From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sat Aug 30 2003 - 23:17:36 GMT-3
Create a policy to forward the traffic out a loopback. Then the traffic
will be affected by an outbound ACL on the router itself.
Rack8R5#sho ip int s0/0 | in Inter
Internet address is 144.8.243.5/24
Rack8R5#ping 144.8.243.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.8.243.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms
Rack8R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R5(config)#access-list 150 deny icmp any any
Rack8R5(config)#access-list 150 per ip any any
Rack8R5(config)#int s0/0
Rack8R5(config-if)#ip access-group 150 out
Rack8R5(config-if)#do ping 144.8.243.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.8.243.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
Rack8R5(config-if)#do sho ip access-list 150
Extended IP access list 150
10 deny icmp any any
20 permit ip any any
Rack8R5(config-if)#route-map LOCAL_TRAFFIC
Rack8R5(config-route-map)#set interface lo 0
Rack8R5(config-route-map)#exit
Rack8R5(config)#ip local policy route-map LOCAL_TRAFFIC
Rack8R5(config)#do ping 144.8.243.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.8.243.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Rack8R5(config)#do sho ip access-list 150
Extended IP access list 150
10 deny icmp any any (5 matches)
20 permit ip any any
Rack8R5(config)#
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com Toll Free: 877-334-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
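The following is an added configuration example, not something posted in this thread: it combines Chris's reflexive ACLs with Brian's local-policy trick so that the router's own ICMP and TCP sessions are reflected instead of needing hand-written inbound entries. It assumes Serial0/0 is the outside interface and that a Loopback0 with a constructed address exists; the LOCAL_REFLECT list and the Loopback0 address are my choices, not from the thread.

```cisco
! Added example. Loopback0 address below is constructed for illustration.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Select only router-sourced ICMP and TCP for policy routing to the loopback.
! OSPF is deliberately left out: the "outbound" list has no "permit ospf",
! so forcing OSPF through the outbound ACL would drop the adjacencies,
! which is exactly what Chris saw when the inbound permit was removed.
ip access-list extended LOCAL_REFLECT
 permit icmp any any
 permit tcp any any
!
route-map LOCAL_TRAFFIC permit 10
 match ip address LOCAL_REFLECT
 set interface Loopback0
!
! Local policy applies only to packets the router itself generates.
ip local policy route-map LOCAL_TRAFFIC
!
! Reflexive ACLs as posted by Chris. Router-originated ping and telnet
! now pass the "outbound" list on the way out and create reflect entries,
! so their return traffic is admitted by the "evaluate" statements.
ip access-list extended inbound
 evaluate icmp_traffic
 evaluate tcp_traffic
 permit ospf any any
!
ip access-list extended outbound
 permit icmp any any reflect icmp_traffic
 permit tcp any any reflect tcp_traffic
!
interface Serial0/0
 ip access-group inbound in
 ip access-group outbound out
```

Verify with a ping from the router followed by "show ip access-list": the reflect entry for icmp_traffic should appear and the outbound permit counters should increment, as in Brian's session above.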
-----Original Message-----
From: navaid@rogers.com [mailto:navaid@rogers.com]
Sent: Saturday, August 30, 2003 12:34 PM
To: Brian Dennis; 'christopher snow'; ccielab@groupstudy.com
Subject: Re: RE: Reflexive Access List
Brian,
How can we force traffic originated by the router to be affected by an
outbound ACL?
Thanks,
Navaid
>
> From: "Brian Dennis" <bdennis@internetworkexpert.com>
> Date: 2003/08/30 Sat PM 03:04:11 EDT
> To: "'christopher snow'" <cbsnow31@yahoo.com>, <ccielab@groupstudy.com>
> Subject: RE: Reflexive Access List
>
> Chris,
> The outbound ACL is not needed since traffic "originated" by the router
> itself will not be affected by an outbound ACL*. Since this is the case,
> traffic originated by the router does not get "reflected" by a
> reflective ACL. This means that all traffic originated by the router
> itself will need to be manually permitted with the inbound ACL.
>
> It is common to permit routing protocols inbound but also remember if
> you need to ping or telnet to other routers from the router with the
> reflective ACL you'll have to manually add the ACL entries inbound for
> this traffic to return.
>
> * By default. There is a way to force traffic originated by the router
> to be affected by an outbound ACL.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Toll Free: 877-334-8987
> Direct: 775-745-6404 (Outside the US and Canada)
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> christopher snow
> Sent: Saturday, August 30, 2003 9:53 AM
> To: ccielab@groupstudy.com
> Subject: Reflexive Access List
>
> I have a question in regards to reflexive access lists.
> I have the following config:
>
> ip access-list extended inbound
> evaluate icmp_traffic
> evaluate tcp_traffic
> permit ospf any any
> ip access-list extended outbound
> permit icmp any any reflect icmp_traffic
> permit tcp any any reflect tcp_traffic
>
> -----
> The access-list works fine but I originally had ospf
> permit any any applied to both the inbound and
> outbound. When I compared my configs to the solution,
> the solution only had ospf permit any any applied to
> the inbound. I removed it and it still works. I then
> removed it from the inbound and the neighbors dropped.
> Why is the ospf statement not needed on the outbound
> side? I would have assumed that it would be blocked
> unless specifically permitted.
>
> Chris Snow
>
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:11 GMT-3