From: Jian Gu (guxiaojian@gmail.com)
Date: Thu Oct 06 2005 - 13:58:37 GMT-3
Mani,
Your statement is not true; depending on your network topology, a reflexive ACL
can be configured both inbound and outbound. This is clearly explained at
the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm
Jian
On 10/6/05, mani poopal <mani_ccie@yahoo.com> wrote:
>
> Hi
>
> I think there is something wrong in the config. Always reflect (put a
> seal) for outbound traffic (which should be permitted) and evaluate the same
> traffic (reflected) in the inbound direction; in your config you are
> reflecting inbound (in_filters) and it could be wrong. In the inbound
> direction, permit whatever interesting traffic (ping, OSPF, BGP, etc.) and
> finally give the evaluate XXXX command. In the outbound access-list you can
> define traffic to be reflected, and any traffic defined without the reflect
> keyword cannot come back. Hope this helps.
>
>
> Mani
>
> dusth@comcast.net wrote:
> Hi all, I'm reading the Cisco Press CCIE Routing and Switching Practice
> Labs by Martin Duggan and Maurilio Gorito. Lab 5 says to allow BGP and any
> other traffic, and here is the config in the book:
> ip access-list extended in_filters
>  permit tcp any any reflect TCP_Traffic
> ip access-list extended out_filters
>  permit tcp any any eq bgp
>  permit pim any any
>  permit icmp any any
> int atm3/0
>  ip access-group in_filters in
>  ip access-group out_filters out
> I just wonder why the in access-list only reflects TCP traffic but not
> others. Is other traffic implicitly denied? Or is other traffic
> just not reflected?
>
> Thanks for any explanation.
>
> dustin
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> B.ENG,MCSE,CCNP,CCSP,CCIE#14645
> (416)431 9929
> MANI_CCIE@YAHOO.COM
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:49 GMT-3
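
The two placements discussed in this thread, shown side by side as an added example that is not part of the original messages or of the book's lab solution. The interface names, ACL names and timeout value are hypothetical; the `reflect`, `evaluate` and `ip reflexive-list timeout` commands are standard IOS.

```cisco
! Added example. Interface and ACL names are hypothetical.
!
! Placement 1: reflexive ACL on the EXTERNAL interface.
! Sessions are recorded as they leave (out) and the temporary
! return entries are checked as traffic arrives (in).
ip access-list extended EXT_OUT
 permit tcp any any reflect TCP_SESSIONS
 permit icmp any any
ip access-list extended EXT_IN
 ! The router's own packets are not filtered by its outbound ACL,
 ! so its BGP session never creates a reflexive entry and must be
 ! permitted explicitly in both roles (peer connects to us, or
 ! peer answers a session we opened).
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 evaluate TCP_SESSIONS
 ! Implicit deny: anything else inbound is dropped.
!
interface Serial0/0
 ip access-group EXT_IN in
 ip access-group EXT_OUT out
!
! Placement 2: reflexive ACL on the INTERNAL interface.
! The directions swap because traffic leaving the inside network
! ENTERS this interface, so "reflect" sits in the inbound ACL and
! "evaluate" in the outbound ACL.
ip access-list extended INT_IN
 permit tcp any any reflect TCP_SESSIONS_INT
ip access-list extended INT_OUT
 evaluate TCP_SESSIONS_INT
!
interface FastEthernet0/0
 ip access-group INT_IN in
 ip access-group INT_OUT out
!
! Optional: idle timeout for temporary entries (default is 300 seconds).
ip reflexive-list timeout 120
```

After traffic has passed, `show ip access-lists` lists the temporary entries under the reflexive list name, which confirms which direction is actually creating them.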