From: Derek Pocoroba (dpocoroba@gmail.com)
Date: Thu Sep 06 2007 - 13:48:30 ART
Using PBR for the purpose of marking traffic in a reflexive ACL will work. I
always thought this was one of the neater things learned from IE.
See below:
Rack1R1#show ip access-l
Extended IP access list 101
10 permit tcp any any eq telnet
20 permit icmp any any
Extended IP access list INBOUND
10 evaluate MYFW
20 permit udp any any eq rip
Reflexive IP access list MYFW
Extended IP access list OUTBOUND
10 permit tcp any any reflect MYFW
20 permit udp any any reflect MYFW
30 permit icmp any any reflect MYFW
Rack1R1#pi 150.1.3.3 re 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
*Mar 1 00:49:30.863: ICMP: dst (10.10.100.1) administratively prohibited unreachable sent to 150.1.3.3.
*Mar 1 00:49:32.859: ICMP: dst (10.10.100.1) administratively prohibited unreachable sent to 150.1.3.3.
Success rate is 0 percent (0/2)
Rack1R1#tel 150.1.3.3
Trying 150.1.3.3 ...
*Mar 1 00:49:38.551: ICMP: dst (10.10.100.1) administratively prohibited unreachable sent to 150.1.3.3
*Mar 1 00:49:40.555: ICMP: dst (10.10.100.1) administratively prohibited unreachable sent to 150.1.3.3
% Connection timed out; remote host not responding
Rack1R1#
Rack1R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R1(config)#ip local policy route-map PBR
Rack1R1(config)#do pi 150.1.3.3 re 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 92/94/96 ms
Rack1R1(config)#
*Mar 1 00:49:56.663: ICMP: echo reply rcvd, src 150.1.3.3, dst 10.10.100.1
*Mar 1 00:49:56.763: ICMP: echo reply rcvd, src 150.1.3.3, dst 10.10.100.1
Rack1R1(config)#do tel 150.1.3.3
Trying 150.1.3.3 ... Open
User Access Verification
Password:
Rack1R3>
Rack1R1(config)#do show ip access-l
Extended IP access list 101
10 permit tcp any any eq telnet (16 matches)
20 permit icmp any any (2 matches)
Extended IP access list INBOUND
10 evaluate MYFW
20 permit udp any any eq rip (6 matches)
Reflexive IP access list MYFW
permit tcp host 150.1.3.3 eq telnet host 10.10.100.1 eq 57067 (40 matches) (time left 295)
permit icmp host 150.1.3.3 host 10.10.100.1 (8 matches) (time left 284)
Extended IP access list OUTBOUND
10 permit tcp any any reflect MYFW (16 matches)
20 permit udp any any reflect MYFW
30 permit icmp any any reflect MYFW (2 matches)
Rack1R1(config)#do show run | be PBR
ip local policy route-map PBR
!
ip access-list extended INBOUND
evaluate MYFW
permit udp any any eq rip
ip access-list extended OUTBOUND
permit tcp any any reflect MYFW
permit udp any any reflect MYFW
permit icmp any any reflect MYFW
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any
no cdp run
!
route-map PBR permit 10
match ip address 101
set interface Loopback0
!
!
Rack1R1(config)#
HTH
On 9/6/07, Sadiq Yakasai <sadiqtanko@gmail.com> wrote:
>
> Thanks for the reply guys.
>
> Well, I have heard this mentioned in IE Ver 4 CoD videos that this is
> an option; it's also been demonstrated in their workbook Vol II
> labs 2 (Task 9.4) & 5 (Task 8.1).
>
> I would love it if anyone from IE could comment on this please.
>
> Thanks
-- Derek Pocoroba CCIE #18559
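The mechanism behind the output above, as an added example (not code from the post or from IE): a small Python model of reflexive ACLs. It parses the INBOUND, OUTBOUND and MYFW entries copied from R1's running-config, creates the mirrored MYFW entry when a packet matches a "reflect" line, and honours "evaluate" on the inbound side. The addresses and ports are the ones in R1's output; the Packet type, the parse_ace/permitted/apply_outbound helpers, the 224.0.0.9 RIP update and the router_send rule ("router-originated packets bypass the outbound ACL unless ip local policy sends them via Loopback0") are this example's own assumptions, taken from what the post demonstrates rather than from IOS internals.

```python
# Toy model of IOS reflexive ACLs and the "ip local policy" trick (added example,
# not code from the post; ACL text copied from R1's running-config above).
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "rip": 520}   # the only port names the page uses

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 means "no port" (icmp)
    dport: int = 0

def parse_ace(text):
    """Parse one IOS access-list entry (only any/host and 'eq' are modelled)."""
    t = text.split()
    if t[0].isdigit():                      # sequence number from show output
        t = t[1:]
    if t[0] == "evaluate":
        return {"action": "evaluate", "name": t[1]}
    ace = {"action": t[0], "proto": t[1], "src": None, "sport": None,
           "dst": None, "dport": None, "reflect": None}
    i = 2
    for side in ("src", "dst"):
        if t[i] == "host":
            ace[side] = t[i + 1]
        elif t[i] != "any":
            raise ValueError("unsupported address form in: " + text)
        i += 2 if t[i] == "host" else 1
        if i < len(t) and t[i] == "eq":     # optional port after src or dst
            ace[side[0] + "port"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
    if i < len(t) and t[i] == "reflect":
        ace["reflect"] = t[i + 1]
    return ace

def format_ace(ace):
    """Render an entry the way 'show ip access-lists' prints a reflexive one."""
    def side(addr, port):
        s = "any" if addr is None else f"host {addr}"
        return s if port is None else f"{s} eq {port}"
    return (f"{ace['action']} {ace['proto']} "
            f"{side(ace['src'], ace['sport'])} {side(ace['dst'], ace['dport'])}")

def _match(ace, pkt):
    if ace["action"] == "evaluate" or ace["proto"] != pkt.proto:
        return False
    return all(ace[k] is None or ace[k] == getattr(pkt, k)
               for k in ("src", "dst", "sport", "dport"))

def permitted(acls, name, pkt):
    """Inbound check: 'evaluate' consults the dynamic list, then falls through."""
    for ace in acls[name]:
        if ace["action"] == "evaluate":
            if any(_match(e, pkt) for e in acls[ace["name"]]):
                return True
            continue
        if _match(ace, pkt):
            return ace["action"] == "permit"
    return False                             # implicit deny

def apply_outbound(acls, name, pkt):
    """Outbound check; a matching 'reflect' entry creates the mirrored ACE."""
    for ace in acls[name]:
        if _match(ace, pkt):
            if ace["action"] == "permit" and ace["reflect"]:
                acls[ace["reflect"]].append({
                    "action": "permit", "proto": pkt.proto, "reflect": None,
                    "src": pkt.dst, "sport": pkt.dport or None,
                    "dst": pkt.src, "dport": pkt.sport or None})
            return ace["action"] == "permit"
    return False

def router_send(acls, pkt, local_policy):
    """Assumption taken from the post: router-originated packets bypass the
    outbound interface ACL unless 'ip local policy' re-routes them through
    Loopback0, after which they are treated like transit traffic."""
    return apply_outbound(acls, "OUTBOUND", pkt) if local_policy else True

def build_acls():
    cfg = {"INBOUND": ["evaluate MYFW", "permit udp any any eq rip"],
           "OUTBOUND": ["permit tcp any any reflect MYFW",
                        "permit udp any any reflect MYFW",
                        "permit icmp any any reflect MYFW"],
           "MYFW": []}                       # reflexive list, filled at runtime
    return {n: [parse_ace(a) for a in aces] for n, aces in cfg.items()}

def demo(local_policy):
    """Replay R1's telnet and ping, then test the replies against INBOUND."""
    acls = build_acls()
    router_send(acls, Packet("tcp", "10.10.100.1", "150.1.3.3", 57067, 23), local_policy)
    router_send(acls, Packet("icmp", "10.10.100.1", "150.1.3.3"), local_policy)
    return {
        "myfw": [format_ace(e) for e in acls["MYFW"]],
        "telnet_reply": permitted(acls, "INBOUND", Packet("tcp", "150.1.3.3", "10.10.100.1", 23, 57067)),
        "echo_reply": permitted(acls, "INBOUND", Packet("icmp", "150.1.3.3", "10.10.100.1")),
        "rip": permitted(acls, "INBOUND", Packet("udp", "150.1.3.3", "224.0.0.9", 520, 520)),
    }

if __name__ == "__main__":
    for lp in (False, True):
        print("ip local policy", "on:" if lp else "off:", demo(lp))
```

Running it with local policy off reproduces the first half of the post: MYFW stays empty, so "evaluate MYFW" matches nothing, the telnet and echo replies fall through to the implicit deny, and only RIP (permitted statically) gets in. With local policy on, the outbound pass creates the two mirrored entries seen in the "show ip access-lists" output and both replies are accepted. The model ignores timeouts ("time left") and the special handling IOS gives ICMP and FTP in reflexive lists.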
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:09 ART