Re: Reflexive ACL: Unable to ping local Ethernet

From: kevin gannon (kevin@gannons.net)
Date: Wed Oct 26 2005 - 05:34:37 GMT-3


You can use a local policy map to policy route the traffic to a loopback
interface and this will cause the traffic to be matched.

Regards
Kevin
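One way to write out the local-policy approach Kevin describes, as an added IOS configuration example that is not from the thread or from either poster's router. The loopback address, ACL number and route-map name are assumed; it is also assumed, as Kevin states, that policy-routing R3's own ICMP toward a loopback sends it back through the forwarding path so that out-reflect-1 on Ethernet0 sees it and creates the reflexive entry.

```cisco
! Added example (not from the thread): let R3's own pings hit out-reflect-1.
! Assumed values: Loopback0 address, ACL 100, route-map name LOCAL-REFLECT.
interface Loopback0
 ip address 10.255.3.3 255.255.255.255
!
! Match only router-sourced ICMP toward the Ethernet0 segment from the
! original post (1.1.46.0/24); everything else keeps its normal path.
access-list 100 permit icmp any 1.1.46.0 0.0.0.255
!
route-map LOCAL-REFLECT permit 10
 match ip address 100
 set interface Loopback0
!
! Local policy applies to locally generated packets only; transit traffic
! from R4/R5 is not touched and the reflexive ACLs stay as they are.
ip local policy route-map LOCAL-REFLECT
```

After applying it, a ping from R3 to R6 should leave a temporary entry visible in "show ip access-list help-reflect-1", which is the check that the outbound ACL actually saw the packet.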

On 10/26/05, Nawaz, Ajaz <Ajaz.Nawaz@bskyb.com> wrote:
> AFAIK RACLs will only be applied to the specified flow traversing through
> the router. Locally generated traffic, i.e. sourced from the router itself, is
> not subjected to RACLs. Given this, the issue must lie somewhere else.
>
> It's been some days now since your post - did you find a fix?
>
> Ajaz Nawaz
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> George Amen
> Sent: 22 October 2005 17:24
> To: Cisco certification
> Subject: Reflexive ACL: Unable to ping local Ethernet
>
> Topology:
>
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> |     R4        |                     |
> |               |                     | external network
> | Internal Net  r3-e0-----------|-----e0-r6
> |               |                     |
> |     R5        |                     |
> -----------------------------      --------------------
>
> Conditions:
> - Allow all TCP, UDP, ICMP originated from Internal Net
> - Allow all protocol configured (ospf, bgp)
> - and also allow r3 to ping r6
>
> R3 Configuration:
> !
> ip access-list extended in-reflect-1
>  permit ospf any any
>  permit tcp any eq bgp any
>  permit tcp any any eq bgp
>  permit icmp any any echo-reply
>  evaluate help-reflect-1
> !
> ip access-list extended out-reflect-1
>  permit tcp any any reflect help-reflect-1
>  permit udp any any reflect help-reflect-1
>  permit icmp any any reflect help-reflect-1
> !
> Rack135-R3#sh run int eth 0
> !
> interface Ethernet0
>  ip address 1.1.46.3 255.255.255.0
>  ip access-group in-reflect-1 in
>  ip access-group out-reflect-1 out
> !
>
> After doing this config, every part of the network and protocol is
> happily doing what I wanted, except "R3 cannot ping its Ethernet
> interface, i.e. itself".
>
> I tried pinging from R4 and R5; works fine. All protocols are working
> fine, and pings to IPs behind R6 (i.e. the external network) work,
> except that R3 is not able to ping itself.
>
> Any ideas why, and how to fix it without creating security holes?
>
> thanks
> - GA
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:54 GMT-3