Re: reflexive ACL

From: shi bindong (bindong.shi@gmail.com)
Date: Mon Jul 17 2006 - 06:41:50 ART


So, these 2 commands are used for permitting traceroute, right?

On 7/17/06, Ivan <ivan@iip.net> wrote:
>
> Traceroute sends ICMP or UDP to the destination, increasing the TTL by 1 for
> each attempt.
> If UDP traceroute is used (destination port 33434) and the destination is
> reached, the target host replies with ICMP port unreachable, since this port
> isn't used by any application. The traceroute app on the source host gets
> this ICMP code and supposes that it got the last-hop response.
>
> ICMP time-exceeded is sent in 2 cases:
> 1) when the TTL is 0 after decrementing. The router discards the datagram and
> sends this code to the source of the packet.
> 2) when all fragments of a datagram do not arrive at the destination host
> within a certain time.
> This is normal traceroute behaviour.
>
>
>
> > I am not able to understand the example in IEWB 3.0 Lab 3, task 9.1:
> >
> > 1) The network admin has requested that R6's connection to BB1 be secured.
> > Configure R6 so that it only allows TCP, UDP and ICMP traffic in from BB1
> > if it was originated from behind R6. 2) Ensure that users behind R6 can
> > still traceroute to hosts beyond the frame cloud (BB1).
> >
> > the solution:
> > r6
> > interface s0/0
> >  ip access-group incoming in
> >  ip access-group outgoing out
> > !
> > ! Inbound from BB1: explicit permits are checked first, then the
> > ! temporary entries mirrored into MY-REFLECT by the outbound list.
> > ip access-list extended incoming
> >  permit icmp any any time-exceeded
> >  permit icmp any any port-unreachable
> >  permit udp any any eq rip
> >  permit tcp any eq bgp any
> >  permit tcp any any eq bgp
> >  evaluate MY-REFLECT
> > !
> > ! Outbound toward BB1: every permitted TCP/UDP/ICMP packet creates a
> > ! mirrored (src/dst swapped) entry in the reflexive list MY-REFLECT.
> > ip access-list extended outgoing
> >  permit tcp any any reflect MY-REFLECT
> >  permit udp any any reflect MY-REFLECT
> >  permit icmp any any reflect MY-REFLECT
> >
> > I cannot understand question 2 and the solution "permit icmp any any
> > time-exceeded" and "permit icmp any any port-unreachable".
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Ivan
>

-- 
your friends

bindong
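
The point Ivan makes above, worked through as an added example (this is not from the thread or from the IEWB workbook): a small Python model of how R6's two ACLs treat the traceroute exchange. The addresses, the three-hop path and the Packet/Ace/Interface names are assumptions made for the example; the model also ignores ICMP type when mirroring an entry and has no idle timeout, both simplifications of real IOS reflexive ACLs. It shows why `evaluate MY-REFLECT` alone cannot satisfy the second requirement: the outbound UDP probe mirrors a UDP entry from the destination back to the host, but the replies are ICMP and, for every hop but the last, come from an intermediate router rather than from the destination, so they match no mirrored entry and fall to the implicit deny. Only the two explicit ICMP permits let them in, while unsolicited traffic from BB1 is still dropped.

```python
# Added example: model of IOS extended/reflexive ACL evaluation on R6 s0/0.
# Addresses are RFC 5737 documentation ranges chosen for this example.
from dataclasses import dataclass
from typing import List, Optional

HOST = "192.0.2.10"      # user behind R6 running traceroute (assumed)
BB1 = "198.51.100.1"     # first hop beyond R6's s0/0 (assumed)
DEST = "203.0.113.50"    # traceroute target beyond BB1 (assumed)
PATH = [BB1, "203.0.113.1", DEST]   # BB1, a provider router, the target

ANY = None  # wildcard, like "any" in an ACE


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # unused for icmp
    dport: int = 0        # unused for icmp
    icmp_msg: str = ""    # "echo", "echo-reply", "time-exceeded", "port-unreachable"


@dataclass
class Ace:
    """One permit line of an extended named ACL; the implicit deny is the fall-through."""
    proto: Optional[str] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY
    icmp_msg: Optional[str] = ANY
    reflect: Optional[str] = ANY    # "reflect NAME": create a mirrored temporary entry
    evaluate: Optional[str] = ANY   # "evaluate NAME": consult the temporary entries

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.sport in (ANY, p.sport)
                and self.dport in (ANY, p.dport)
                and self.icmp_msg in (ANY, p.icmp_msg))


class Interface:
    """R6 s0/0 with 'ip access-group incoming in' and 'ip access-group outgoing out'."""

    def __init__(self, incoming: List[Ace], outgoing: List[Ace]):
        self.incoming, self.outgoing = incoming, outgoing
        self.reflexive = {}   # list name -> set of (proto, src, dst, sport, dport)

    def send(self, p: Packet) -> bool:
        for ace in self.outgoing:
            if ace.matches(p):
                if ace.reflect:
                    # Mirror entry: same protocol, addresses and ports swapped.
                    self.reflexive.setdefault(ace.reflect, set()).add(
                        (p.proto, p.dst, p.src, p.dport, p.sport))
                return True
        return False

    def receive(self, p: Packet) -> bool:
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        for ace in self.incoming:
            if ace.evaluate:
                if key in self.reflexive.get(ace.evaluate, set()):
                    return True
            elif ace.matches(p):
                return True
        return False          # implicit deny


OUTGOING = [Ace("tcp", reflect="MY-REFLECT"),
            Ace("udp", reflect="MY-REFLECT"),
            Ace("icmp", reflect="MY-REFLECT")]

# The IEWB "incoming" list as posted, in order.
INCOMING = [Ace("icmp", icmp_msg="time-exceeded"),
            Ace("icmp", icmp_msg="port-unreachable"),
            Ace("udp", dport=520),          # permit udp any any eq rip
            Ace("tcp", sport=179),          # permit tcp any eq bgp any
            Ace("tcp", dport=179),          # permit tcp any any eq bgp
            Ace(evaluate="MY-REFLECT")]

# The same list without the two ICMP permits, to see what breaks.
INCOMING_REFLEXIVE_ONLY = INCOMING[2:]


def traceroute(incoming: List[Ace], probe: str = "udp") -> List[bool]:
    """Probes with TTL 1, 2, 3; return whether each hop's reply gets back in.

    Hops 1 and 2 answer with ICMP time-exceeded; the destination answers with
    ICMP port-unreachable (UDP probe to 33434+) or echo-reply (ICMP probe).
    """
    s0 = Interface(incoming, OUTGOING)
    seen = []
    for i, hop in enumerate(PATH):
        last = hop == DEST
        if probe == "udp":
            out = Packet("udp", HOST, DEST, sport=49152, dport=33434 + i)
            msg = "port-unreachable" if last else "time-exceeded"
        else:
            out = Packet("icmp", HOST, DEST, icmp_msg="echo")
            msg = "echo-reply" if last else "time-exceeded"
        s0.send(out)   # the outbound probe is permitted and mirrored
        seen.append(s0.receive(Packet("icmp", hop, HOST, icmp_msg=msg)))
    return seen


def tcp_session_returns(incoming: List[Ace]) -> bool:
    """Ordinary stateful case: a SYN out makes the SYN-ACK back match MY-REFLECT."""
    s0 = Interface(incoming, OUTGOING)
    s0.send(Packet("tcp", HOST, DEST, sport=50000, dport=22))
    return s0.receive(Packet("tcp", DEST, HOST, sport=22, dport=50000))


def unsolicited_udp_from_bb1(incoming: List[Ace]) -> bool:
    """Traffic BB1 originates itself has no mirror entry and hits the implicit deny."""
    s0 = Interface(incoming, OUTGOING)
    return s0.receive(Packet("udp", BB1, HOST, sport=40000, dport=53))


if __name__ == "__main__":
    print("udp traceroute, reflexive only :", traceroute(INCOMING_REFLEXIVE_ONLY))
    print("udp traceroute, IEWB solution  :", traceroute(INCOMING))
    print("icmp traceroute, reflexive only:", traceroute(INCOMING_REFLEXIVE_ONLY, "icmp"))
```

With the reflexive entry alone, an ICMP-echo traceroute shows only the last hop (the echo-reply comes from the destination and matches the mirrored ICMP entry) and a UDP traceroute shows nothing at all; with the two explicit permits every hop answers, and BB1 still cannot start a UDP or TCP conversation into R6's network on its own.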



This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART