RE: Reflexive ACL and traffic generated by the router

From: AdebolaA@mtnnigeria.net
Date: Tue Nov 09 2004 - 06:50:29 GMT-3


Bobby,
If I am not wrong, traffic generated by your router is not affected by an
access-list bound to your egress interface as out, i.e. ip access-group 100
out, even if it says deny ip any any, will still allow traffic generated
within the router itself. It is the in access-list that now needs to take
cognisance of return traffic in any case. In your case you will need to
concern yourself with the following:

ip access-list extended inboundfilters
permit tcp any any eq bgp
evaluate tcptraffic
evaluate udptraffic
evaluate icmptraffic
deny ip any any

You already have a line that says "permit tcp any any eq bgp". With BGP, at
times your router is the one receiving the traffic destined for the registered
port 179, and at other times it is the other router. I have forgotten the rule
now. So I will say, if there is nothing in your lab that says explicitly which
router should initiate the connection from a high port (>1023), add a new line
within this ACL:

permit tcp any eq bgp any

I don't have anywhere to set this up now.

I believe it should work.

Regards,
Bola
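
To make the point above concrete, here is a small Python model (added for this archive; it is not code from either poster or from Cisco) of how a reflexive ACL treats a transit session versus one the router itself opens, using the inbound and outbound lists from the thread. The addresses and ports are constructed, and the single shared reflexive list, the absence of timeouts and the 5-tuple packet representation are simplifying assumptions.

```python
# Added example (not from the thread): a model of how IOS reflexive ACLs treat
# transit traffic versus traffic the router itself originates. Assumed simplifications:
# one shared reflexive list, no timeouts, packets as (proto, src, sport, dst, dport).

def mirror(pkt):
    # The temporary entry IOS installs: same protocol, endpoints swapped.
    proto, src, sport, dst, dport = pkt
    return (proto, dst, dport, src, sport)

class ReflexiveAcl:
    def __init__(self, inbound, outbound):
        self.inbound = inbound    # ("permit"|"deny", proto, sport|None, dport|None) or ("evaluate",)
        self.outbound = outbound  # (proto, reflect); every outbound entry is a permit
        self.temp = set()         # reflexive entries created by 'reflect'

    def outbound_packet(self, pkt, router_originated=False):
        # IOS skips the outbound access-group for router-generated packets: no reflexive entry.
        if router_originated:
            return True
        for proto, reflect in self.outbound:
            if proto in (pkt[0], "ip"):
                if reflect:
                    self.temp.add(mirror(pkt))
                return True
        return False

    def inbound_packet(self, pkt):
        for entry in self.inbound:
            if entry[0] == "evaluate":      # consult the reflexive entries
                if pkt in self.temp:
                    return True
                continue
            action, proto, sport, dport = entry
            if proto in (pkt[0], "ip") and sport in (None, pkt[2]) and dport in (None, pkt[4]):
                return action == "permit"
        return False                        # implicit deny

OUTBOUND = [("tcp", True), ("udp", True), ("icmp", True), ("ip", False)]
ORIGINAL = [("permit", "tcp", None, 179), ("evaluate",), ("deny", "ip", None, None)]
# Bola's suggestion: also permit replies arriving from a neighbour's port 179.
FIXED = [("permit", "tcp", None, 179), ("permit", "tcp", 179, None), ("evaluate",),
         ("deny", "ip", None, None)]
TRANSIT_SYN = ("tcp", "10.1.1.10", 40000, "192.0.2.10", 80)  # constructed: host behind router
BGP_SYN = ("tcp", "10.0.0.1", 45000, "10.0.0.2", 179)        # constructed: router to its peer

def reply_allowed(inbound, syn, router_originated):
    """Send one SYN out Ethernet0/0 and report whether its SYN/ACK is let back in."""
    acl = ReflexiveAcl(inbound, OUTBOUND)
    acl.outbound_packet(syn, router_originated)
    return acl.inbound_packet(mirror(syn))
```

With the original inbound list the transit reply is reflected in but the router's own BGP reply is dropped; with the extra permit the BGP reply passes.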

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of METOO CCIE
Sent: 06 November 2004 01:44
To: ccielab@groupstudy.com
Subject: Reflexive ACL and traffic generated by the router

Hi gurus,

     I have the following Reflexive Access-list. It works fine. It installs
temporary ACL entries when there is traffic coming from some other router
and going out of Eth 0/0 of this router.

     However, when the traffic is generated by this router (on which the ACL
is configured), the reverse temporary entry is not created. Can someone
please tell me how to have traffic from this router also install a temp ACL
entry? I have bgp, ospf & glbp working on this router and the solution
should not break those. Thanks in advance.

!
interface Ethernet0/0
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip access-list extended inboundfilters
permit tcp any any eq bgp
evaluate tcptraffic
evaluate udptraffic
evaluate icmptraffic
deny ip any any
!
ip access-list extended outboundfilters
permit tcp any any reflect tcptraffic
permit udp any any reflect udptraffic
permit icmp any any reflect icmptraffic
permit ip any any
!

Thanks
-bobby



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:40 GMT-3