RE: Routing protocols with Reflexive Acls

From: Simon Grace (SimonG@pcsystems.gr)
Date: Wed Oct 10 2007 - 16:25:58 ART

• Next message: joshua lauer: "RE: OT Re: !!!! Banned by Cisco !!!! [7:126999]"
• Previous message: uyota oyearone: "..Participate in an Unpaid VOIP / IP Tel. Project"
• Maybe in reply to: Joseph Brunner: "Routing protocols with Reflexive Acls"
• Next in thread: Brian McGahan: "RE: Routing protocols with Reflexive Acls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Andrew,

If I understand you correctly then the problem is Reflective access list
doesn't account for traffic sourced directly from the router with the
configured list, hence an ip local policy to send it via a loopback and
then off out of the interface to BB1.

I think that's the case, but it's a bit late here and I've been studying
all day so if I've told you a load of rubbish, apologies.

Simon.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Usankin, Andrew
Sent: Wednesday, October 10, 2007 8:44 PM
To: Joseph Brunner; Cisco certification
Subject: RE: Routing protocols with Reflexive Acls

Why would you go through so much problems?
You know you have BGP over this link, you know that BGP works over
TCP:179. So just use simple reflective access list for it. Yes, session
won't ever get established from BB1 to R6, but that's not a big dial. As
soon as R6 tries to establish session to BB1 reflective ACL will let
everything pass through.
Do I miss something?

Andrew

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph Brunner
Sent: Wednesday, October 10, 2007 4:12 AM
To: 'Cisco certification'
Subject: Routing protocols with Reflexive Acls

Task 5.1 Configure a BGP peering session between R6 and BB1 using their
directly connected address

Task 7.2 Configure a traffic inspection policy on R6's G0/1 interface
that only permits return traffic that was originated within the network

              Any routing protocols previously configured must work
after this policy is applied

              If access-lists are used do not explicitly permit any
routing protocol

This deals with a reflexive acl (I guess cbac can do this too) and how
we normally permit routing protocols inbound before the EVAULATE part of
the acl which evaluates the reflexive acl. I figured a way to permit bgp
to run without configuring a permit statement in the inbound acl.

-routing protocol traffic is local policy routed to the loopback
interface

-bgp traffic is then "reflected" as it leaves R6 towards BB1

-R6's bgp peering session required "ebgp-multihop" or the peering
session would get stuck in "OpenConfirm"

-I permitted telnet also as I like to telnet to the BB's from R6 in my
rack

-I wanted to start a discussion regarding handling routing protocols
when using reflexive acl's and CBAC

R6 Config

access-list 101 permit tcp any any eq telnet

access-list 101 permit udp any any eq rip

access-list 101 permit tcp any eq bgp any

access-list 101 permit tcp any any eq bgp

ip access-list extended INBOUND

 evaluate REFLECT

ip access-list extended OUTBOUND

 permit icmp any any reflect REFLECT

 permit tcp any any reflect REFLECT

 permit udp any any reflect REFLECT

route-map POLICY permit 10

 match ip address 101

 set interface Loopback0

ip local policy route-map POLICY

interface GigabitEthernet0/1

 ip address 150.1.1.6 255.255.255.0

 ip access-group INBOUND in

 ip access-group OUTBOUND out

router bgp 100

 no synchronization

 bgp log-neighbor-changes

 network 1.1.6.6 mask 255.255.255.255

 neighbor 150.1.1.254 remote-as 54

 neighbor 150.1.1.254 ebgp-multihop 255

rack1r6#sh route-map

route-map LOCAL, permit, sequence 10

  Match clauses:

    ip address (access-lists): 101

  Set clauses:

    interface Loopback0

  Policy routing matches: 286 packets, 31464 bytes

rack1r6#sh ip bgp summ

BGP router identifier 160.1.6.6, local AS number 100

BGP table version is 27, main routing table version 27

21 network entries using 2457 bytes of memory

28 path entries using 1456 bytes of memory

14/10 BGP path/bestpath attribute entries using 1736 bytes of memory

1 BGP rrinfo entries using 24 bytes of memory

7 BGP AS-PATH entries using 168 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 5841 total bytes of memory

BGP activity 316/295 prefixes, 551/523 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down
State/PfxRcd

150.1.1.254 4 54 2210 2266 27 0 0 00:13:33
18

160.1.7.7 4 100 2265 2711 27 0 0 00:13:34
7

rack1r6#sh ip access

Extended IP access list 101

    5 permit tcp any any eq telnet (62 matches)

    10 permit udp any any eq rip (2 matches)

    20 permit tcp any eq bgp any (79 matches)

    30 permit tcp any any eq bgp (486 matches)

Extended IP access list INBOUND

    40 evaluate REFLECT

Extended IP access list OUTBOUND

    10 permit icmp any any reflect REFLECT (17 matches)

    20 permit tcp any any reflect REFLECT (5382 matches)

    30 permit udp any any reflect REFLECT (10893 matches)

Reflexive IP access list REFLECT

     permit tcp host 150.1.1.254 eq bgp host 150.1.1.6 eq 25558 (58
matches) (time left 263)

rack1r6#

• Next message: joshua lauer: "RE: OT Re: !!!! Banned by Cisco !!!! [7:126999]"
• Previous message: uyota oyearone: "..Participate in an Unpaid VOIP / IP Tel. Project"
• Maybe in reply to: Joseph Brunner: "Routing protocols with Reflexive Acls"
• Next in thread: Brian McGahan: "RE: Routing protocols with Reflexive Acls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:13 ART