From: Digital Yemeni (digital.yemeni@gmail.com)
Date: Tue Jun 19 2007 - 21:50:47 ART
I usually see the "reflect" being set on the OUTBOUND and the evaluate being
set in the INBOUND, but yours seems to be the opposite! Maybe I should study
harder??!! :)
Anywayz, you often see the "permit tcp any any eq bgp" AND the "permit tcp
any eq bgp any" BEFORE the evaluate because the reflexive ACL is not
effective for locally generated traffic, which also means that the BGP and
other locally generated traffic will be dropped IF the evaluate statement
happened to be before them!
Why ICMP and PIM... maybe you overlooked other tasks that require you to
leave these protocols flowing freely in your topology!
HTH, if not then pls wait for others to comment ;-)
On 6/20/07, Antonio Soares <amsoares@netcabo.pt> wrote:
>
> Hello group,
>
> Your comments will be welcome.
>
> Thanks.
> Antonio
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Antonio Soares
> Sent: Tuesday, 19 June 2007 17:58
> To: ccielab@groupstudy.com
> Subject: Reflexive ACL Question
>
> Hello group,
>
> Reflexive ACLs are one of my weakest areas. I understand the topic very
> well, but I have problems with the interpretation of the tasks. Please help
> me understand this one from Maurilio's Practice Labs:
>
> 1) Scenario:
> Rest of the network---R6---ATM Cloud---BB
>
> The only traffic between R6 and BB is the BGP session between them. There is
> no IGP, Mcast, or anything else running over the connection between them.
>
> 2) Task:
> Configure a reflexive access list on R6 and apply it to the R6-a3/0 internal
> interface, allowing BGP and any other interesting traffic.
>
> 3) Solution:
> !
> interface ATM3/0
> ip access-group in_filters in
> ip access-group out_filters out
> !
> ip access-list extended in_filters
> permit tcp any any reflect TCP_Traffic
> !
> ip access-list extended out_filters
> permit tcp any any eq bgp
> permit pim any any
> permit icmp any any
> deny ip any any
> evaluate TCP_Traffic
> !
>
> 4) My comments:
> - It's the first time I see an evaluate command after a deny ip any any. I
> know this is a valid configuration, at least it works fine. But it was the
> last thing I would remember to do. I usually place the evaluate entries at
> the beginning.
>
> - The task says "allow BGP and any other interesting traffic". Should we
> guess here ? Why ICMP and PIM? We don't have Mcast running over the link.
> For me, interesting traffic would be ICMP, TCP and UDP.
>
> - We don't have any BGP session between the other routers in the network and
> the BB router. So what is the purpose of having in the output filter the
> entry "permit tcp any any eq bgp"? As far as I know, R6's local traffic
> won't be affected by the ACL.
>
> - In summary, I would have zero points on this one...
>
>
> Thanks,
> Antonio
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
-- Best Regards! Digital, CCIE# to be assigned by Cisco when it collects enough $$ out of me! :p
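As an added illustration of the mechanism the two posters are discussing (not code from either of them, nor from Cisco): a small Python model of first-match ACL processing in which a `reflect` permit mirrors the matched flow into a temporary list and an `evaluate` entry consults that list. It uses the entries of the page's in_filters and out_filters with the evaluate placed first, as Antonio says he normally does; the addresses and ports are constructed, and router-originated traffic is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "icmp" or "pim"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Ace:
    action: str                      # "permit", "deny" or "evaluate"
    proto: str = "ip"                # "ip" matches every protocol
    dport: Optional[int] = None      # "eq <port>" on the destination port
    reflect: Optional[str] = None    # reflexive list this permit populates
    evaluate: Optional[str] = None   # reflexive list this entry consults

def apply_acl(acl, pkt, reflexive):
    """First-match processing; the implicit deny closes every list."""
    for ace in acl:
        if ace.action == "evaluate":
            # Temporary entries are exact 5-tuple mirrors of the original flow.
            if pkt in reflexive.get(ace.evaluate, set()):
                return "permit (reflexive)"
            continue
        if ace.proto in ("ip", pkt.proto) and ace.dport in (None, pkt.dport):
            if ace.action == "permit" and ace.reflect:
                # Swap source and destination so the return direction is allowed.
                mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                reflexive.setdefault(ace.reflect, set()).add(mirror)
            return ace.action
    return "deny (implicit)"

# The page's in_filters; its out_filters entries with the evaluate moved first.
IN_FILTERS = [Ace("permit", "tcp", reflect="TCP_Traffic")]
OUT_FILTERS = [Ace("evaluate", evaluate="TCP_Traffic"),
               Ace("permit", "tcp", dport=179), Ace("permit", "pim"),
               Ace("permit", "icmp"), Ace("deny")]

def run_scenario():
    reflexive, bb, r6 = {}, "192.0.2.2", "192.0.2.1"   # constructed addresses
    return {
        # BB-originated TCP enters, matches the reflect entry and is mirrored.
        "in_tcp": apply_acl(IN_FILTERS, Packet("tcp", bb, 40000, r6, 179), reflexive),
        # The mirrored reply is permitted only through the temporary entry.
        "out_reply": apply_acl(OUT_FILTERS, Packet("tcp", r6, 179, bb, 40000), reflexive),
        # Other outbound TCP is neither mirrored nor BGP, so the deny catches it.
        "out_other": apply_acl(OUT_FILTERS, Packet("tcp", r6, 5000, bb, 80), reflexive),
        # Only TCP is reflected, so ICMP passes solely because of its static permit.
        "out_icmp": apply_acl(OUT_FILTERS, Packet("icmp", r6, 0, bb, 0), reflexive),
    }
```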
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:50 ART