From: Digital Yemeni (digital-yemeni@hotmail.com)
Date: Wed Mar 07 2007 - 23:09:49 ART
Let me read it again with you:
"TCP and UDP traffic only be permitted from vlan1 to vlan 2".
"However, TCP and UDP traffic which originates from vlan 2 is not permitted to go
to vlan 1"
So the key here is VLAN1-->VLAN2, which means initiated traffic is
sourced from VLAN1. Therefore, any traffic sourced from VLAN2 will be
blocked! This is exactly what a reflexive ACL is designed to do! ;-)
Best Regards,
Digital
------------------------------------------------------------------------------------------------------------------
*.* You'll NEVER succeed as a "CCIE" until you LOVE Cisco MORE than your sleep! *.*
I've not slept for the past 5 years and I'm expected to be busy for the next
57 years, and the preparation for the 5 CCIEs adds a bit on top of that. Therefore, please be
concise in your email. Thank you!
>From: achievewoo@gmail.com
>Reply-To: achievewoo@gmail.com
>To: ccielab@groupstudy.com
>Subject: Reflective access-list over BGP
>Date: Wed, 7 Mar 2007 20:57:33 -0500
>
>Hi, GS
> Here is a simple topology:
> R1--vlan 1---R2--vlan2--R3
> R1 and R3 are BGP peers, but R2 is not.
> I tried to do a reflexive access-list on R2, permitting the routing protocol (BGP)
>and ICMP both inbound and outbound. TCP and UDP traffic is only permitted
>from vlan1 to vlan 2. However, TCP and UDP traffic which originates from
>vlan 2 is not permitted to go to vlan 1.
> My configuration is as follows.
>
>ip access-list extended INBOUND
> permit icmp any any
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit tcp any any eq telnet
> permit tcp any eq telnet any
> evaluate REF
>ip access-list extended OUTBOUND
> permit icmp any any
> permit tcp any any reflect REF
> permit udp any any reflect REF
>
>Here is output
>R2#show ip access-list
>Extended IP access list INBOUND
> 10 permit icmp any any
> 20 permit eigrp any any (8829 matches)
> 30 permit tcp any any eq bgp
> 40 permit tcp any any eq telnet (370 matches)
> 50 permit tcp any eq telnet any
> 60 evaluate REF
>Extended IP access list OUTBOUND
> 10 permit icmp any any
> 20 permit tcp any any reflect REF (148 matches)
> 30 permit udp any any reflect REF
>Reflexive IP access list REF
> permit tcp host 1.1.1.1 eq bgp host 1.1.5.5 eq 18895 (24 matches)
>(time left 283)
>
>My question is why there is no match on line "30 permit tcp any any eq
>bgp".
>Should I add another line, "permit tcp any eq bgp any"?
>Any ideas?
>
>Thanks!
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
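A small model of the behaviour Digital describes, added here as a worked example (it is not code from either post): it replays the INBOUND and OUTBOUND lists from the quoted show output under standard reflexive-ACL semantics (a hit on a reflect line creates a mirrored temporary entry, and evaluate consults those entries at that position in the list) and shows why line 30 stays at zero matches for the session that appears in the REF list. The addresses and ports are the ones in the posted output; the ephemeral port 40000 in the second scenario is a constructed value.

```python
ANY = "any"
BGP = 179  # IOS "eq bgp"

def ace(seq, proto, src=ANY, sport=None, dst=ANY, dport=None, reflect=None, evaluate=None):
    """One access-list line; reflect= populates a reflexive list, evaluate= consults one."""
    return dict(seq=seq, proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                reflect=reflect, evaluate=evaluate, hits=0)

def matches(a, p):
    """p is (proto, src, sport, dst, dport); any/None in the line is a wildcard."""
    proto, src, sport, dst, dport = p
    return (a["proto"] == proto and a["src"] in (ANY, src) and a["dst"] in (ANY, dst)
            and a["sport"] in (None, sport) and a["dport"] in (None, dport))

def apply(acl, p, reflexive):
    """Walk the list in order; return the seq of the permitting line, "REF" for a
    temporary reflexive entry, or None for the implicit deny at the end."""
    for a in acl:
        if a["evaluate"]:
            for entry in reflexive.get(a["evaluate"], []):
                if matches(entry, p):
                    entry["hits"] += 1
                    return "REF"
            continue
        if matches(a, p):
            a["hits"] += 1
            if a["reflect"]:  # mirror the 5-tuple: only the reply will match it later
                proto, src, sport, dst, dport = p
                reflexive.setdefault(a["reflect"], []).append(ace(0, proto, dst, dport, src, sport))
            return a["seq"]
    return None

def state():
    """Fresh copies of the lists from the posted 'show ip access-list' output."""
    inbound = [ace(10, "icmp"), ace(20, "eigrp"), ace(30, "tcp", dport=BGP),
               ace(40, "tcp", dport=23), ace(50, "tcp", sport=23), ace(60, "ip", evaluate="REF")]
    outbound = [ace(10, "icmp"), ace(20, "tcp", reflect="REF"), ace(30, "udp", reflect="REF")]
    return inbound, outbound, {}

def session_initiated_outbound():
    """The flow in the posted output: 1.1.5.5:18895 -> 1.1.1.1:179 leaves via OUTBOUND."""
    inbound, outbound, ref = state()
    out_hit = apply(outbound, ("tcp", "1.1.5.5", 18895, "1.1.1.1", BGP), ref)
    in_hit = apply(inbound, ("tcp", "1.1.1.1", BGP, "1.1.5.5", 18895), ref)  # the reply
    return out_hit, in_hit, inbound[2]["hits"], ref["REF"][0]["hits"]  # (20, "REF", 0, 1)

def session_initiated_inbound():
    """A BGP session opened from the INBOUND side instead is what line 30 counts."""
    inbound, outbound, ref = state()
    return apply(inbound, ("tcp", "1.1.1.1", 40000, "1.1.5.5", BGP), ref), inbound[2]["hits"]  # (30, 1)
```

The reply to an outbound-initiated session carries destination port 18895, not 179, so it passes line 30 untouched and is permitted by the mirrored REF entry at line 60; line 30 only accumulates matches for sessions that are opened toward port 179 from the inbound side.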
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:50 ART