Re: Reflexive ACL - IE LAB2 Q10.8-10

From: Imal kalutotage (imal.kalutotage@gmail.com)
Date: Fri Nov 25 2005 - 15:27:17 GMT-3


I have also experienced this. If you want to permit only traceroute, it
seems you cannot do it.
You have to permit ip any any between those hosts.
Maybe a bug.
Cheers
Imal

On 11/25/05, Cham <chamandeep.gill@gmail.com> wrote:
>
> Hello all,
>
> With reference to IE LAB2 Q10.8-10
>
> 10.10.10.1 10.10.10.2 150.1.19.1 150.1.19.2
> R1(gig4/1/0)----------------(gig4/0/0) R2 (fast0/0/0)--------(fast0/1/0)R3
>
> R2 has a Reflexive ACL on fast 0/0/0 to effect ICMP from R1 to R2
>
> interface FastEthernet0/0/0
> ip address 150.1.19.1 255.255.255.0
> ip access-group EVAL in
> ip access-group REFLECT out
> no ip proxy-arp
> half-duplex
>
> Extended IP access list EVAL
> 10 evaluate TEST
> 15 permit icmp any any time-exceeded
> 16 permit icmp any any port-unreachable (2 matches)
> 20 permit ospf any any (98 matches)
> 30 permit tcp any any eq bgp (24 matches)
>
> Extended IP access list REFLECT
> 10 permit icmp any any reflect TEST (40 matches)
> 20 permit ip any any (3 matches) <---- without this a traceroute
> from R1 will not work??
>
> I can see how the normal ICMP part of this config works. But why do I
> need the "permit ip any any" on the "REFLECT" ACL to get a trace route
> to work, I was thinking that the "permit icmp any any" would permit
> the trace route through and then reflect for an entry on the return
> path??
>
> I have also tried the below in place of the "permit icmp any any
> reflect TEST" in the "REFLECT" but this also does not work?
>
> permit icmp any any time-exceeded reflect TEST
> permit icmp any any port-unreachable reflect TEST
>
> I feel my understanding of the ICMP type/code is at a loss?
>
> Thanks for any help on this...
> CG

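Added example, not part of the original thread: a simplified first-match model of the EVAL and REFLECT lists quoted above, run over constructed packets. It assumes the IOS default of UDP traceroute probes starting at destination port 33434; the 33434-33534 range, the helper names and the reflexive matching (protocol plus swapped addresses) are illustrative simplifications.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "udp", "tcp", "ospf"
    src: str
    dst: str
    detail: object      # ICMP type name, or TCP/UDP destination port

def rule(proto, detail=None, reflect=False):
    return {"proto": proto, "detail": detail, "reflect": reflect}

def matches(r, pkt):
    if r["proto"] not in ("ip", pkt.proto):
        return False
    d = r["detail"]
    if d is None:
        return True
    if isinstance(d, range):
        return isinstance(pkt.detail, int) and pkt.detail in d
    return pkt.detail == d

def permitted(acl, pkt, reflected):
    """First match wins; falling off the end is the implicit deny."""
    for r in acl:
        if r == "evaluate":            # consult temporary reflexive entries
            if (pkt.proto, pkt.src, pkt.dst) in reflected:
                return True
        elif matches(r, pkt):
            if r["reflect"]:           # mirror entry for the return path
                reflected.add((pkt.proto, pkt.dst, pkt.src))
            return True
    return False

EVAL = ["evaluate", rule("icmp", "time-exceeded"), rule("icmp", "port-unreachable"),
        rule("ospf"), rule("tcp", 179)]
ICMP_ONLY = [rule("icmp", reflect=True)]                  # REFLECT without line 20
BROAD = ICMP_ONLY + [rule("ip")]                          # REFLECT as posted
NARROW = ICMP_ONLY + [rule("udp", range(33434, 33535))]   # assumed probe ports

R1, R3 = "10.10.10.1", "150.1.19.2"   # addresses from the quoted topology

def round_trip(reflect_acl, out_detail, back_detail, out_proto="icmp"):
    reflected = set()
    out = permitted(reflect_acl, Packet(out_proto, R1, R3, out_detail), reflected)
    back = permitted(EVAL, Packet("icmp", R3, R1, back_detail), reflected)
    return out and back

def ping_ok(acl):
    return round_trip(acl, "echo", "echo-reply")

def traceroute_ok(acl):   # UDP probe out, ICMP port-unreachable back
    return round_trip(acl, 33434, "port-unreachable", out_proto="udp")

def telnet_out_ok(acl):
    return permitted(acl, Packet("tcp", R1, R3, 23), set())
```

In this model the UDP-only entry lets the traceroute probe out just as `permit ip any any` does, while unrelated outbound traffic such as Telnet still hits the implicit deny.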

