reflexive ACL

From: bindong.shi@gmail.com
Date: Mon Jul 17 2006 - 05:59:48 ART


I am not able to understand the example in the IEWB 3.0 Lab 3 task 9.1:

1) The network admin has requested that R6's connection to BB1 be secured. Configure R6 so that it only allows TCP, UDP and ICMP traffic in from BB1 if it was originated from behind R6.
2) Ensure that users behind R6 can still traceroute to hosts beyond the frame cloud (BB1).

The solution:
r6
interface s0/0
ip access-group incoming in
ip access-group outgoing out

ip access-list extended incoming
permit icmp any any time-exceeded
permit icmp any any port-unreachable
permit udp any any eq rip
permit tcp any eq bgp any
permit tcp any any eq bgp
evaluate MY-REFLECT

ip access-list extended outgoing
permit tcp any any reflect MY-REFLECT
permit udp any any reflect MY-REFLECT
permit icmp any any reflect MY-REFLECT

I cannot understand question 2 and the solution "permit icmp any any time-exceeded" and "permit icmp any any port-unreachable".
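The following is an added example, not part of the original post and not IEWB's or Cisco's code: a small Python model of how the posted reflexive ACL treats a UDP traceroute. The outbound "reflect" creates a temporary entry mirroring the UDP probe's protocol, addresses and ports; "evaluate" on the inbound side only matches packets that fit such an entry. The ICMP time-exceeded replies come from intermediate hops and the ICMP port-unreachable comes from the destination, and neither is UDP, so neither matches the reflected entry. That is why the solution needs the two static ICMP permits for task 2. The addresses, port numbers used by the probe and the simplified matching model are assumptions made for this example (RIP 520 and BGP 179 are the real well-known ports).

```python
"""Model of a Cisco IOS reflexive ACL for the R6 <-> BB1 traceroute case.
Added example; addresses and probe ports are constructed, and the matching
model is simplified to the 5-tuple mirror that 'reflect' installs."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                   # TCP/UDP only
    dport: int = 0
    icmp_type: Optional[str] = None  # e.g. "time-exceeded", "port-unreachable"


class ReflexiveACL:
    """'reflect MY-REFLECT' on the outbound ACL, 'evaluate MY-REFLECT' inbound."""

    def __init__(self):
        self.entries = set()

    def reflect(self, pkt):
        # The reflected entry permits the same protocol with source and
        # destination (and ports) swapped, i.e. the expected reply.
        if pkt.proto in ("tcp", "udp"):
            self.entries.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        else:
            self.entries.add((pkt.proto, pkt.dst, pkt.src, 0, 0))

    def evaluate(self, pkt):
        if pkt.proto in ("tcp", "udp"):
            return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.entries
        return (pkt.proto, pkt.src, pkt.dst, 0, 0) in self.entries


def incoming_permits(pkt, reflexive, with_icmp_statics=True):
    """Inbound ACL on s0/0 in the order of the posted solution; implicit deny."""
    if with_icmp_statics and pkt.proto == "icmp" and \
            pkt.icmp_type in ("time-exceeded", "port-unreachable"):
        return True                                   # the two static ICMP lines
    if pkt.proto == "udp" and pkt.dport == 520:       # permit udp any any eq rip
        return True
    if pkt.proto == "tcp" and 179 in (pkt.sport, pkt.dport):  # bgp either way
        return True
    return reflexive.evaluate(pkt)                    # evaluate MY-REFLECT


def traceroute_scenario(with_icmp_statics=True):
    """One UDP traceroute probe from a host behind R6 toward a host past BB1.
    Returns (hop_time_exceeded_allowed, dest_port_unreachable_allowed,
             udp_reply_to_same_ports_allowed)."""
    acl = ReflexiveACL()
    host, hop, dest = "10.0.0.10", "192.0.2.1", "198.51.100.5"   # constructed
    probe = Packet("udp", host, dest, sport=40000, dport=33434)
    acl.reflect(probe)                 # outgoing: permit udp any any reflect ...
    # Intermediate hop answers with ICMP time-exceeded from its own address.
    ttl_expired = Packet("icmp", hop, host, icmp_type="time-exceeded")
    # Destination answers the closed UDP port with ICMP port-unreachable.
    unreachable = Packet("icmp", dest, host, icmp_type="port-unreachable")
    # A UDP packet back to the probe's ports would fit the reflected entry.
    udp_back = Packet("udp", dest, host, sport=33434, dport=40000)
    return (incoming_permits(ttl_expired, acl, with_icmp_statics),
            incoming_permits(unreachable, acl, with_icmp_statics),
            incoming_permits(udp_back, acl, with_icmp_statics))


def unsolicited_from_bb1():
    """Task 1: a new TCP connection arriving from the BB1 side with no matching
    outbound session has no reflected entry and falls to the implicit deny."""
    acl = ReflexiveACL()
    syn = Packet("tcp", "198.51.100.5", "10.0.0.10", sport=51000, dport=23)
    return incoming_permits(syn, acl)


if __name__ == "__main__":
    print("without ICMP statics:", traceroute_scenario(with_icmp_statics=False))
    print("with ICMP statics:   ", traceroute_scenario())
    print("unsolicited telnet from BB1 side permitted:", unsolicited_from_bb1())
```

Running it with the two ICMP lines removed shows the traceroute replies denied while a UDP reply to the probe's own ports would pass, which is exactly the gap the static permits close; an unsolicited inbound TCP connection from the BB1 side stays denied either way.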



This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART