From: Leigh Harrison (ccileigh@gmail.com)
Date: Thu Oct 06 2005 - 12:48:34 GMT-3
Howdy,
From your access-lists below, it reads:-
in_filters
let any tcp traffic come in and give it a flag of "TCP_Traffic"
out_filters
let in any bgp
let in any pim
let in any icmp
(if you've got the reflect at the bottom)
if any of this traffic is returning from something I sent out (check the
"TCP_Traffic" list) then let that in too
It seems like a strange access-list to me, if you are only allowing out
tcp and nothing else - as it would not allow out any icmp traffic, etc.
LH
dusth@comcast.net wrote:
> Leigh, you are right, my typo. Then the in_filters list does not
> reflect anything else except tcp for bgp. How is other traffic entering
> the network? Dustin
>
>
> -------------- Original message --------------
>
> > Hey Dustin,
> >
> > You're missing a line out there.
> >
> > On the out_filters list, at the bottom, you need to have in "evaluate
> > TCP_Traffic" or whatever the name of your reflected traffic is.
> >
> > This is the flag that tells the router to have a look to see if there
> > was an outbound connection made and if this is traffic coming back in.
> >
> > LH
> >
> >
> > dusth@comcast.net wrote:
> >
> > >Hi all, I'm reading the Cisco Press CCIE Routing and Switching Practice Labs by
> > >Martin Duggan and Maurulio Gorito. Lab 5 says to allow bgp and any other
> > >traffic, and here is the config in the book:
> > >ip access-list extended in_filters
> > > permit tcp an an reflect TCP_Traffic
> > >ip access-list extended out_filters
> > > permit tcp an an eq bgp
> > > permit pim an an
> > > permit icmp an an
> > >int atm3/0
> > > ip access-group in_filters in
> > > ip access-group out_filters out
> > >I just wonder why the in access-list only reflects tcp traffic but not others.
> > >Should other traffic be implicitly denied? Or is other traffic just not
> > >reflected?
> > >
> > >Thanks for any explanation.
> > >
> > >dustin
> > >
> >
> >_______________________________________________________________________
>
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:49 GMT-3
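
A toy model of the reflect/evaluate behaviour discussed in this thread, added here as an illustration and not taken from the book or from either poster. It runs constructed sample packets through in_filters and through out_filters with and without the "evaluate TCP_Traffic" line; the addresses and ports are made up, and reflexive entry timeouts are ignored.

```python
# Added illustration: a toy model of IOS reflexive ACL matching, not router code.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
BGP = 179  # "eq bgp" after the destination matches destination port 179

def check(acl, pkt, reflected):
    """Return True if acl permits pkt; 'reflect' entries record a mirror of it."""
    for entry in acl:
        if entry[0] == "evaluate":
            # Nested reflexive list: permits only exact mirrors of earlier sessions.
            if pkt in reflected.get(entry[1], set()):
                return True
            continue
        _, proto, dport, reflect_name = entry
        if pkt.proto != proto or (dport is not None and pkt.dport != dport):
            continue
        if reflect_name:
            mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            reflected.setdefault(reflect_name, set()).add(mirror)
        return True
    return False  # implicit deny at the end of every ACL

# The lists from the thread: (action, protocol, destination port, reflect name)
IN_FILTERS = [("permit", "tcp", None, "TCP_Traffic")]
OUT_AS_POSTED = [("permit", "tcp", BGP, None),
                 ("permit", "pim", None, None),
                 ("permit", "icmp", None, None)]
OUT_WITH_EVALUATE = OUT_AS_POSTED + [("evaluate", "TCP_Traffic")]

def run(out_filters):
    """Pass constructed sample packets through in_filters (in) and out_filters (out)."""
    reflected = {}
    tcp_in = Packet("tcp", "10.0.0.1", 40000, "192.0.2.1", 23)
    tcp_reply = Packet("tcp", "192.0.2.1", 23, "10.0.0.1", 40000)
    icmp_in = Packet("icmp", "10.0.0.1", None, "192.0.2.1", None)
    icmp_out = Packet("icmp", "192.0.2.1", None, "10.0.0.1", None)
    return {
        "tcp_in": check(IN_FILTERS, tcp_in, reflected),
        "tcp_reply_out": check(out_filters, tcp_reply, reflected),
        "icmp_in": check(IN_FILTERS, icmp_in, reflected),
        "icmp_out": check(out_filters, icmp_out, reflected),
    }

if __name__ == "__main__":
    print("as posted:    ", run(OUT_AS_POSTED))
    print("with evaluate:", run(OUT_WITH_EVALUATE))
```

In this model, non-TCP traffic arriving on the interface falls through to the implicit deny of in_filters, and the reply to a reflected TCP session is only let out once out_filters ends with the evaluate line.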