACL created, so things
should be cool.
According to documentation, the icmp echo and echo-reply pairing SHOULD work
through reflexive ACLs. That's been my experience in the past as well. I'd
be interested in knowing what IOS version you were running to see whether
this is an intentional shift in functionality or some technical boo-boo
along the way of feature addition! :)
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIP, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cisco Nuts
Sent: Saturday, September 04, 2004 1:56 PM
To: matijevi@bellsouth.net
Cc: ccielab@groupstudy.com; cisco@groupstudy.com
Subject: RE: Reflexive ACL - Clarification Needed - ??
Hello John,
Thank you for your clarification:
Yes, it does work... Actually, interestingly, BOTH of the solutions work except
for a minor adjustment that is needed in BOTH for pings to work!!
In my solution, I had to permit icmp any any on the inbound ACL....
And in the solution proposed by the authors, I had to permit icmp any any
reflect TCP_Traffic on the inbound ACL.........
Ok!! Have I had enough of this stuff or what???
Bewildered !!
:-(
R2#sh access-lists
Reflexive IP access list REFLECT
permit tcp host 172.16.0.2 eq bgp host 172.16.0.3 eq 11002 (time left 77)
permit udp host 224.0.0.9 eq rip host 10.10.1.1 eq rip (time left 66)
Extended IP access list inbound
10 permit tcp any any eq bgp (12 matches)
20 permit tcp any eq bgp any
30 permit icmp any any (30 matches)
40 evaluate REFLECT
50 deny ip any any (12 matches)
Extended IP access list outbound
10 permit tcp any any reflect REFLECT
20 permit icmp any any reflect REFLECT
30 permit udp any any reflect REFLECT
R2#
R2#sh ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 10.2.2.0/24 0.0.0.0 0 32768 i
*> 10.3.3.0/24 172.16.0.3 0 0 300 i
*> 10.10.3.0/24 172.16.0.3 0 0 300 i
R2#ping 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
>From: "john matijevic" <matijevi@bellsouth.net>
>Reply-To: "john matijevic" <matijevi@bellsouth.net>
>To: "'Cisco Nuts'" <cisconuts@hotmail.com>, <ccielab@groupstudy.com>
>CC: <cisco@groupstudy.com>
>Subject: RE: Reflexive ACL - Clarification Needed - ??
>Date: Sat, 4 Sep 2004 12:55:12 -0400
>
>Hello,
>I was able to implement the answer with success.
>Did you actually try to test the answer from the book? If it does work
>for you, what part of the answer don't you understand? If it doesn't
>work for you, please explain how the answer doesn't work for you.
>
>Sincerely,
>
>John Matijevic, CCIE #13254, MCSE, CNE, CCEA
>CEO
>IgorTek Inc.
>151 Crandon Blvd. #402
>Key Biscayne, FL 33149
>Hablo Espanol
>305-321-6232
>http://home.bellsouth.net/p/PWP-CCIE
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Cisco Nuts
>Sent: Saturday, September 04, 2004 12:10 PM
>To: ccielab@groupstudy.com
>Cc: cisco@groupstudy.com
>Subject: Reflexive ACL - Clarification Needed - ??
>
>Hello, Can someone help clarify this question on Reflexive ACLs?
>
>Task: Configure a reflexive access list on R6 and apply it to the R6-a3/0
>internal interface allowing BGP and any other interesting traffic. (R6
>connects to BB3 via atm3/0 and is required to run BGP with BB3)
>
>My solution:
>#ip access-list ext inbound
>#permit tcp any any eq bgp
>#permit tcp any eq bgp any
>#evaluate REFLECT
>#deny ip any any
>#ip access-list ext outbound
>#permit tcp any any reflect REFLECT
>#permit icmp any any reflect REFLECT
>#permit udp any any reflect REFLECT ......(this could be added too)
>#int atm3/0
>#ip access-group inbound in
>#ip access-group outbound out
>#end
>
>Solution Proposed in the book:
>#ip access-list ext in_filters
>#permit tcp any any reflect TCP_Traffic
>#ip access-list ext out_filters
>#permit tcp any any eq bgp
>#permit pim any any
>#permit icmp any any
>#deny ip any any
>#evaluate TCP_Traffic
>#int atm3/0
>#ip access-group in_filters in
>#ip access-group out_filters out
>#end
>
>Having done a lot of reflexive acl labs and thought that I might have a
>good grasp at this topic, I feel lost now !! What would be a correct
>solution to this question? This question is from the Cisco Press CCIE
>Routing and Switching Practice Labs Book, Pg.332 - Lab5. Please help.
>Thank you kindly.
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
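As an added illustration of the point the thread converges on (this is a model written for this archive page, not code from the thread or from Cisco IOS): a packet the router itself originates is never evaluated by the outbound ACL, so no temporary "reflect" entry is created for it and the echo-reply falls through to "deny ip any any" unless a static "permit icmp any any" is present. The addresses are constructed from the R2 output above.

```python
# Added example: a minimal model of reflexive ACL evaluation on R2.
# Assumption (labelled): router-originated packets bypass the outbound ACL,
# while transit packets are evaluated by it and create a mirrored temp entry.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    proto: str   # "bgp", "icmp" or "udp" (simplified protocol label)
    src: str
    dst: str


@dataclass
class ReflexiveFirewall:
    # Temporary entries: the mirror (proto, src, dst) of each reflected outbound flow.
    reflect: set = field(default_factory=set)
    static_icmp_permit: bool = False   # the "permit icmp any any" workaround

    def outbound(self, pkt: Pkt, transit: bool) -> bool:
        """'permit <proto> any any reflect REFLECT' for tcp/icmp/udp."""
        if not transit:
            return True                        # router-originated: ACL not consulted
        self.reflect.add((pkt.proto, pkt.dst, pkt.src))
        return True

    def inbound(self, pkt: Pkt) -> bool:
        """Inbound ACL in the order R2 shows it."""
        if pkt.proto == "bgp":                 # permit tcp any any eq bgp / eq bgp any
            return True
        if pkt.proto == "icmp" and self.static_icmp_permit:
            return True                        # permit icmp any any
        if (pkt.proto, pkt.src, pkt.dst) in self.reflect:
            return True                        # evaluate REFLECT
        return False                           # deny ip any any


def ping(fw: ReflexiveFirewall, src: str, dst: str, transit: bool) -> bool:
    """Echo leaves through the outbound ACL; the echo-reply comes back inbound."""
    fw.outbound(Pkt("icmp", src, dst), transit)
    return fw.inbound(Pkt("icmp", dst, src))


def scenarios() -> dict:
    # Constructed: 10.2.2.2 is a host behind R2, 172.16.0.2 is R2's own address.
    return {
        "transit ping": ping(ReflexiveFirewall(), "10.2.2.2", "10.3.3.3", True),
        "router ping": ping(ReflexiveFirewall(), "172.16.0.2", "10.3.3.3", False),
        "router ping + permit icmp": ping(
            ReflexiveFirewall(static_icmp_permit=True), "172.16.0.2", "10.3.3.3", False),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'!!!!!' if ok else '.....'}")
```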
This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:36 GMT-3