Re: Reflexive List - Internal

From: ccie2be (ccie2be@nyc.rr.com)
Date: Sat Oct 30 2004 - 12:16:32 GMT-3


I think this is a case where they're just trying to confuse us, probably
inadvertently.

You are right, the reflect acl should be applied to outbound traffic and the
evaluate acl should be applied to inbound traffic.

They got it all screwed up - at least that's what I think.

HTH, Tim

----- Original Message -----
From: <gladston@br.ibm.com>
To: <ccielab@groupstudy.com>
Sent: Saturday, October 30, 2004 10:57 AM
Subject: Reflexive List - Internal

> If the task says to apply a reflexive list on R6-atm3/0 internal
> interface, and R6 is connected to the remote router BB through ATM, I figure
> out that R6 is the internal router and BB is the external router.
>
> But I must be missing something. I do not agree with the direction used on
> the Lab5 CiscoPress.
>
> I read a thread some time ago in GroupStudy about this
> (http://www.groupstudy.com/archives/cisco/200409/msg00117.html) (and thanks
> John Matijevic for the Ten Tips). What is not clear for me is the direction
> used.
>
> R6(atm)--------(atm)BB
>
> If R6 (atm) is internal, R6 packets going out of R6 should be reflected
> (analysed to open holes in the opposite direction).
> Or I am misunderstanding it and the wording means the opposite side (BB) is
> the internal network. If so, why use a reflexive list on R6? (ok, the lab
> question is not intended to have real sense).
>
> The solution used on the book is:
>
> R6
> int atm 3/0
> ip access-group in-filters in
> ip access-group out-filter out
> !
> ip access-list extended in-filters
> permit tcp any any reflect tcp-traffic
> !
> ip access-list extended out-filters
> permit tcp any any eq bgp
> permit pim any any
> permit icmp any any
> deny ip any any
> evaluate tcp-traffic
>
> (you can see there is an error, "evaluate tcp-traffic" is after 'deny ip
> any any', but it is not the subject of this thread).
>
> What I think would be right, considering R6-atm the internal interface is:
>
> R6
> int atm 3/0
> ip access-group in-filters in
> ip access-group out-filters out
> !
> ip access-list extended out-filters
> permit tcp any any reflect tcp-traffic
> permit pim any any
> permit icmp any any
> !
> ip access-list extended in-filters
> evaluate tcp-traffic
> permit icmp any any
> permit pim any any
> permit tcp any any eq bgp
>
> But the wording on the task is confusing me; if R6-atm is the internal
> interface, the external interface would be R6 ethernet, and in that case the
> solution used on the lab makes sense. Any help?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
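As an added illustration (not part of the thread or of the CiscoPress lab), here is a small Python model of first-match ACL evaluation with reflect/evaluate semantics, run over the two list pairs quoted above. The addresses and port numbers are constructed and the function names (run_acl, r6_initiated_session) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def run_acl(acl, pkt, sessions):
    """First-match walk of an extended ACL. Entries are (action, proto, dport, reflect):
    proto "ip" matches any protocol, dport None matches any port, reflect names the
    reflexive list (or None). ("evaluate",) consults the session table. An implicit
    deny sits at the end, as in IOS."""
    for entry in acl:
        if entry[0] == "evaluate":
            # A reflected entry is the mirror image of the packet that created it
            if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in sessions:
                return "permit"
            continue  # no session matched: keep walking the static entries
        action, proto, dport, reflect = entry
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if action == "permit" and reflect:
            sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return action
    return "deny"

# The poster's corrected lists: reflect outbound (R6 -> BB), evaluate inbound.
FIXED_OUT = [("permit", "tcp", None, "tcp-traffic"), ("permit", "pim", None, None),
             ("permit", "icmp", None, None)]
FIXED_IN = [("evaluate",), ("permit", "icmp", None, None),
            ("permit", "pim", None, None), ("permit", "tcp", 179, None)]
# The book's lists as quoted: reflect inbound, evaluate after "deny ip any any".
BOOK_IN = [("permit", "tcp", None, "tcp-traffic")]
BOOK_OUT = [("permit", "tcp", 179, None), ("permit", "pim", None, None),
            ("permit", "icmp", None, None), ("deny", "ip", None, None), ("evaluate",)]

def r6_initiated_session(out_acl, in_acl):
    """R6 (constructed address 10.6.6.6) opens TCP/80 to BB (constructed 10.99.99.99);
    return the verdicts for the outbound SYN and the inbound SYN/ACK."""
    sessions = set()
    syn = Packet("tcp", "10.6.6.6", 40000, "10.99.99.99", 80)
    reply = Packet("tcp", "10.99.99.99", 80, "10.6.6.6", 40000)
    return run_acl(out_acl, syn, sessions), run_acl(in_acl, reply, sessions)
```

Walking both pairs through the model shows the practical difference: with the lists as the book places them, an R6-initiated TCP session is denied on the way out while any TCP session BB initiates towards R6 is permitted in, which is the reverse of what a reflexive list on the internal interface is meant to do.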



This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:54 GMT-3