From: hadek.el-ayachi@nsn.com
Date: Fri Nov 09 2007 - 07:44:43 ART
Let me say why I asked this question. The query is to allow
icmp/udp/tcp from outside if it is initiated from inside. There is no
indication about what to allow from inside to outside.
However, the reflexive ACL is there to prevent all kinds of traffic
from entering the network if it is not triggered from inside. Hence, if
there is GRE traffic leaving my network, then I'll not use the reflect
option for this traffic because this is neither icmp nor tcp/udp traffic.
That's it.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ext Joseph Brunner
Sent: vendredi 9 novembre 2007 03:34
To: 'William Nellis'; 'Guyler, Rik'; 'groupstudy'
Subject: RE: Reflexive output ACL
Looking for a Proctor to help you pass is like looking for '85 Mike
Tyson not to chin check you on your way to the mat.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
William Nellis
Sent: Thursday, November 08, 2007 4:05 PM
To: Guyler, Rik; groupstudy
Subject: Re: Reflexive output ACL
Obviously, if it breaks your IGP, BGP, IGMP, PIM requirements, you need to
account for that. This is a known thing to have thrown at you. You must
solve the problem w/o breaking other req's. And yeah, if you have GRE
flowing over... that one too! But if it isn't a requirement of the lab,
don't throw it on there as "best practice". Bare minimum required to
satisfy.
Good luck Jedi... The force is strong.
When in doubt, proctor out.
-------------------------------------------------------
r/s
William Nellis IV
nellis_iv@yahoo.com
----- Original Message ----
From: "Guyler, Rik" <rguyler@shp-dayton.org>
To: groupstudy <ccielab@groupstudy.com>
Sent: Thursday, November 8, 2007 12:39:42 PM
Subject: RE: Reflexive output ACL
Don't do it if it isn't asked for in the requirements. If it says ICMP,
TCP and UDP then allow those and move on. When you start taking
unnecessary steps you run even greater risk of missing a required topic
due to misinterpretation.
Maybe this question really means "allow ONLY ICMP, TCP and UDP inbound"
and so allowing other non-required protocols just cost you points. Why
complicate things any more?
Rik
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
hadek.el-ayachi@nsn.com
Sent: Thursday, November 08, 2007 11:47 AM
To: ccielab@groupstudy.com
Subject: Reflexive output ACL
Hi GS,
If I am asked to permit only icmp/udp/tcp traffic inbound if it is
initiated from inside, the answer is:
ip access-list extended FW_OUT
 permit icmp any any reflect FW
 permit tcp any any reflect FW
 permit udp any any reflect FW
But what about other protocols and future protocols such as igmp,
gre...? Should I add permit ip any any? Does it deserve asking the proctor?
Thanks for comment
E. HADEK
Nokia Siemens Networks
IP Core planner
5 rue Abou Inane- Hassan
Rabat - Maroc
Tel : +212 37 26 15 30
GSM : + 212 61 44 93 98
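The full reflexive ACL pair that the FW_OUT fragment above belongs to, as an added example that is not part of the original post or any poster's configuration. It shows the side the question leaves out (the inbound ACL with "evaluate"), how untracked protocols such as GRE leave the network without creating return entries, and where a static permit would go if a task required it. The interface name Serial0/0, the ACL names FW_IN/FW and the timeout values are assumptions; the commented-out static permits are placeholders, not something the task asks for.

```cisco
! Added example, not from the original post. Interface, ACL names,
! addresses and timeouts are assumptions.
!
! Outbound ACL on the outside interface. Only the lines carrying the
! "reflect" keyword create temporary return entries in the reflexive
! list FW. The per-line timeout is optional and overrides the global one.
ip access-list extended FW_OUT
 remark -- tracked sessions: a return entry is created for each of these
 permit icmp any any reflect FW timeout 60
 permit tcp any any reflect FW
 permit udp any any reflect FW
 remark -- everything else (GRE, routing protocols, ...) may still leave,
 remark -- but without "reflect" no inbound entry is created for it
 permit ip any any
!
! Inbound ACL on the same interface. "evaluate FW" inserts the current
! reflexive entries at that point; anything not matched there and not
! statically permitted falls through to the explicit deny.
ip access-list extended FW_IN
 remark -- static permits ONLY if the task requires them (assumed addresses):
 remark -- permit gre host 192.0.2.2 host 192.0.2.1
 remark -- permit ospf any any
 evaluate FW
 deny ip any any log
!
! Global idle timeout (seconds) for reflexive entries; TCP entries are
! also removed on FIN/RST. Value is an assumption.
ip reflexive-list timeout 300
!
interface Serial0/0
 description outside link (assumed interface)
 ip access-group FW_OUT out
 ip access-group FW_IN in
!
! Verification: the dynamic entries appear under the reflexive list name
! while a session is open, and counters on FW_IN show what is dropped.
! show ip access-lists FW
! show ip access-lists FW_IN
```

The practical point the thread circles around is visible in the two lists: adding "permit ip any any" without "reflect" to FW_OUT lets GRE or anything else leave, but it does nothing for the reverse direction, so any protocol that must arrive unsolicited (a routing neighbour, a GRE peer) needs its own static permit in FW_IN, and that is exactly the kind of line the other posters advise adding only when the task calls for it.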
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART