RE: Reflexive ACL - IE LAB2 Q10.8-10

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Nov 25 2005 - 16:12:41 GMT-3


        What does a reflexive ACL do? Reflexive ACLs watch the packet
(reflect) and allow it to return (evaluate). When a packet is reflected,
the mirror image of that packet must be the one that returns. If it is
not, then it cannot be properly evaluated. Reflexive ACLs do not work
for any traffic that does not behave in this straightforward manner.
Standard FTP and TFTP are examples of applications that do not work in
this straightforward manner of a mirror image of the packet returning.

        In Cisco's IOS implementation of traceroute, the first packet
sent out is a UDP packet destined to port 33434 but the packet sent back
by the routers in the path is an ICMP time-exceeded when the TTL is
decremented to 0. Finally, in Cisco's implementation the final
destination sends an ICMP port-unreachable.

        So now that we understand how traceroute is implemented by Cisco
IOS and how reflexive ACLs work, we know that we need to "statically"
permit ICMP time-exceeded and ICMP port-unreachables in order for
traceroute to work.

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
 

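To make the "mirror image" point above concrete, here is a small Python model of one interface's reflexive ACL. It is an added example, not code from the thread or from IOS; the names Pkt, Ace, ReflexiveFirewall, build, ping_ok and traceroute_ok are my own, and the addresses come from the topology quoted below. It shows why ping passes on the reflected entry alone, why the UDP traceroute probe needs an outbound permit at all, and why even reflecting UDP cannot admit the ICMP replies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str               # "icmp", "udp", "tcp", ...
    src: str
    dst: str
    icmp_type: str = ""      # ICMP message type, "" for non-ICMP packets

@dataclass
class Ace:
    proto: str               # "ip" matches every protocol, as in IOS
    icmp_type: str = ""      # "" matches any ICMP type
    reflect: str = ""        # reflexive list this permit line populates
    evaluate: str = ""       # reflexive list this line consults instead of matching
    def matches(self, p):
        return self.proto in ("ip", p.proto) and self.icmp_type in ("", p.icmp_type)

class ReflexiveFirewall:
    # One interface: the outbound list creates state, the inbound list evaluates it.
    def __init__(self, outbound, inbound):
        self.outbound, self.inbound, self.state = outbound, inbound, {}
    def send(self, p):                    # packet leaving via the REFLECT list
        for ace in self.outbound:
            if ace.matches(p):
                if ace.reflect:           # store the mirror image: same protocol, src/dst swapped
                    self.state.setdefault(ace.reflect, set()).add((p.proto, p.dst, p.src))
                return True
        return False                      # implicit deny
    def receive(self, p):                 # packet arriving via the EVAL list
        for ace in self.inbound:
            if ace.evaluate and (p.proto, p.src, p.dst) in self.state.get(ace.evaluate, ()):
                return True               # exact mirror image of something reflected earlier
            if not ace.evaluate and ace.matches(p):
                return True               # statically permitted
        return False

R1, R3 = "10.10.10.1", "150.1.19.2"     # hosts from the thread's topology

def build(permit_any_ip, static_icmp, reflect_udp=False):
    out = [Ace("icmp", reflect="TEST")] + ([Ace("udp", reflect="TEST")] if reflect_udp else [])
    if permit_any_ip: out.append(Ace("ip"))
    inb = [Ace("ip", evaluate="TEST")]
    if static_icmp: inb += [Ace("icmp", "time-exceeded"), Ace("icmp", "port-unreachable")]
    return ReflexiveFirewall(out, inb)

def ping_ok(fw):                          # echo-reply is the mirror image of echo-request
    fw.send(Pkt("icmp", R1, R3, "echo-request"))
    return fw.receive(Pkt("icmp", R3, R1, "echo-reply"))

def traceroute_ok(fw):                    # IOS probe is UDP; the answer is ICMP, never a mirror image
    return fw.send(Pkt("udp", R1, R3)) and fw.receive(Pkt("icmp", R3, R1, "port-unreachable"))
```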
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cham
Sent: Friday, November 25, 2005 10:22 AM
To: ccielab@groupstudy.com
Subject: RE: Reflexive ACL - IE LAB2 Q10.8-10

Hello all,

With reference to IE LAB2 Q10.8-10

   10.10.10.1                  10.10.10.2   150.1.19.1            150.1.19.2
R1 (gig4/1/0)----------------(gig4/0/0) R2 (fast0/0/0)--------(fast0/1/0) R3

R2 has a Reflexive ACL on fast 0/0/0 to effect ICMP from R1 to R2

interface FastEthernet0/0/0
 ip address 150.1.19.1 255.255.255.0
 ip access-group EVAL in
 ip access-group REFLECT out
 no ip proxy-arp
 half-duplex

Extended IP access list EVAL
    10 evaluate TEST
    15 permit icmp any any time-exceeded
    16 permit icmp any any port-unreachable (2 matches)
    20 permit ospf any any (98 matches)
    30 permit tcp any any eq bgp (24 matches)

Extended IP access list REFLECT
    10 permit icmp any any reflect TEST (40 matches)
    20 permit ip any any (3 matches) <---- without this a traceroute
from R1 will not work??

I can see how the normal ICMP part of this config works. But why do I
need the "permit ip any any" on the "REFLECT" ACL to get a trace route
to work, I was thinking that the "permit icmp any any" would permit
the trace route through and then reflect for an entry on the return
path??

I have also tried the below in place of the "permit icmp any any
reflect TEST" in the "REFLECT" but this also does not work?

permit icmp any any time-exceeded reflect TEST
permit icmp any any port-unreachable reflect TEST

I feel my understanding of the ICMP type/code is at a loss?

Thanks for any help on this...
CG



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3