From: Mike Haddad (mike.haddad@hotmail.com)
Date: Mon Apr 14 2008 - 11:54:36 ART
Hello Adel,
I understand your point. However, if we don't have a local policy and allow
only icmp echo-reply, R4 will not be able to ping BB3. In the solution he
allows only echo-reply but no echo, and I tested it and R4 was not able to ping
BB3. In the solution he didn't create a local policy.
Any ideas?
Date: Mon, 14 Apr 2008 08:43:45 +0200
From: adelkarim@gmail.com
To: mike.haddad@hotmail.com
Subject: Re: Reflexive ACL question
CC: ccielab@groupstudy.com
Hi Mike,
As per the task requirements, in the inbound ACL you only need to allow "echo
replies", not "echoes", to return from BB3 and be permitted by R4. This is
required since the traffic locally generated from R4 will not have a dynamic
entry to allow it back.
Another workaround is not to allow echo replies on the inbound ACL; this way
the returning echo replies from BB3 will be denied. That's why we use local
policy routing to redirect local traffic to the loopback; this way, the
traffic going to BB3 will have an entry to allow it back into R4.
HTH
Adel
On Mon, Apr 14, 2008 at 1:19 AM, Mike Haddad <mike.haddad@hotmail.com> wrote:
Hello, The question is in Lab 5 Task 8.1. He is asking to allow ping from R4
to BB3. My solution was:

R4:
interface Ethernet0/0
 ip access-group IN_ACL in
 ip access-group OUT_ACL out
!
ip access-list extended IN_ACL
 permit icmp any any echo-reply
 permit icmp any any echo
 permit tcp any eq telnet any established
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit udp any any eq rip
 evaluate MY_REFLECT
ip access-list extended OUT_ACL
 permit tcp any any reflect MY_REFLECT
 permit udp any any reflect MY_REFLECT
 permit icmp any any reflect MY_REFLECT

The solution in the IE Guide was the same but without:
 permit icmp any any echo -> in the inbound ACL

If you do test pinging to BB3, the router sends host unreachable messages to
BB3. Then in the solution guide he says you can work around this issue by
using a local policy to route locally generated router traffic via Lo0.
Is my solution considered correct? With my solution I don't have to create the
workaround specified in the IE Solutions guide for Lab 5.
Thanks in Advance,

--
Regards
Adel Karim Mansour
CCIE# 20147 R&S
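The two mechanisms the thread discusses, written out as one R4 configuration so the difference is visible. This is an added illustration, not the configuration from the IE solutions guide or from either poster. Interface, loopback and ACL names follow the thread where it gives them (Ethernet0/0, Loopback0, IN_ACL, OUT_ACL, MY_REFLECT); the route-map name LOCAL_PBR and the helper ACL LOCAL_ICMP are assumptions, and Loopback0 is assumed to already exist with an address. The thread leaves open whether the static echo-reply permit alone is enough (Mike reports it did not work in his test), so both options are shown as described rather than as verified results.

```cisco
! Option A: statically permit echo replies inbound (the IE guide as Mike
! describes it). Packets R4 itself originates never pass through OUT_ACL,
! so no reflexive entry is created for them; the static echo-reply line is
! what lets BB3's replies back in. Note that Mike's extra line
! "permit icmp any any echo" would also let unsolicited echo requests from
! any outside source through IN_ACL regardless of reflexive state.
ip access-list extended IN_ACL
 permit icmp any any echo-reply
 permit tcp any eq telnet any established
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit udp any any eq rip
 evaluate MY_REFLECT
!
ip access-list extended OUT_ACL
 permit tcp any any reflect MY_REFLECT
 permit udp any any reflect MY_REFLECT
 permit icmp any any reflect MY_REFLECT
!
interface Ethernet0/0
 ip access-group IN_ACL in
 ip access-group OUT_ACL out
!
! Option B: local policy routing to Loopback0 (the workaround Adel and the
! guide describe). Remove the static echo-reply line from IN_ACL, then force
! R4's own traffic through Loopback0 so it is forwarded out Ethernet0/0 as
! transit traffic, hits OUT_ACL, and gets a MY_REFLECT entry that "evaluate"
! will match on the return path. LOCAL_ICMP and LOCAL_PBR are assumed names;
! the match clause limits the policy to ICMP so BGP and RIP sessions on R4
! are not redirected.
ip access-list extended IN_ACL
 no permit icmp any any echo-reply
!
ip access-list extended LOCAL_ICMP
 permit icmp any any
!
route-map LOCAL_PBR permit 10
 match ip address LOCAL_ICMP
 set interface Loopback0
!
ip local policy route-map LOCAL_PBR
!
! Verification: after "ping <BB3 address>" from R4, the temporary entry
! should be visible with "show ip access-lists MY_REFLECT"; with Option A
! alone it never appears, which is the difference Adel is pointing at.
```

Apply only one of the two options at a time: with Option B in place the static echo-reply permit is unnecessary, and leaving both configured makes it impossible to tell from a ping test which mechanism is actually passing the replies.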
This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:51 ART