Reflexive ACL Question

From: Antonio Soares (amsoares@netcabo.pt)
Date: Tue Jun 19 2007 - 13:57:49 ART


Hello group,

Reflexive ACLs are one of my weakest areas. I understand the topic very
well, but I have problems with the interpretation of the tasks. Please help me
understand this one from Maurilio's Practice Labs:

1) Scenario:
Rest of the network---R6---ATM Cloud---BB

The only traffic between R6 and BB is the BGP session between them. There is
no IGP, Mcast, or anything else running over the connection between them.

2) Task:
Configure a reflexive access list on R6 and apply it to the R6-a3/0 internal
interface, allowing BGP and any other interesting traffic.

3) Solution:
!
interface ATM3/0
ip access-group in_filters in
ip access-group out_filters out
!
ip access-list extended in_filters
 permit tcp any any reflect TCP_Traffic
!
ip access-list extended out_filters
 permit tcp any any eq bgp
 permit pim any any
 permit icmp any any
 deny ip any any
 evaluate TCP_Traffic
!

4) My comments:
- It's the first time I see an evaluate command after a deny ip any any. I
know this is a valid configuration, at least it works fine. But it was the
last thing I would remember to do. I usually place the evaluate entries at
the beginning.

- The task says "allow BGP and any other interesting traffic". Should we
guess here? Why ICMP and PIM? We don't have Mcast running over the link.
For me, interesting traffic would be ICMP, TCP and UDP.

- We don't have any BGP session between the other routers in the network and
the BB router. So what is the purpose of having the entry "permit tcp any any
eq bgp" in the output filter? As far as I know, R6's local traffic won't be
affected by the ACL.

- In summary, I would have zero points on this one...

Thanks,
Antonio
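As an added example, not part of Antonio's post or of Maurilio's lab solution, here is a small Python model of what the reflect and evaluate keywords do on an interface like R6's ATM3/0: an inbound permit with reflect creates a temporary mirrored entry (addresses and ports swapped) in the named reflexive list, an evaluate line consults that list at the position where it sits, entries age out after an idle timeout, and an outbound ACL does not filter traffic the router itself originates. The addresses (R6 10.0.0.1, BB 10.0.0.2, an inside host 10.1.1.1), ports and timings are assumptions made for the demonstration. The model tries ACL lines strictly in order, so its out_filters puts the evaluate ahead of the deny ip any any; it does not settle what IOS does with the order used in the posted solution.

```python
"""Model of Cisco IOS reflexive ACL mechanics (reflect / evaluate).

Added example, not code from the post or from Maurilio's lab. Addresses,
ports and times below are constructed; ACL lines are tried in strict order.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "pim"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    local: bool = False   # True when the router (R6) itself generated it


@dataclass
class Entry:
    """One extended ACL line, limited to the keywords the post uses."""
    action: str = "permit"          # "permit" or "deny"
    proto: str = "ip"               # "ip" matches every protocol
    dport: Optional[int] = None     # "eq <port>" on the destination port
    reflect: Optional[str] = None   # "reflect <name>": populate a reflexive list
    evaluate: Optional[str] = None  # "evaluate <name>": consult a reflexive list
    timeout: int = 300              # idle seconds before a reflected entry ages out

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or pkt.dport == self.dport


class ReflexiveLists:
    def __init__(self) -> None:
        # name -> {(proto, src, sport, dst, dport) of return flow: (expires, timeout)}
        self.lists: Dict[str, Dict[tuple, Tuple[int, int]]] = {}

    def add(self, name: str, pkt: Packet, now: int, timeout: int) -> None:
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.lists.setdefault(name, {})[mirrored] = (now + timeout, timeout)

    def matches(self, name: str, pkt: Packet, now: int) -> bool:
        table = self.lists.get(name, {})
        for stale in [k for k, (exp, _) in table.items() if exp <= now]:
            del table[stale]                       # idle-expired entries go away
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in table:
            return False
        table[key] = (now + table[key][1], table[key][1])   # traffic refreshes the timer
        return True


def apply_acl(acl: List[Entry], pkt: Packet, state: ReflexiveLists,
              now: int, direction: str) -> str:
    """Return 'permit' or 'deny' for one packet crossing the interface."""
    if direction == "out" and pkt.local:
        return "permit"   # an outbound ACL never sees router-originated packets
    for e in acl:
        if e.evaluate:
            if state.matches(e.evaluate, pkt, now):
                return "permit"
            continue          # nothing reflected matched: try the next line
        if e.matches(pkt):
            if e.action == "permit" and e.reflect:
                state.add(e.reflect, pkt, now, e.timeout)
            return e.action
    return "deny"             # implicit deny at the end of every ACL


R6, BB, INSIDE = "10.0.0.1", "10.0.0.2", "10.1.1.1"   # constructed addresses

IN_FILTERS = [Entry("permit", "tcp", reflect="TCP_Traffic")]
OUT_FILTERS = [
    Entry("permit", "tcp", dport=179),
    Entry("permit", "pim"),
    Entry("permit", "icmp"),
    Entry(evaluate="TCP_Traffic"),   # ahead of the deny so this model can reach it
    Entry("deny", "ip"),
]


def run_scenario() -> Dict[str, str]:
    state = ReflexiveLists()
    r: Dict[str, str] = {}
    # BB opens the BGP session towards R6: permitted inbound and reflected
    r["bgp_syn_in"] = apply_acl(IN_FILTERS, Packet("tcp", BB, R6, 40000, 179), state, 0, "in")
    # R6's own reply is router-originated and bypasses out_filters entirely
    r["bgp_reply_out"] = apply_acl(OUT_FILTERS, Packet("tcp", R6, BB, 179, 40000, local=True), state, 1, "out")
    # BB connects to a host behind R6; the inbound permit mirrors that flow
    r["bb_to_inside_in"] = apply_acl(IN_FILTERS, Packet("tcp", BB, INSIDE, 40001, 80), state, 10, "in")
    # the host's reply is transit traffic, permitted only by the evaluate line
    reply = Packet("tcp", INSIDE, BB, 80, 40001)
    r["inside_reply_out"] = apply_acl(OUT_FILTERS, reply, state, 11, "out")
    # a session the inside opens towards BB was never reflected: denied
    r["inside_initiated_out"] = apply_acl(OUT_FILTERS, Packet("tcp", INSIDE, BB, 5000, 22), state, 12, "out")
    # inbound UDP from BB matches no line and hits the implicit deny
    r["udp_in"] = apply_acl(IN_FILTERS, Packet("udp", BB, INSIDE, 5353, 53), state, 13, "in")
    # the same reply long after the idle timeout: the mirrored entry has aged out
    r["inside_reply_out_expired"] = apply_acl(OUT_FILTERS, reply, state, 400, "out")
    return r


if __name__ == "__main__":
    print(run_scenario())
```

Running it prints the verdict for each step. The interesting ones are the two transit cases: the inside host's reply to a BB-initiated session is permitted only because the evaluate line finds the mirrored entry, and the same reply is denied once that entry has idled out, while R6's own BGP reply never consults out_filters at all.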



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:50 ART