From: John T M (john_t_mathai@hotmail.com)
Date: Sat Feb 12 2005 - 06:51:52 GMT-3
Nice and to the point reply. Thanks Brian, that solves my dilemma.
Regds/John
----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "John T M" <john_t_mathai@hotmail.com>; "Group Study"
<ccielab@groupstudy.com>
Sent: Saturday, February 12, 2005 10:44 AM
Subject: RE: Reflexive ACL
> Traffic sourced by the router will not be reflected by ACL. This is
> similar to how an outbound ACL does not affect traffic sourced by the
> router (by default). If you want to test your configuration, try
> telnetting from a device behind R3.
>
> The common solution to allow someone on R3 to telnet to R1 would be to
> statically permit inbound returning telnet traffic. Another solution
> would be to policy route the telnet traffic out a loopback (local
> policy) and then it will be reflected. One last "off the wall" solution
> would be to source route (i.e. bounce) the telnet traffic to a router
> behind R3 and then the traffic will be reflected. I demonstrated these
> exact scenarios in our Technologies class (IETC-RS) today.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> John T M
> Sent: Friday, February 11, 2005 8:19 PM
> To: Group Study
> Subject: Reflexive ACL
>
> I was trying the reflexive ACL; I am perturbed that it is not working. Am
> I missing something here? Here is the config at the routers I
> tried..
>
> R3 (S0) -------- --------------------------------(S0) R1
>
> R3 Config
> interface Serial0
> ip address 172.16.0.6 255.255.255.252
> ip access-group INCOME in
> ip access-group OUTGO out
> !
> interface Loopback0
> ip address 10.0.103.1
> !
> ip access-list extended INCOME
> permit icmp any any echo-reply
> permit udp any any eq rip
> evaluate ALLOW
> ip access-list extended OUTGO
> permit tcp any any reflect ALLOW
> !
>
>
> I tried without the ACL and I can telnet into R1, but once I put the ACL
> in, it doesn't work.
>
> Regds/John
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Thu Mar 03 2005 - 08:51:20 GMT-3