Lock and Key ACLs

From: George Cassels (gcassels) (gcassels@cisco.com)
Date: Tue Apr 19 2005 - 11:06:12 GMT-3


ip access-list extended inbound
 permit ospf any any
 evaluate tcptraffic
ip access-list extended outbound
 permit tcp any any reflect tcptraffic

I did the above lock and key ACL to see if it would cause issues with my
IGP. At the time I was running OSPF, but I also tried it with EIGRP and
both worked. My question is how can the above outbound ACL work with my
IGPs when I am only permitting TCP on the reflect statement? My thought
was that it should drop my neighbor relationships because I did not
allow either ip any any or ospf any any on the outbound ACL. I would
like to know how others do the lock and key ACLs:
1. like the one above (straight out of the doc cd example)?
2. do you allow just the protocols that are running over that link
through both the inbound and outbound ACL? (May cause hits on the ACL
not to reach the reflect statement)
3. do you just do a permit ip any any on the outbound ACL after the
reflect statement? (would ensure all items have a chance to hit the
reflect statement first, but would ensure all traffic out does not get
blocked) Very broad though
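The behaviour the post asks about, as a constructed Python model added here (not part of the original post or of Cisco's code): it encodes the IOS rule that outbound interface ACLs are not applied to packets the router itself originates, which is why the router's own OSPF hellos keep leaving, and compares option 1 with option 3 on transit and return traffic. Addresses, port numbers and scenario names are made up.

```python
# Constructed model of IOS reflexive-ACL evaluation; not Cisco code.
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    local: bool = False   # True when the router itself originated the packet
@dataclass
class Interface:
    inbound: list         # ("permit", proto) or ("evaluate", name)
    outbound: list        # ("permit", proto) or ("reflect", proto, name)
    sessions: dict = field(default_factory=dict)  # name -> set of 5-tuples

    def send(self, p):
        """Outbound list. IOS does not apply outbound ACLs to packets the
        router itself originates, so its OSPF/EIGRP hellos leave regardless."""
        if p.local:
            return True
        for ace in self.outbound:
            if ace[0] == "permit" and ace[1] in ("ip", p.proto):
                return True
            if ace[0] == "reflect" and ace[1] == p.proto:
                key = (p.proto, p.dst, p.src, p.dport, p.sport)  # mirrored return flow
                self.sessions.setdefault(ace[2], set()).add(key)
                return True
        return False      # implicit deny at the end of the list

    def receive(self, p):
        for ace in self.inbound:
            if ace[0] == "permit" and ace[1] in ("ip", p.proto):
                return True
            if ace[0] == "evaluate" and \
               (p.proto, p.src, p.dst, p.sport, p.dport) in self.sessions.get(ace[1], ()):
                return True
        return False

def run(outbound):  # which of the post's scenarios pass for a given outbound list
    i = Interface([("permit", "ospf"), ("evaluate", "tcptraffic")], outbound)
    return {
        "own_hello": i.send(Packet("ospf", "10.0.0.1", "224.0.0.5", local=True)),
        "nbr_hello": i.receive(Packet("ospf", "10.0.0.2", "224.0.0.5")),
        "transit_udp": i.send(Packet("udp", "192.168.1.5", "198.51.100.1", 5000, 53)),
        "tcp_syn": i.send(Packet("tcp", "192.168.1.5", "203.0.113.9", 40000, 80)),
        "tcp_reply": i.receive(Packet("tcp", "203.0.113.9", "192.168.1.5", 80, 40000)),
        "unsolicited": i.receive(Packet("tcp", "203.0.113.9", "192.168.1.5", 80, 40001)),
    }
OPTION1 = [("reflect", "tcp", "tcptraffic")]   # the doc-cd example from the post
OPTION3 = OPTION1 + [("permit", "ip")]         # permit ip any any after the reflect line
```

With OPTION1 the IGP hellos pass in both directions but transit UDP is dropped outbound; with OPTION3 transit UDP passes while TCP still hits the reflect line first, so unsolicited inbound TCP is still denied.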



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:00 GMT-3