Reflexive ACLs

Unanswered Question
Nov 26th, 2003
Hello,


A couple of questions re Reflexive ACLs.

Firstly, why do I need the evaluate ACL? Can't I just use the "inbound" ACL in the access-group on the interface (the actual reflexive access-list), rather than "inbound-eval", the ACL with the evaluate command in it?

Secondly, what about packets generated from the actual router, i.e. EIGRP, OSPF, BGP etc. for routing protocols? These packets, as they are not transient to the router, don't seem to get through. Is it because they are originated from the router processor itself?


Many thanks indeed,

Ken




MMmR01#
!
interface Vlan50
 ip address 30.96.100.18 255.255.255.252
 ip access-group inbound-eval in
 ip access-group outbound out
 ip pim sparse-dense-mode
!
MMmR01#
Reflexive IP access list inbound
    permit tcp host 30.96.100.17 eq telnet host 30.96.100.62 eq 63489 (32 matches) (time left 1)
    permit icmp host 30.96.100.1 host 30.96.100.42 (12 matches) (time left 206)
    permit udp host 224.0.1.40 eq pim-auto-rp host 30.96.100.25 eq pim-auto-rp (3 matches) (time left 277)
    permit udp host 30.96.100.1 eq snmp host 30.96.100.42 eq 60114 (11 matches) (time left 189)
    permit udp host 30.96.100.2 eq snmp host 30.96.100.42 eq 60114 (62 matches) (time left 288)
    permit icmp host 30.96.100.17 host 30.96.100.62 (26 matches) (time left 227)
    permit icmp host 30.96.100.17 host 30.96.100.42 (12 matches) (time left 138)
    permit udp host 224.0.1.39 eq pim-auto-rp host 30.96.100.25 eq pim-auto-rp (7 matches) (time left 268)
    permit udp host 30.96.100.17 eq snmp host 30.96.100.42 eq 60114 (114 matches) (time left 288)
!
Extended IP access list inbound-eval
    evaluate inbound
!
Extended IP access list outbound
    permit ip any any reflect inbound
MMmR01#
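Added illustration of the mechanism behind both questions in the post above; this is editor-written Python, not IOS code and not anything Ken posted. It models the two IOS behaviours that explain the output: the reflexive list named by `reflect inbound` is a dynamic list that only holds mirrored entries, so it cannot be applied to an interface by itself and is consulted through an `evaluate` line inside a normal named extended ACL; and an outbound ACL does not inspect packets the router itself generates, so routing-protocol hellos never create a reflexive entry and the neighbour's hellos then hit the implicit deny of `inbound-eval`. The addresses, ports and the 300-second default timeout are constructed to mirror the post's `show access-lists` output; the `eigrp` hello, the `Packet`/`Ace`/`Interface` names and the simplified host/any matching are assumptions of the model.

```python
"""Toy model of Cisco IOS reflexive ACL behaviour (added illustration, not IOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_TIMEOUT = 300  # IOS default 'ip reflexive-list timeout', seconds (assumed here)


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    sport: int = 0                   # 0 for protocols without ports
    dport: int = 0
    router_originated: bool = False  # built by the router's own control plane


@dataclass
class ReflexiveEntry:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    expires: float
    matches: int = 0

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class ReflexiveAcl:
    """The dynamic list written by 'reflect NAME' and read by 'evaluate NAME'."""

    def __init__(self, name: str, timeout: int = DEFAULT_TIMEOUT):
        self.name, self.timeout = name, timeout
        self.entries: List[ReflexiveEntry] = []

    def reflect(self, pkt: Packet, now: float) -> ReflexiveEntry:
        # Mirror the outbound packet: the reply is expected from dst:dport back to src:sport.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for e in self.entries:
            if e.key() == key:
                e.expires = now + self.timeout  # existing session: refresh the timer
                return e
        e = ReflexiveEntry(*key, expires=now + self.timeout)
        self.entries.append(e)
        return e

    def evaluate(self, pkt: Packet, now: float) -> bool:
        self.entries = [e for e in self.entries if e.expires > now]  # drop idle entries
        for e in self.entries:
            if e.key() == (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                e.matches += 1
                e.expires = now + self.timeout  # matching traffic keeps the entry alive
                return True
        return False

    def show(self, now: float) -> List[str]:
        """Render the list roughly the way 'show access-lists' prints it."""
        lines = [f"Reflexive IP access list {self.name}"]
        for e in self.entries:
            if e.expires <= now:
                continue
            sp = f" eq {e.sport}" if e.sport else ""
            dp = f" eq {e.dport}" if e.dport else ""
            lines.append(f"permit {e.proto} host {e.src}{sp} host {e.dst}{dp} "
                         f"({e.matches} matches) (time left {int(e.expires - now)})")
        return lines


@dataclass(frozen=True)
class Ace:
    """One line of a named extended ACL (simplified: only host/any matching)."""
    action: str                      # "permit", "deny" or "evaluate"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    reflect: Optional[str] = None    # 'reflect NAME' on an outbound permit
    evaluate: Optional[str] = None   # reflexive list named by an 'evaluate' line

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto) and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


class Interface:
    def __init__(self, inbound: List[Ace], outbound: List[Ace], reflexive: Dict[str, ReflexiveAcl]):
        self.inbound, self.outbound, self.reflexive = inbound, outbound, reflexive

    def send(self, pkt: Packet, now: float) -> str:
        """Outbound direction ('ip access-group outbound out')."""
        if pkt.router_originated:
            # Outbound ACLs do not see router-generated packets, so nothing is reflected.
            return "permit"
        for ace in self.outbound:
            if ace.matches(pkt):
                if ace.action == "permit" and ace.reflect:
                    self.reflexive[ace.reflect].reflect(pkt, now)
                return ace.action
        return "deny"  # implicit deny at the end of every ACL

    def receive(self, pkt: Packet, now: float) -> str:
        """Inbound direction ('ip access-group inbound-eval in')."""
        for ace in self.inbound:
            if ace.action == "evaluate":
                if self.reflexive[ace.evaluate].evaluate(pkt, now):
                    return "permit"
                continue  # no mirrored entry: fall through to the next line
            if ace.matches(pkt):
                return ace.action
        return "deny"


def demo() -> Dict[str, str]:
    """Replay the post's configuration, then a fix for router-originated traffic."""
    refl = {"inbound": ReflexiveAcl("inbound")}
    vlan50 = Interface(inbound=[Ace("evaluate", evaluate="inbound")],   # inbound-eval
                       outbound=[Ace("permit", reflect="inbound")],     # permit ip any any reflect inbound
                       reflexive=refl)
    out: Dict[str, str] = {}
    # Constructed transit session: inside host telnets out, the reply is mirrored back in.
    vlan50.send(Packet("tcp", "30.96.100.62", "30.96.100.17", 63489, 23), now=0)
    reply = Packet("tcp", "30.96.100.17", "30.96.100.62", 23, 63489)
    out["telnet_reply"] = vlan50.receive(reply, now=1)
    out["telnet_reply_after_timeout"] = vlan50.receive(reply, now=1 + DEFAULT_TIMEOUT + 1)
    # Router-originated EIGRP hello bypasses the outbound ACL; the neighbour's hello is then denied.
    vlan50.send(Packet("eigrp", "30.96.100.18", "224.0.0.10", router_originated=True), now=0)
    hello = Packet("eigrp", "30.96.100.17", "224.0.0.10")
    out["eigrp_hello_with_evaluate_only"] = vlan50.receive(hello, now=1)
    # Fix: a static 'permit eigrp any any' ahead of the evaluate line in inbound-eval.
    fixed = Interface(inbound=[Ace("permit", proto="eigrp"), Ace("evaluate", evaluate="inbound")],
                      outbound=[Ace("permit", reflect="inbound")], reflexive=refl)
    out["eigrp_hello_with_static_permit"] = fixed.receive(hello, now=1)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model deliberately keeps the `evaluate` line as a fall-through rather than a terminal entry: in IOS, a packet that matches no reflexive entry continues down the named ACL, which is why static permits for EIGRP, OSPF, BGP and PIM belong in `inbound-eval` alongside `evaluate inbound` rather than in the reflexive list itself.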




