RE: lock and Key ACLs

From: Lee Donald (Lee.Donald@t-systems.co.uk)
Date: Tue Apr 19 2005 - 11:25:17 GMT-3


Hi George,

This is a Reflexive access-list not Lock and Key.

Also in answer to your question, traffic generated by the router will not
hit any access-list you have configured on it. So you only have to allow
routing protocol traffic back in from neighbours etc.

HTH

Lee.

-----Original Message-----
From: George Cassels (gcassels) [mailto:gcassels@cisco.com]
Sent: Tuesday, April 19, 2005 3:06 PM
To: ccielab@groupstudy.com
Subject: lock and Key ACLs

ip access-list extended inbound
 permit ospf any any
 evaluate tcptraffic
ip access-list extended outbound
 permit tcp any any reflect tcptraffic

I did the above lock and key ACL to see if it would cause issues with my
IGP. At the time I was running OSPF, but I also tried it with EIGRP and
both worked. My question is how can the above outbound ACL work with my
IGPs when I am only permitting TCP on the reflect statement. My thought was
that it should drop my neighbor relationships because I did not allow either
ip any any or ospf any any on the outbound ACL. I would like to know how
others do the lock and key ACLs:

1. like the one above (straight out of the doc cd example)?
2. do you allow just the protocols that are running over that link through
   both the inbound and outbound ACL? (May cause hits on the ACL not to
   reach the reflect statement)
3. do you just do a permit ip any any on the outbound ACL after the reflect
   statement? (would ensure all items have a chance to hit the reflect
   statement first, but would ensure all traffic out does not get blocked)
   Very broad though
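The behaviour discussed in this thread, modelled as an added example that is not part of either message: a small Python simulation of the two access lists above, in which router-generated traffic (the `local` flag, an assumption of this model) bypasses the outbound list, transit TCP creates a mirrored temporary entry, and the inbound list permits OSPF plus whatever `evaluate tcptraffic` matches.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: protocol, 4-tuple, and origin."""
    proto: str            # "tcp", "udp", "ospf", ...
    src: str
    sport: int
    dst: str
    dport: int
    local: bool = False   # True when the router itself generated the packet


class ReflexiveAcl:
    """Models the thread's lists:
    outbound: permit tcp any any reflect tcptraffic (implicit deny)
    inbound:  permit ospf any any / evaluate tcptraffic (implicit deny)
    """

    def __init__(self):
        # temporary entries created by 'reflect': (proto, src, sport, dst, dport)
        self.tcptraffic = set()

    def outbound(self, pkt):
        # Locally generated traffic (e.g. the router's own OSPF/EIGRP hellos)
        # is never checked against an outbound interface ACL, which is why the
        # IGP neighbours in the thread stayed up.
        if pkt.local:
            return "bypass"
        if pkt.proto == "tcp":
            # 'reflect tcptraffic': install the mirrored entry for return traffic
            self.tcptraffic.add(("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "permit"
        return "deny"        # implicit deny: transit non-TCP is dropped outbound

    def inbound(self, pkt):
        if pkt.proto == "ospf":
            return "permit"  # 'permit ospf any any' lets neighbour hellos back in
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.tcptraffic:
            return "permit"  # matched by 'evaluate tcptraffic'
        return "deny"        # implicit deny at the end of the list


def demo():
    acl = ReflexiveAcl()
    hello = Packet("ospf", "10.0.0.1", 0, "224.0.0.5", 0, local=True)
    syn = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    synack = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000)
    stray = Packet("tcp", "203.0.113.9", 80, "192.168.1.10", 40001)
    return acl.outbound(hello), acl.outbound(syn), acl.inbound(synack), acl.inbound(stray)
```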



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:00 GMT-3