RE: Reflexive ACL entry question

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Thu Jan 12 2006 - 13:12:27 GMT-3


Thanks, guys! This helps a lot... I tried a number of sessions and
noticed that this increments for each session... 11002, 11003,
11004, 11005, etc.

Dave Schulz,
Email: dschulz@dpsciences.com

-----Original Message-----
From: Russell Nelson [mailto:gerrial@rivancitadel.com] On Behalf Of
ccie@rivancitadel.com
Sent: Thursday, January 12, 2006 11:08 AM
To: 'Rick'; Schulz, Dave
Cc: ccielab@groupstudy.com
Subject: RE: Reflexive ACL entry question

Dave,

        Rick is on the right track. The port 11002 is the port that your
system chose randomly to be its source port for the conversation. TCP
conversations have source and destination ports. The source port is usually
a random port higher than 1024. The initiating system will choose a source
port, then send to the receiving port, which is usually a well-known port
such as 23 for telnet or 179 for BGP. From then on the conversation will take
place between the source port of 11002 and the destination port of 23. I
hope this helps to clear up the matter for you.

Russ.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Rick
Sent: Thursday, January 12, 2006 11:00 AM
To: Schulz, Dave
Cc: ccielab@groupstudy.com
Subject: Re: Reflexive ACL entry question

Most TCP applications/connections work this way. The port for the return
traffic will mostly be random and will be above 1024. Most of the apps
have a range they will choose for the random part, however that isn't
always the case and varies by different vendors.

You will notice the same thing with BGP; this is a snippet from a neighbor
session:
Peer: 1.1.1.1+179 AS 1 Local: 2.2.2.2+1634 AS 2

This will let you know that Peer 1.1.1.1 initiated the connection using
port 179 and 2.2.2.2 responded on port 1634.

> I am working with some reflexive ACLs. Everything is working fine,
> but... doing a telnet from router through to another... I noticed that
> the return path was going to port 11002, rather than the expected port
> 23. I could not find any documentation on this. Does anyone have any
> information on this, or, at least point me to the information. Thanks
> in advance!
>
> R1#sh ip access
> Extended IP access list TCPIN
> 10 permit ospf any any (8 matches)
> 20 permit icmp any any (20 matches)
> 30 permit tcp any any eq telnet reflect TELNET (31 matches)
> Extended IP access list TCPOUT
> 10 permit ospf any any (1 match)
> 20 evaluate TELNET
> Reflexive IP access list TELNET
>     permit tcp host 172.16.1.4 eq telnet host 192.168.1.3 eq 11002 (52 matches) (time left 293)
>
> Dave
>
> Dave Schulz,
> Email: dschulz@dpsciences.com
>
>
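The behaviour Russ and Rick describe, replayed against the reflexive entry in Dave's quoted `show ip access-lists` output, as an added example: this is my Python model of how a `reflect`/`evaluate` pair builds and checks the temporary entry, not Cisco IOS code and not anything posted in the thread. The port-name table, the 300-second default timer and the packets are assumptions constructed to match what the thread shows.

```python
"""Model of a Cisco IOS reflexive ACL (added illustration, not Cisco code).

A `permit ... reflect NAME` rule that matches a packet creates a temporary
mirror-image entry in list NAME; `evaluate NAME` on the opposite direction
permits only packets that match that entry. Port-name table, timeout
handling and sample packets are assumptions constructed for this example.
"""
from dataclasses import dataclass

# IOS prints well-known ports by name in "show ip access-lists" (partial table, assumed).
PORT_NAMES = {23: "telnet", 179: "bgp"}
DEFAULT_TIMEOUT = 300  # seconds; the "time left" counter in the thread counts down from this


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class ReflexEntry:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    expires_at: float


def reflect(pkt: Packet, now: float, timeout: int = DEFAULT_TIMEOUT) -> ReflexEntry:
    """Build the mirror entry for a packet that matched a `reflect` rule.

    The triggering packet's destination (172.16.1.4:23) becomes the permitted
    source, and its ephemeral source port (11002) becomes the permitted
    destination port. That is why the entry ends in "eq 11002", not "eq 23".
    """
    return ReflexEntry(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport, now + timeout)


def port_name(p: int) -> str:
    return PORT_NAMES.get(p, str(p))


def render_ios(entry: ReflexEntry, now: float) -> str:
    """Format an entry the way `show ip access-lists` prints it (match counter omitted)."""
    return (f"permit {entry.proto} host {entry.src} eq {port_name(entry.sport)} "
            f"host {entry.dst} eq {port_name(entry.dport)} "
            f"(time left {int(entry.expires_at - now)})")


def evaluate(entries, pkt: Packet, now: float) -> bool:
    """`evaluate NAME`: permit only if all five fields match an unexpired entry."""
    key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return any(
        e.expires_at > now and (e.proto, e.src, e.sport, e.dst, e.dport) == key
        for e in entries
    )


def run_scenario() -> dict:
    """Replay the thread's telnet session with constructed packets."""
    # Inbound telnet SYN; the client picked ephemeral source port 11002.
    syn = Packet("tcp", "192.168.1.3", 11002, "172.16.1.4", 23)
    table = [reflect(syn, now=0)]  # TCPIN line 30 matched: entry created in list TELNET

    legit_reply = Packet("tcp", "172.16.1.4", 23, "192.168.1.3", 11002)
    wrong_port = Packet("tcp", "172.16.1.4", 23, "192.168.1.3", 11003)  # next session's port
    unswapped = Packet("tcp", "172.16.1.4", 11002, "192.168.1.3", 23)   # fields not mirrored
    fresh_syn = Packet("tcp", "172.16.1.4", 40000, "192.168.1.3", 23)   # outsider opening telnet

    return {
        "entry": render_ios(table[0], now=7),
        "reply_permitted": evaluate(table, legit_reply, now=7),
        "wrong_port_permitted": evaluate(table, wrong_port, now=7),
        "unswapped_permitted": evaluate(table, unswapped, now=7),
        "fresh_syn_permitted": evaluate(table, fresh_syn, now=7),
        "reply_after_timeout": evaluate(table, legit_reply, now=400),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Only the exact mirror of the 5-tuple gets through the `evaluate` direction; a second session on 11003 needs its own triggering packet to earn its own entry, which is why Dave saw one entry per session. Two caveats the model leaves out: real IOS also removes the entry shortly after it sees the session close (FIN exchange or RST) rather than waiting for the timer, and applications that open a second channel on a negotiated port (active FTP, for instance) do not work through reflexive ACLs because nothing creates an entry for that channel.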



This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:48 GMT-3