RE: Reflexive List - Internal

From: john matijevic (matijevi@bellsouth.net)
Date: Sat Oct 30 2004 - 12:25:44 GMT-3


Hello Gladston,
In this particular scenario the Ethernet doesn't come into play here.
You are correct, you have to watch the wording here, but basically the
difference is that with an internal interface you just swap the entries for
the outbound and the inbound access-lists. Please look at the bottom of the
document, where it talks about internal and external interfaces, and
hopefully it should make more sense.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm#1001187

Sincerely,

John Matijevic, CCIE #13254, MCSE, CNE, CCEA
CEO
IgorTek Inc.
151 Crandon Blvd. #402
Key Biscayne, FL 33149
Hablo Espanol
305-321-6232
http://home.bellsouth.net/p/PWP-CCIE
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Saturday, October 30, 2004 10:58 AM
To: ccielab@groupstudy.com
Subject: Reflexive List - Internal

If the task says to apply a reflexive list on R6-atm3/0 internal
interface, and R6 is connected to the remote router BB through ATM, I
figure out that R6 is the internal router and BB is the external router.

But I must be missing something. I do not agree with the direction used
on the Lab5 CiscoPress.

I read a thread some time ago in GroupStudy about this
(http://www.groupstudy.com/archives/cisco/200409/msg00117.html) (and
thanks John Matijevic for the Ten Tips). What is not clear for me is the
direction used.

R6(atm)--------(atm)BB

If R6 (atm) is internal, R6 packets going out of R6 should be reflected
(analysed to open holes on the opposite direction).
Or I am misunderstanding it and the wording means the opposite side (BB)
is the internal network. If so, why use a reflexive list on R6? (ok, the
lab question is not intended to have real sense).

The solution used on the book is:

R6
int atm 3/0
 ip access-group in-filters in
 ip access-group out-filters out
!
ip access-list extended in-filters
 permit tcp any any reflect tcp-traffic
!
ip access-list extended out-filters
 permit tcp any any eq bgp
 permit pim any any
 permit icmp any any
 deny ip any any
 evaluate tcp-traffic

(you can see there is an error, "evaluate tcp-traffic" is after 'deny ip
any any', but it is not the subject of this thread).

What I think would be right, considering R6-atm the internal interface
is:

R6
int atm 3/0
 ip access-group in-filters in
 ip access-group out-filters out
!
ip access-list extended out-filters
 permit tcp any any reflect tcp-traffic
 permit pim any any
 permit icmp any any
!
ip access-list extended in-filters
 evaluate tcp-traffic
 permit icmp any any
 permit pim any any
 permit tcp any any eq bgp

But the wording on the task is confusing me; if R6-atm is the internal
interface, the external interface would be R6 ethernet, and in that case
the solution used on the lab makes sense. Any help?
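As an added illustration, not part of either message in this thread nor of the Cisco Press lab, here is a small Python model of the two points raised above: IOS access-lists are first-match, so an "evaluate" placed after "deny ip any any" never sees return traffic, and moving "reflect" and "evaluate" between the inbound and outbound lists (John's "swap the entries") decides which side of atm3/0 is allowed to open a TCP session. The hosts 10.0.0.1 and 192.168.1.1, the Telnet ports, and the helper names (Interface, Entry, book_config, swapped_config, telnet_session) are constructed for the example; the ACL contents come from the configs quoted in the question. Timeouts and TCP state tracking are left out.

```python
"""Toy model of reflexive ACL semantics on one Cisco IOS interface (added example).
Constructed addresses/ports. ACLs are first-match; 'reflect' on a permit creates a
mirrored temporary entry, 'evaluate' consults those entries at its position."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # 'tcp', 'icmp', 'pim', ...
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self):  # the temporary entry permits exactly the reverse flow
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Entry:
    action: str                     # 'permit', 'deny' or 'evaluate'
    proto: str = "ip"               # 'ip' matches every protocol
    eq: Optional[int] = None        # destination port, e.g. 179 for bgp
    reflect: Optional[str] = None   # reflexive list filled by this permit
    evaluate: Optional[str] = None  # reflexive list read by 'evaluate'

    def matches(self, pkt):
        return self.proto in ("ip", pkt.proto) and self.eq in (None, pkt.dport)


class Interface:
    """atm3/0 with 'ip access-group in-filters in' and 'ip access-group out-filters out'."""

    def __init__(self, acls):
        self.acls = acls
        self.reflexive = {}  # reflexive list name -> set of mirrored Packets

    def _run(self, name, pkt):
        for e in self.acls[name]:
            if e.action == "evaluate":
                if pkt in self.reflexive.get(e.evaluate, set()):
                    return True
                continue  # no temporary entry yet: fall through to later lines
            if not e.matches(pkt):
                continue
            if e.action == "permit" and e.reflect:
                self.reflexive.setdefault(e.reflect, set()).add(pkt.mirrored())
            return e.action == "permit"
        return False  # implicit deny at the end of every IOS ACL

    def inbound_ok(self, pkt):
        return self._run("in-filters", pkt)

    def outbound_ok(self, pkt):
        return self._run("out-filters", pkt)


BGP = 179


def book_config(fixed=False):
    """Cisco Press solution as quoted; fixed=True moves 'evaluate' ahead of the deny."""
    out = [Entry("permit", "tcp", eq=BGP), Entry("permit", "pim"), Entry("permit", "icmp"),
           Entry("deny"), Entry("evaluate", evaluate="tcp-traffic")]
    if fixed:
        out[3], out[4] = out[4], out[3]
    return Interface({"in-filters": [Entry("permit", "tcp", reflect="tcp-traffic")],
                      "out-filters": out})


def swapped_config():
    """The poster's alternative: reflect outbound, evaluate inbound."""
    return Interface({
        "out-filters": [Entry("permit", "tcp", reflect="tcp-traffic"),
                        Entry("permit", "pim"), Entry("permit", "icmp")],
        "in-filters": [Entry("evaluate", evaluate="tcp-traffic"), Entry("permit", "icmp"),
                       Entry("permit", "pim"), Entry("permit", "tcp", eq=BGP)]})


BB_HOST, R6_HOST = "10.0.0.1", "192.168.1.1"  # constructed hosts on each side of the link


def telnet_session(iface, opened_from_bb):
    """Returns (SYN passed, reply passed). A SYN from the BB side enters atm3/0 and
    its reply leaves; a SYN from the R6 side leaves atm3/0 and its reply enters."""
    if opened_from_bb:
        syn = Packet("tcp", BB_HOST, 40000, R6_HOST, 23)
        first, back = iface.inbound_ok, iface.outbound_ok
    else:
        syn = Packet("tcp", R6_HOST, 40001, BB_HOST, 23)
        first, back = iface.outbound_ok, iface.inbound_ok
    if not first(syn):
        return (False, False)  # SYN dropped, so there is no reply to filter
    return (True, back(syn.mirrored()))


if __name__ == "__main__":
    for label, iface in [("book", book_config()), ("book fixed", book_config(True)),
                         ("swapped", swapped_config())]:
        print(f"{label:11} from BB {telnet_session(iface, True)}  "
              f"from R6 {telnet_session(iface, False)}")
```

Run as-is it prints one line per configuration. With the book's ordering a session opened from the BB side gets in but its reply is dropped at "deny ip any any"; with "evaluate" moved up the reply passes; with reflect/evaluate swapped, only sessions opened from the R6 side get through, which is the practical difference between treating atm3/0 as the internal or the external interface.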



This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:54 GMT-3