From: Antonio Soares (amsoares@netcabo.pt)
Date: Tue Jun 19 2007 - 20:10:45 ART
Hello group,
Your comments will be welcome.
Thanks.
Antonio
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Tuesday, 19 June 2007 17:58
To: ccielab@groupstudy.com
Subject: Reflexive ACL Question
Hello group,
Reflexive ACLs are one of my weakest areas. I understand the topic very well,
but I have problems with the interpretation of the tasks. Please help me
understand this one from Maurilio's Practice Labs:
1) Scenario:
Rest of the network---R6---ATM Cloud---BB
The only traffic between R6 and BB is the BGP session between them. There is
no IGP, Mcast, or anything else running over the connection between them.
2) Task:
Configure a reflexive access list on R6 and apply it to the R6-a3/0 internal
interface, allowing BGP and any other interesting traffic.
3) Solution:
!
interface ATM3/0
ip access-group in_filters in
ip access-group out_filters out
!
ip access-list extended in_filters
permit tcp any any reflect TCP_Traffic
!
ip access-list extended out_filters
permit tcp any any eq bgp
permit pim any any
permit icmp any any
deny ip any any
evaluate TCP_Traffic
!
4) My comments:
- It's the first time I see an evaluate command after a deny ip any any. I
know this is a valid configuration; at least it works fine. But it was the
last thing I would remember to do. I usually place the evaluate entries at
the beginning.
- The task says "allow BGP and any other interesting traffic". Should we
guess here? Why ICMP and PIM? We don't have Mcast running over the link.
For me, interesting traffic would be ICMP, TCP and UDP.
- We don't have any BGP session between the other routers in the network and
the BB router. So what is the purpose of having the entry
"permit tcp any any eq bgp" in the output filter? As far as I know, R6's local
traffic won't be affected by the ACL.
- In summary, I would have zero points on this one...
Thanks,
Antonio
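To make the ordering question concrete, here is a small Python model of strict first-match ACL processing with reflect/evaluate entries, fed the two ACLs from the posted solution; it is an added illustration, not code from the post or from IOS, and the addresses, the telnet port and the assumption that entries are walked strictly top to bottom are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    def mirrored(self):
        # The temporary entry a 'reflect' creates: same protocol, addresses and ports swapped.
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveAclModel:
    """Constructed model of strict first-match processing for a named ACL with reflect/evaluate."""
    def __init__(self):
        self.temp = {}  # reflexive list name -> set of mirrored Packets (the temporary entries)

    def check(self, entries, pkt):
        for entry in entries:
            if entry[0] == "evaluate":
                if pkt in self.temp.get(entry[1], set()):
                    return "permit"
                continue  # no temporary entry matched: keep walking the list
            action, proto, dport, reflect = entry
            if proto != "ip" and proto != pkt.proto:
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if action == "permit" and reflect:
                self.temp.setdefault(reflect, set()).add(pkt.mirrored())
            return action
        return "deny"  # implicit deny at the end of every ACL

# The two ACLs from the posted solution as (action, protocol, dest port, reflect name) tuples.
IN_FILTERS = [("permit", "tcp", None, "TCP_Traffic")]
OUT_FILTERS_AS_POSTED = [
    ("permit", "tcp", 179, None),
    ("permit", "pim", None, None),
    ("permit", "icmp", None, None),
    ("deny", "ip", None, None),
    ("evaluate", "TCP_Traffic"),
]
# The ordering the poster says he normally uses: evaluate before the explicit deny.
OUT_FILTERS_EVALUATE_FIRST = [("evaluate", "TCP_Traffic")] + OUT_FILTERS_AS_POSTED[:-1]

def reply_verdict(out_filters):
    """BB (constructed 10.0.0.2) opens TCP to a host behind R6; verdict on that host's reply."""
    acl = ReflexiveAclModel()
    syn = Packet("tcp", "10.0.0.2", 40000, "10.1.1.10", 23)
    assert acl.check(IN_FILTERS, syn) == "permit"  # inbound SYN permitted and reflected
    return acl.check(out_filters, syn.mirrored())  # the reply leaves through out_filters
```

Under strict first-match, only the evaluate-first ordering lets the transit reply through; packets R6 itself originates, such as its own BGP session, never pass through an outbound ACL, which is the point made above about local traffic.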
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:50 ART