RE: RE : Reflexive ACL - Clarification Needed - ??

From: Cisco Nuts (cisconuts@hotmail.com)
Date: Sat Sep 04 2004 - 17:37:41 GMT-3


Makes sense now... Thank you for pointing that out!!

No wonder in one of my other labs I had to configure # icmp any any
echo-reply on the inbound so that this router (where the refl. acl is
configured) could ping the BB router - meaning it was responding to the
icmp echo-replies from the BB router.....

Good Job - The Brians!!

:-)

>From: Richard Dumoulin <Richard.Dumoulin@vanco.fr>
>Reply-To: Richard Dumoulin <Richard.Dumoulin@vanco.fr>
>To: Scott Morris <swm@emanon.com>, "'Cisco Nuts'" <cisconuts@hotmail.com>, matijevi@bellsouth.net
>CC: ccielab@groupstudy.com, cisco@groupstudy.com
>Subject: RE : Reflexive ACL - Clarification Needed - ??
>Date: Sat, 4 Sep 2004 20:54:58 +0100
>
>I think the issue is when the ping is generated from the router which has
>the reflexive acl configured. In this case the echo does not hit the
>outbound acl,
>
>--Richard
>
>-----Original Message-----
>From : Scott Morris [mailto:swm@emanon.com]
>Sent : Saturday, September 04, 2004 9:12 PM
>To : 'Cisco Nuts'; matijevi@bellsouth.net
>Cc : ccielab@groupstudy.com; cisco@groupstudy.com
>Subject : RE: Reflexive ACL - Clarification Needed - ??
>
>That's interesting that you had to make that change.
>
>Docs are at:
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm#wp1000873
>
>ICMP uses particular type entries in the temporary ACL created, so things
>should be cool.
>
>According to documentation, the icmp echo and echo-reply pairing SHOULD work
>through reflexive ACLs. That's been my experience in the past as well. I'd
>be interested in knowing what IOS version you were running to see whether
>this is an intentional shift in functionality or some technical boo-boo
>along the way of feature addition! :)
>
>
>Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
>JNCIP, et al.
>IPExpert CCIE Program Manager
>IPExpert Sr. Technical Instructor
>swm@emanon.com/smorris@ipexpert.net
>http://www.ipexpert.net
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Cisco Nuts
>Sent: Saturday, September 04, 2004 1:56 PM
>To: matijevi@bellsouth.net
>Cc: ccielab@groupstudy.com; cisco@groupstudy.com
>Subject: RE: Reflexive ACL - Clarification Needed - ??
>
>Hello John,
>
>Thank you for your clarification:
>
>Yes, it does work... Actually, interestingly, BOTH the solutions work except
>for a minor adjustment that is needed in BOTH for pings to work!!
>
>In my solution, I had to permit icmp any any on the inbound acl....
>
>And in the solution proposed by the authors, I had to permit icmp any any
>reflect TCP_Traffic on the inbound acl.........
>
>Ok!! Have I had enough of this stuff or what???
>
>Bewildered!!
>
>:-(
>
>R2#sh access-lists
>Reflexive IP access list REFLECT
>     permit tcp host 172.16.0.2 eq bgp host 172.16.0.3 eq 11002 (time left 77)
>     permit udp host 224.0.0.9 eq rip host 10.10.1.1 eq rip (time left 66)
>Extended IP access list inbound
>    10 permit tcp any any eq bgp (12 matches)
>    20 permit tcp any eq bgp any
>    30 permit icmp any any (30 matches)
>    40 evaluate REFLECT
>    50 deny ip any any (12 matches)
>Extended IP access list outbound
>    10 permit tcp any any reflect REFLECT
>    20 permit icmp any any reflect REFLECT
>    30 permit udp any any reflect REFLECT
>R2#
>R2#sh ip bgp
>   Network          Next Hop            Metric LocPrf Weight Path
>*> 10.2.2.0/24      0.0.0.0                  0         32768 i
>*> 10.3.3.0/24      172.16.0.3               0             0 300 i
>*> 10.10.3.0/24     172.16.0.3               0             0 300 i
>
>R2#ping 10.3.3.3
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
>!!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
>
>
>>From: "john matijevic" <matijevi@bellsouth.net>
>>Reply-To: "john matijevic" <matijevi@bellsouth.net>
>>To: "'Cisco Nuts'" <cisconuts@hotmail.com>, <ccielab@groupstudy.com>
>>CC: <cisco@groupstudy.com>
>>Subject: RE: Reflexive ACL - Clarification Needed - ??
>>Date: Sat, 4 Sep 2004 12:55:12 -0400
>>
>>Hello,
>>I was able to implement the answer with success.
>>Did you actually try to test the answer from the book? If it does work
>>for you, what part of the answer don't you understand? If it doesn't
>>work for you, please explain how the answer doesn't work for you.
>>
>>Sincerely,
>>
>>John Matijevic, CCIE #13254, MCSE, CNE, CCEA
>>CEO
>>IgorTek Inc.
>>151 Crandon Blvd. #402
>>Key Biscayne, FL 33149
>>Hablo Espanol
>>305-321-6232
>>http://home.bellsouth.net/p/PWP-CCIE
>>
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Cisco Nuts
>>Sent: Saturday, September 04, 2004 12:10 PM
>>To: ccielab@groupstudy.com
>>Cc: cisco@groupstudy.com
>>Subject: Reflexive ACL - Clarification Needed - ??
>>
>>Hello, can someone help clarify this question on Reflexive ACLs?
>>
>>Task: Configure a reflexive access list on R6 and apply it to the R6-a3/0
>>internal interface allowing BGP and any other interesting traffic. (R6
>>connects to BB3 via atm3/0 and is required to run BGP with BB3)
>>
>>My solution:
>>#ip access-list ext inbound
>>#permit tcp any any eq bgp
>>#permit tcp any eq bgp any
>>#evaluate REFLECT
>>#deny ip any any
>>#ip access-list ext outbound
>>#permit tcp any any reflect REFLECT
>>#permit icmp any any reflect REFLECT
>>#permit udp any any reflect REFLECT......(this could be added too)
>>#int atm3/0
>>#ip access-group inbound in
>>#ip access-group outbound out
>>#end
>>
>>Solution proposed in the book:
>>#ip access-list ext in_filters
>>#permit tcp any any reflect TCP_Traffic
>>#ip access-list ext out_filters
>>#permit tcp any any eq bgp
>>#permit pim any any
>>#permit icmp any any
>>#deny ip any any
>>#evaluate TCP_Traffic
>>#int atm3/0
>>#ip access-group in_filters in
>>#ip access-group out_filters out
>>#end
>>
>>Having done a lot of reflexive acl labs and thought that I might have a
>>good grasp of this topic, I feel lost now!! What would be a correct
>>solution to this question? This question is from the Cisco Press CCIE
>>Routing and Switching Practice Labs Book, Pg.332 - Lab5. Please help.
>>Thank you kindly.
>>
>>_______________________________________________________________________
>>Please help support GroupStudy by purchasing your study materials from:
>>http://shop.groupstudy.com
>>
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
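The behaviour Richard describes, and the fix the thread arrives at, as an added example that is not part of the thread and not Cisco code: a small Python model of a reflexive ACL in which traffic forwarded out through the outbound ACL gets a mirrored temporary entry, while a ping the router itself originates never passes the outbound ACL, so its echo-reply is only admitted by an explicit inbound permit. It also goes one step past the thread by comparing the broad `permit icmp any any` with the narrower echo-reply permit mentioned at the top, since the broad rule also admits unsolicited inbound echoes. The host 10.2.2.2, the port and ICMP type numbers, and the matcher names are assumptions; the ACL rules follow the ones posted.

```python
from collections import namedtuple
ECHO, ECHO_REPLY = 8, 0   # ICMP types; for ICMP packets 'sport' carries the type
Pkt = namedtuple("Pkt", "proto src dst sport dport", defaults=(0, 0))
def mirror(p):
    # Temporary entry IOS installs for the return flow (swapped, echo -> echo-reply)
    if p.proto == "icmp":
        return Pkt("icmp", p.dst, p.src, ECHO_REPLY if p.sport == ECHO else p.sport)
    return Pkt(p.proto, p.dst, p.src, p.dport, p.sport)

class ReflexiveRouter:
    # inbound: [(action, match)], action permit/deny/evaluate; outbound: [(match, reflect)]
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.reflect = inbound, outbound, set()

    def send(self, p, router_originated=False):
        if router_originated:   # an outbound ACL never sees the router's own
            return True         # packets, so nothing is reflected (Richard's point)
        for match, reflect in self.outbound:
            if match(p):
                if reflect:
                    self.reflect.add(mirror(p))
                return True
        return False            # implicit deny

    def recv(self, p):
        for action, match in self.inbound:
            if action == "evaluate":
                if p in self.reflect:
                    return True
            elif match(p):
                return action == "permit"
        return False            # implicit deny

tcp_to_bgp = lambda p: p.proto == "tcp" and p.dport == 179
tcp_from_bgp = lambda p: p.proto == "tcp" and p.sport == 179
icmp_any = lambda p: p.proto == "icmp"
echo_reply_only = lambda p: p.proto == "icmp" and p.sport == ECHO_REPLY
OUTBOUND = [(lambda p: p.proto in ("tcp", "icmp", "udp"), True)]  # permit ... reflect REFLECT
INBOUND_POSTED = [("permit", tcp_to_bgp), ("permit", tcp_from_bgp),
                  ("evaluate", None), ("deny", lambda p: True)]
INBOUND_WIDE = INBOUND_POSTED[:2] + [("permit", icmp_any)] + INBOUND_POSTED[2:]
INBOUND_NARROW = INBOUND_POSTED[:2] + [("permit", echo_reply_only)] + INBOUND_POSTED[2:]
def reply_allowed(inbound, router_originated):
    # Ping 10.3.3.3 as in the thread, from R2 (172.16.0.2) or a constructed host
    # behind it (10.2.2.2); True if the echo-reply is admitted by the inbound ACL
    r = ReflexiveRouter(inbound, OUTBOUND)
    echo = Pkt("icmp", "172.16.0.2" if router_originated else "10.2.2.2", "10.3.3.3", ECHO)
    r.send(echo, router_originated)
    return r.recv(mirror(echo))
```

With the posted inbound list a transit ping's reply is admitted by the evaluate entry, but the router's own ping gets no reflexive entry and its reply hits the final deny; both the wide and the narrow permit fix that, and only the narrow one still drops an unsolicited inbound echo.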




This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:36 GMT-3