Re: Reflexive ACL question

From: Adel Karim (adelkarim@gmail.com)
Date: Mon Apr 14 2008 - 03:43:45 ART


Hi Mike,

As per the task requirements, in the inbound ACL, you only need to allow
"echo replies", not "echoes", to return from BB3 and be permitted by R4. This
is required since the traffic locally generated from R4 will not have a
dynamic entry to allow it back.

Another workaround is not to allow echo replies on the inbound ACL; this way
the returning echo replies from BB3 will be denied. That's why we use
local policy routing to redirect local traffic to the loopback; this way,
the traffic going to BB3 will have an entry to allow it back into R4.

HTH
Adel

On Mon, Apr 14, 2008 at 1:19 AM, Mike Haddad <mike.haddad@hotmail.com>
wrote:

> Hello,
>
> The question is in Lab 5 Task 8.1. He is asking to allow ping from R4 to
> BB3. My solution was:
>
> R4:
> interface Ethernet0/0
>  ip access-group IN_ACL in
>  ip access-group OUT_ACL out
> !
> ip access-list extended IN_ACL
>  permit icmp any any echo-reply
>  permit icmp any any echo
>  permit tcp any eq telnet any established
>  permit tcp any any eq bgp
>  permit tcp any eq bgp any
>  permit udp any any eq rip
>  evaluate MY_REFLECT
> ip access-list extended OUT_ACL
>  permit tcp any any reflect MY_REFLECT
>  permit udp any any reflect MY_REFLECT
>  permit icmp any any reflect MY_REFLECT
>
>
> The Solution in the IE Guide was the same but without:
> permit icmp any any echo -> IN the Inbound ACL
>
> If you do test pinging to BB3 the router sends host unreachable messages to
> BB3. Then in the solution guide he says you can work around this issue by
> using a local policy to route locally generated router traffic via Lo0.
>
> Is my solution considered correct? With my solution I don't have to create
> the workaround specified in the IE Solutions guide for Lab 5.
>
> Thanks in Advance,
>
> Pass the CCIE in six weeks, Guaranteed!
> http://www.certscience.com/CCIE
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Regards
Adel Karim Mansour
CCIE# 20147 R&S
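
The two approaches discussed in this thread, written out as a complete R4 configuration for each. This is an added illustration, not configuration from the original posts or from the IE solution guide; the interface name, ACL names, Loopback0 and the route-map name are assumptions, and BB3's address is left as "any" because the thread does not give it.

```cisco
! Added example, not from the original thread. Interface, ACL and
! route-map names are assumed; substitute the lab's own values.
!
! ===== Approach 1: static hole for the replies =====
! Router-originated traffic does not traverse the outbound interface ACL,
! so R4's own pings never create a MY_REFLECT entry. A static echo-reply
! permit lets BB3's answers back in. Permitting "echo" inbound as well is
! not needed for the task and would also admit unsolicited pings from
! outside, so it is left out here.
ip access-list extended IN_ACL
 permit icmp any any echo-reply
 permit tcp any eq telnet any established
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit udp any any eq rip
 evaluate MY_REFLECT
!
ip access-list extended OUT_ACL
 permit tcp any any reflect MY_REFLECT
 permit udp any any reflect MY_REFLECT
 permit icmp any any reflect MY_REFLECT
!
interface Ethernet0/0
 ip access-group IN_ACL in
 ip access-group OUT_ACL out
!
! ===== Approach 2: make R4's own traffic look like transit =====
! No static echo-reply line: only "evaluate" admits return traffic.
ip access-list extended IN_ACL
 permit tcp any eq telnet any established
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit udp any any eq rip
 evaluate MY_REFLECT
!
ip access-list extended OUT_ACL
 permit tcp any any reflect MY_REFLECT
 permit udp any any reflect MY_REFLECT
 permit icmp any any reflect MY_REFLECT
!
interface Ethernet0/0
 ip access-group IN_ACL in
 ip access-group OUT_ACL out
!
! Local policy routing hands locally generated ICMP to Loopback0 first;
! it is then forwarded out Ethernet0/0 like any transit packet, so OUT_ACL
! sees it and MY_REFLECT gets a dynamic entry for the reply.
ip access-list extended LOCAL_ICMP
 permit icmp any any
!
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_ICMP
 set interface Loopback0
!
ip local policy route-map LOCAL_POLICY
```

To confirm which approach is doing the work, ping BB3 from R4 and then look at `show ip access-lists MY_REFLECT`: with Approach 2 a temporary icmp entry appears for the exchange and ages out afterwards, whereas with Approach 1 the reflexive list stays empty for R4's own pings and the replies are matched by the static echo-reply line instead. Approach 2 is the tighter of the two, since nothing inbound is permitted that the router did not itself initiate.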




This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:50 ART