RE: Reflexive ACL - IE LAB2 Q10.8-10

From: Cham (chamandeep.gill@gmail.com)
Date: Fri Nov 25 2005 - 15:22:24 GMT-3


Hello all,

With reference to IE LAB2 Q10.8-10

10.10.10.1 10.10.10.2 150.1.19.1 150.1.19.2
R1(gig4/1/0)----------------(gig4/0/0) R2 (fast0/0/0)--------(fast0/1/0)R3

R2 has a Reflexive ACL on fast 0/0/0 to effect ICMP from R1 to R2

interface FastEthernet0/0/0
 ip address 150.1.19.1 255.255.255.0
 ip access-group EVAL in
 ip access-group REFLECT out
 no ip proxy-arp
 half-duplex

Extended IP access list EVAL
    10 evaluate TEST
    15 permit icmp any any time-exceeded
    16 permit icmp any any port-unreachable (2 matches)
    20 permit ospf any any (98 matches)
    30 permit tcp any any eq bgp (24 matches)

Extended IP access list REFLECT
    10 permit icmp any any reflect TEST (40 matches)
    20 permit ip any any (3 matches) <---- without this a traceroute
from R1 will not work??

I can see how the normal ICMP part of this config works. But why do I
need the "permit ip any any" on the "REFLECT" ACL to get a trace route
to work? I was thinking that the "permit icmp any any" would permit
the trace route through and then reflect for an entry on the return
path??

I have also tried the below in place of the "permit icmp any any
reflect TEST" in the "REFLECT" but this also does not work?

permit icmp any any time-exceeded reflect TEST
permit icmp any any port-unreachable reflect TEST

I feel my understanding of the ICMP type/code is at a loss?

Thanks for any help on this.
CG
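Added worked example (not part of the original post, and not IOS code): a small Python model of the EVAL/REFLECT pair on R2's fast0/0/0 that walks a ping and a traceroute from R1 through the two ACLs. It assumes the IOS default that traceroute sends UDP probes rather than ICMP, so the probe is never matched by the ICMP reflect line; the reply from R3 is ICMP port-unreachable, which is allowed only by EVAL's static line 16. The addresses are the ones from the diagram; ports and ICMP type names are constructed for the model.

```python
# Toy model of R2's reflexive ACL pair from the post (simulation, not IOS code).
from dataclasses import dataclass
from typing import Optional

R1, R3 = "10.10.10.1", "150.1.19.2"   # addresses from the diagram in the post

@dataclass(frozen=True)
class Pkt:
    proto: str                        # "icmp", "udp", "tcp", "ospf"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # "echo", "echo-reply", "port-unreachable", ...

class R2Filter:
    def __init__(self, permit_ip_any_any: bool):
        self.permit_ip_any_any = permit_ip_any_any   # REFLECT line 20 present or not
        self.test = set()                            # dynamic entries of reflexive list TEST

    def out_reflect(self, p: Pkt) -> bool:
        # REFLECT, applied "out": line 10 permits ICMP and creates a mirrored entry
        if p.proto == "icmp":
            self.test.add(("icmp", p.dst, p.src, p.dport, p.sport))   # return flow, swapped
            return True
        return self.permit_ip_any_any                # line 20: permit ip any any (if configured)

    def in_eval(self, p: Pkt) -> bool:
        # EVAL, applied "in", checked in the order shown in the post
        if (p.proto, p.src, p.dst, p.sport, p.dport) in self.test:   # 10 evaluate TEST
            return True
        if p.proto == "icmp" and p.icmp_type in ("time-exceeded", "port-unreachable"):  # 15, 16
            return True
        if p.proto == "ospf" or (p.proto == "tcp" and p.dport == 179):   # 20 ospf, 30 tcp eq bgp
            return True
        return False                                 # implicit deny

def ping_works(f: R2Filter) -> bool:
    echo = Pkt("icmp", R1, R3, icmp_type="echo")
    reply = Pkt("icmp", R3, R1, icmp_type="echo-reply")
    return f.out_reflect(echo) and f.in_eval(reply)   # reply matches the TEST entry

def traceroute_works(f: R2Filter) -> bool:
    # Assumption: IOS traceroute probes are UDP to a high port, so REFLECT line 10 never sees them.
    probe = Pkt("udp", R1, R3, sport=40000, dport=33434)
    if not f.out_reflect(probe):
        return False                                 # probe dropped outbound on R2
    # R3 answers with ICMP port-unreachable: different protocol, so no TEST entry can match it;
    # only EVAL's static line 16 lets it back in.
    return f.in_eval(Pkt("icmp", R3, R1, icmp_type="port-unreachable"))
```

Running the model with `permit_ip_any_any=False` shows ping succeeding and traceroute failing at the outbound probe, which is the behaviour described in the post; with `True` both succeed.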



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3