Re: Reflexive ACL - IE LAB2 Q10.8-10

From: nenad pudar (nenad.pudar@gmail.com)
Date: Fri Nov 25 2005 - 17:09:02 GMT-3


It is not clear to me what the lab requirements are; below I created one example
in which only the traceroute is allowed.
In addition we should not break existing applications (BGP & OSPF).

interface Serial0/0
 description to to r1 0/1
 ip address 172.16.66.5 255.255.255.252
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip nat outside
 encapsulation ppp
 ip ospf hello-interval 20
 ip ospf retransmit-interval 10
 ppp authentication chap PPP
 ppp chap hostname r6
end

RTF-R6#sh ip access-lists OUTBOUND
Extended IP access list OUTBOUND
    permit tcp any any reflect TCP&UDP-TRAFFIC
    permit udp any any reflect TCP&UDP-TRAFFIC

RTF-R6#sh ip access-lists INBOUND
Extended IP access list INBOUND
    permit tcp any any eq bgp (62 matches)
    permit ospf any any (29 matches)
    permit icmp any any port-unreachable (4 matches)
    permit icmp any any time-exceeded
    evaluate TCP&UDP-TRAFFIC

RTF-R6#telnet 172.16.66.6
Trying 172.16.66.6 ...
% Connection timed out; remote host not responding

RTF-R6#ping 172.16.66.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.66.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RTF-R6#tr 172.16.66.6

Type escape sequence to abort.
Tracing the route to 172.16.66.6

  1 172.16.66.6 16 msec * 16 msec

nenad

On 11/25/05, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>
> What does a reflexive ACL do? Reflexive ACLs watch the packet
> (reflect) and allow it to return (evaluate). When a packet is reflected
> the mirror image of that packet must be the one that returns. If it is
> not, then it cannot be properly evaluated. Reflexive ACLs do not work
> for any traffic that does not behave in this straightforward manner.
> Standard FTP and TFTP are examples of applications that do not work in
> this straightforward manner of a mirror image of the packet returning.
>
> In Cisco's IOS implementation of traceroute, the first packet
> sent out is a UDP packet destined to port 33434 but the packet sent back
> by the routers in the path is an ICMP time-exceeded when the TTL is
> decremented to 0. Finally in Cisco's implementation the final
> destination sends an ICMP port-unreachable.
>
> So now that we understand how traceroute is implemented by Cisco
> IOS and how reflexive ACLs work, we know that we need to "statically"
> permit ICMP time-exceeded and ICMP port-unreachables in order for
> traceroute to work.
>
> HTH,
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Cham
> Sent: Friday, November 25, 2005 10:22 AM
> To: ccielab@groupstudy.com
> Subject: RE: Reflexive ACL - IE LAB2 Q10.8-10
>
> Hello all,
>
> With reference to IE LAB2 Q10.8-10
>
>    10.10.10.1            10.10.10.2   150.1.19.1            150.1.19.2
> R1(gig4/1/0)----------------(gig4/0/0) R2 (fast0/0/0)--------(fast0/1/0)R3
>
> R2 has a Reflexive ACL on fast 0/0/0 to effect ICMP from R1 to R2
>
> interface FastEthernet0/0/0
> ip address 150.1.19.1 255.255.255.0
> ip access-group EVAL in
> ip access-group REFLECT out
> no ip proxy-arp
> half-duplex
>
> Extended IP access list EVAL
> 10 evaluate TEST
> 15 permit icmp any any time-exceeded
> 16 permit icmp any any port-unreachable (2 matches)
> 20 permit ospf any any (98 matches)
> 30 permit tcp any any eq bgp (24 matches)
>
> Extended IP access list REFLECT
> 10 permit icmp any any reflect TEST (40 matches)
> 20 permit ip any any (3 matches) <---- without this a traceroute
> from R1 will not work??
>
> I can see how the normal ICMP part of this config works. But why do I
> need the "permit ip any any" on the "REFLECT" ACL to get a trace route
> to work, I was thinking that the "permit icmp any any" would permit
> the trace route through and then reflect for an entry on the return
> path??
>
> I have also tried the below in place of the "permit icmp any any
> reflect TEST" in the "REFLECT" but this also not work?
>
> permit icmp any any time-exceeded reflect TEST
> permit icmp any any port-unreachable reflect TEST
>
> I feel my understanding of the ICMP type/code is at a loss?
>
> Thanks for any help on this.
> CG
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3